[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.
This directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.
Qualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.
## Directive Scope
This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.
However, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.
## CISA Catalog of Known Exploited Vulnerabilities
In total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).
### Not all vulnerabilities are created equal
Our quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:
#### Category 1 – Past Due
Remediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.
#### Category 2 – Patch in less than two weeks
100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.
#### Category 3 – Patch within six months
The remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.
## Detect CISA's Vulnerabilities Using Qualys VMDR
The Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.
For example, to detect critical CVEs released in 2021:
_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_
Using [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.
In addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.
With Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.
### Detailed Operational Dashboard:
### Summary Dashboard High Level Structured by Vendor:
## Remediation
To comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.
Customers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.
cve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]
Qualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.
Note that the due date for “Category 1” patches has already passed. To find missing patches in your environment for “Category 1” past due CVEs, copy the following query into the Patch Management app:
cve:['CVE-2021-1732′,'CVE-2020-1350′,'CVE-2020-1472′,'CVE-2021-26855′,'CVE-2021-26858′,'CVE-2021-27065′,'CVE-2020-0601′,'CVE-2021-26857′,'CVE-2021-22893′,'CVE-2020-8243′,'CVE-2021-22900′,'CVE-2021-22894′,'CVE-2020-8260′,'CVE-2021-22899′,'CVE-2019-11510']
## Federal Enterprises and Agencies Can Act Now
For federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).
Here are a few steps Federal enterprises can take immediately:
* Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more
* Prioritize remediation by due dates
* Identify all vulnerable assets automatically mapped into the threat feed
* Use Patch Management to apply patches and other configurations changes
* Track remediation progress through Unified Dashboards
## Summary
Understanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.
## Getting Started
Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).
{"malwarebytes": [{"lastseen": "2021-10-21T08:35:39", "description": "Apple has released a security update for iOS and iPad that addresses a critical vulnerability reportedly being exploited in the wild.\n\nThe update has been made available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as [CVE-2021-30883](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30883>) and allows an application to execute arbitrary code with kernel privileges. Kernel privileges can be achieved by using a memory corruption issue in the "IOMobileFrameBuffer" component.\n\nKernel privileges are a serious matter as they offer an attacker more than administrator privileges. In kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.\n\nResearchers have already found that this vulnerability is exploitable from the browser, which makes it extra worrying.\n\n> We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. <https://t.co/dhogxTM6pT>\n> \n> -- ZecOps (@ZecOps) [October 12, 2021](<https://twitter.com/ZecOps/status/1447804721771606016?ref_src=twsrc%5Etfw>)\n\nWatering holes are used as a highly targeted attack strategy. The attacker infects a website where they knows the intended victim(s) visits regularly. Depending on the nature of the infection, the attacker can single out their intended target(s) or just infect anyone that visits the site unprotected.\n\n### IOMobileFrameBuffer\n\nIOMobileFramebuffer is a kernel extension for managing the screen framebuffer. An earlier vulnerability in this extension, listed as [CVE-2021-30807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>) was tied to the [Pegasus spyware](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>). This vulnerability also allowed an application to execute arbitrary code with kernel privileges. Coincidence? Or did someone take the entire IOMobileFramebuffer extension apart and save up the vulnerabilities for a rainy day?\n\nAnother iPhone exploit called [FORCEDENTRY](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/latest-iphone-exploit-forcedenrty-used-to-launch-pegasus-attack-against-bahraini-activists/>) was found to be used against Bahraini activists to launch the Pegasus spyware. Researchers at Citizen Lab disclosed this vulnerability and code to Apple, and it was listed as CVE-2021-30860.\n\n### Undisclosed\n\nAs is usual for Apple, both the researcher that found the vulnerability and the circumstances under which the vulnerability used in the wild are kept secret. Apple didn't respond to a query about whether the previously found bug was being exploited by NSO Group's Pegasus surveillance software.\n\n### Zero-days for days\n\nOver the last months Apple has had to close quite a few zero-days in iOS, iPadOS,and macOS. Seventeen if I have counted correctly.\n\n * [CVE-2021-1782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1782>) - iOS-kernel: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1870](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1870>) \u2013 WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1871](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1871>) \u2013 WebKit: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>) \u2013 WebKit: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30657](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30657>) \u2013 Gatekeeper: A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30661>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30663](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30663>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution.\n * [CVE-2021-30665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30665>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30666](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30666>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30713](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30713>) \u2013 TCC: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30761](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30761>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30762](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30762>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-308](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>)[0](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>)[7](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>) \u2013 IOMobileFrameBuffer: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Tied to Pegasus (see above).\n * [CVE-2021-30858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30858>) \u2013 WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n * [CVE-2021-30860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860>) \u2013 CoreGraphics: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. This is FORCEDENTRY (see above).\n * [CVE-2021-30869](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30869>) \u2013 XNU: A malicious application may be able to execute arbitrary code with kernel privileges. [Reportedly](<https://www.helpnetsecurity.com/2021/09/24/cve-2021-30869/>) being actively exploited by attackers in conjunction with a previously known WebKit vulnerability.\n\nAnd last but not least, the latest addition\u2014CVE-2021-30883\u2014which means that of the 17 zero-days that were fixed over the course of a handful of months, at least 16 were found to be actively exploited.\n\n### Update\n\nApple advises users to update to [iOS 15.0.2 and iPadOS 15.0.2](<https://support.apple.com/en-gb/HT212846>) which can be done through the automatic update function or iTunes.\n\nStay safe, everyone!\n\nThe post [Update now! Apple patches another privilege escalation bug in iOS and iPadOS](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-apple-patches-another-privilege-escalation-bug-in-ios-and-ipados/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-12T16:07:53", "type": "malwarebytes", "title": "Update now! Apple patches another privilege escalation bug in iOS and iPadOS", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883"], "modified": "2021-10-12T16:07:53", "id": "MALWAREBYTES:11D4071979D3FC1E6028AA8D71EB87F4", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-now-apple-patches-another-privilege-escalation-bug-in-ios-and-ipados/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-14T18:35:22", "description": "Google _[announced](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>)_ on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn\u2019t already). Chrome users are expected to see the roll out in the coming days and weeks.\n\nReaders should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.\n\nYou can check what version of Chrome you are running by opening About Google Chrome from the main menu.\n\nThe About Google Chrome screen tells you what version you are running and whether it is up to date\n\n### The vulnerabilities\n\nThe fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.\n\nThe two vulnerabilities that are being actively exploited\u2014namely, [CVE-2021-30632](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30632>) and [CVE-2021-30633](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30633>)\u2014were submitted anonymously. The former is an "Out of bounds write" flaw in the V8 JavaScript engine and the latter is a "Use after free" bug in the Indexed DB API.\n\nBecause threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:\n\n> Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\n\n### V8, the thorn in Chrome's side?\n\nNobody will be surprised to see that one of the in-the-wild exploits affects Chrome's V8 engine. \n\nAt the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.\n\nChrome's [V8](<https://v8.dev/>) JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft\u2014whose Edge browser is based on Chrome\u2014announced an experimental project called [Super Duper Secure Mode](<https://blog.malwarebytes.com/reports/2021/08/edges-super-duper-secure-mode-benchmarked-how-much-speed-would-you-trade-for-security/>) that aims to tackle the rash of V8 problems by simply turning an important part of it off.\n\nA little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all \u2018in-the-wild\u2019 Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.\n\n### 11 zero-days and counting\n\nTo date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:\n\n * [_CVE-2021-21148_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/02/update-now-chrome-patches-zero-day-that-was-exploited-in-the-wild/>)\n * [_CVE-2021-21166_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/>)\n * CVE-2021-21193\n * [_CVE-2021-21206_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * [_CVE-2021-21220_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/update-now-chrome-needs-patching-against-two-in-the-wild-exploits/>)\n * CVE-2021-21224\n * CVE-2021-30551\n * CVE-2021-30554\n * CVE-2021-30563\n\nWith so much bad PR, you might expect Chrome's market share to suffer; yet, it remains by far the most popular browser. Users\u2014and the Google Chrome brand\u2014seem unaffected.\n\nMake sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to [update itself](<https://support.google.com/chrome/answer/95414?hl=en-GB&co=GENIE.Platform%3DDesktop#:~:text=Go%20to%20'About%20Google%20Chrome,Chrome%20to%20apply%20the%20update.>).\n\nStay safe!\n\nThe post [Update now! Google Chrome fixes two in-the-wild zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T16:28:47", "type": "malwarebytes", "title": "Update now! Google Chrome fixes two in-the-wild zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-14T16:28:47", "id": "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-google-chrome-fixes-two-in-the-wild-zero-days/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-2685](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVE\u2019s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-20T18:28:42", "description": "In the Android Security Bulletin of May 2021, published at the beginning of this month, you can find a list of roughly 40 vulnerabilities in several components that might concern Android users. According to info provided by Google's Project Zero team, four of those Android security vulnerabilities are being exploited in the wild as zero-day bugs.\n\nThe good news is that patches are available. The problem with Android patches and updates though is that you, as a user, are dependent on your upstream provider for when these patches will reach your system.\n\n### Android updates and upgrades\n\nIt is always unclear for Android users when they can expect to get the latest updates and upgrades. An Android device is a computer in many regards and it needs regular refreshes. Either to patch against the latest vulnerabilities or when new features become available.\n\nAn update is when an existing Android version gets improved, and these come out regularly. An upgrade is when your device gets a later Android version. Usually a device can function just fine without getting an upgrade as long as it stays safe by getting the latest updates.\n\n### Depends on brand and type\n\nGoogle is the company that developed the Android operating system (which is itself a type of Linux) and the company also keeps it current. It is also the company that creates the security patches. But then the software is turned over to device manufacturers that create their own versions for their own devices.\n\nSo, when (even if) you will get the latest updates at all, depends on the manufacturer of your device. Some manufacturer\u2019s devices may never see another update because Google is not allowed to do business with them.\n\n### The critical vulnerabilities\n\nIn a note, the bulletin states that there are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 may be under limited, targeted exploitation. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The four that may be being abused in the wild are:\n\n * [CVE-2021-1905](<https://nvd.nist.gov/vuln/detail/CVE-2021-1905>) Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.\n * [CVE-2021-1906](<https://nvd.nist.gov/vuln/detail/CVE-2021-1906>) Improper handling of address de-registration on failure can lead to new GPU address allocation failure. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.\n * [CVE-2021-28663](<https://nvd.nist.gov/vuln/detail/CVE-2021-28663>) The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.\n * [CVE-2021-28664](<https://nvd.nist.gov/vuln/detail/CVE-2021-28664>) The Arm Mali GPU kernel driver allows privilege escalation or a denial of service (memory corruption) because an unprivileged user can achieve read/write access to read-only pages. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0.\n\nUse after free (UAF) like CVE-2021-1905 is a vulnerability caused by incorrect use of dynamic memory during a program\u2019s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.\n\nSnapdragon is a suite of system on a chip (SoC) semiconductor products for mobile devices designed and marketed by Qualcomm Technologies Inc.\n\nArm Mali GPU is a graphics processing unit for a range of mobile devices from smartwatches to autonomous vehicles developed by Arm.\n\n### Mitigation\n\nYou can tell whether your device is protected by [checking the security patch level](<https://support.google.com/android/answer/7680439?hl=en>).\n\n * Security patch levels of 2021-05-01 or later address all issues associated with the 2021-05-01 security patch level.\n * Security patch levels of 2021-05-05 or later address all issues associated with the 2021-05-05 security patch level and all previous patch levels.\n\nWe would love to tell you to patch urgently, but as we explained, this depends on the manufacturer. Some users who haven't switched to new devices that still receive monthly security updates might even not be able to install these patches at all.\n\nStay safe, everyone!\n\nThe post [Android patches for 4 in-the-wild bugs are out, but when will you get them?](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/android-patches-for-4-in-the-wild-bugs-are-out-but-when-will-you-get-them/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-20T17:13:53", "type": "malwarebytes", "title": "Android patches for 4 in-the-wild bugs are out, but when will you get them?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"], "modified": "2021-05-20T17:13:53", "id": "MALWAREBYTES:EB04567CC0DCC2AA6FDDD6A780E6AFE7", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/05/android-patches-for-4-in-the-wild-bugs-are-out-but-when-will-you-get-them/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-04T12:27:56", "description": "Pulse Secure has [alerted customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>) to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.\n\nCybersecurity sleuths Mandiant report that they are tracking "12 malware families associated with the exploitation of Pulse Secure VPN devices" operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.\n\n### The old vulnerabilities\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:\n\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We [wrote](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) about the apparent reluctance to patch for this vulnerability in 2019.\n * [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>) a vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.\n * [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>) a vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\nThe obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.\n\n### The new vulnerability\n\nThe new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10\u2014the maximum\u2014and a Critical rating. According to [the Pulse advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>):\n\n> [The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.\n\nThere is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don't wait for the patch.\n\n### Mitigation requires a workaround\n\nAccording to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company's [Security Advisory 44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>). Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.\n\n### Targets\n\nThe Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations' environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.\n\n### Threat analysis\n\nFireEye's Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are "applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so". In their [blogpost](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) they discuss 4 variants. Interested parties can also find technical details and detections there.\n\n### Networking devices\n\nState sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.\n\n### Update May 4th\n\nThe Pulse Secure team released a security update to address the issue outlined in [Security Advisory SA44784 (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) impacting the Pulse Connect Secure appliance. It is recommend that customers act urgently to apply the update to ensure they are protected. On that note, Pulse Secure also recommends that customers use the Pulse Security Integrity Checker Tool, a tool for customers to identify malicious activity on their systems, and that they continue to apply and follow recommended guidance for all available security patches.\n\nThe post [Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T18:12:15", "type": "malwarebytes", "title": "Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T18:12:15", "id": "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an[ advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service it may depend on the affiliate which of the vulnerabilities gets used.\n\nThe Exchange Server vulnerabilities are named as: CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T16:35:06", "description": "The September 2021 Patch Tuesday could be remembered as the _final_ patching attempt in the PrintNightmare\u2026 nightmare. The ease with which the vulnerabilities [shrugged off the August patches](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) doesn\u2019t look to get a rerun. So far we haven\u2019t seen any indications that this patch is so easy to circumvent.\n\nThe total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are "old friends". There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.\n\nAzure was the subject of five CVE\u2019s, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.\n\n### PrintNightmare\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe problem was made worse by significant [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.\n\nThis month, Microsoft patched the remaining Print Spooler vulnerabilities under [CVE-2021-36958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36958>). Fingers crossed.\n\n### MSHTML\n\nThis zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only [found last week](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>), but has attracted significant attention. It was listed as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML. \n\nThreat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.\n\nGiven the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.\n\n### DNS elevation of privilege vulnerability\n\nThis vulnerability was listed as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>) and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.\n\nMicrosoft says that exploitation is \u201cless likely\u201d, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP). \n\n### OMIGOD\n\nOMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:\n\n * [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>) OMI RCE Vulnerability with a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 9.8 out of 10.\n * [CVE-2021-38648](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) Open Management Infrastructure Elevation of Privilege Vulnerability\n\nThe [researchers](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:\n\n> Wiz\u2019s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.\n\nOMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It's likely that many users aren't even aware they have it running.\n\nThe RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.\n\nA coding mistake means that any incoming request to the service _without_ an authorization header has its privileges default to uid=0, gid=0, which is root. \n \nOMIGOD, right?\n\nThe researchers report that the flaw can only be used to remotely takeover a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.\n\nThey advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:\n\n * For Debian systems (e.g., Ubuntu): `dpkg -l omi`\n * For Redhat based system (e.g., Fedora, CentOS, RHEL): `rpm -qa omi`\n\nIf OMI isn\u2019t installed, the commands won't return any results, and your machine isn\u2019t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.\n\n## Update September 17, 2021\n\nAfter a proof-of-concept exploit was published on code hosting website GitHub, attackers we re noticed to be looking for Linux servers running on Microsoft\u2019s Azure cloud infrastructure. These systems are vulnerable to the security flaw called OMIGOD.\n\nAccording to reports from security researchers the attackers use the OMIGOD exploit, to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.\n\nThe post [[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-15T13:19:48", "type": "malwarebytes", "title": "[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36958", "CVE-2021-36968", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444"], "modified": "2021-09-15T13:19:48", "id": "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE\u2019s (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the 4 CVE\u2019s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Veloxity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation, the vulnerabilities, and which also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. They called it [ProxyLogon](<https://proxylogon.com/>) because this bug exploits against the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on comprised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). \n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T08:33:57", "description": "The list of July 2021 Patch Tuesday updates looks endless. 117 patches with no less than 42 CVEs assigned to them that have FAQs, mitigations details or workarounds listed for them. Looking at the urgency levels Microsoft has assigned to them, system administrators have their work cut out for them once again:\n\n * 13 criticial patches\n * 103 important patches\n\nYou can find the list of CVEs that have FAQs, mitigations, or workarounds on the Microsoft [July release notes](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) page.\n\nSix vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVE\u2019s is a familiar one, [2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) aka the anyone-can-run-code-as-domain-admin RCE known as [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>). Microsoft issued out-of-band patches for that vulnerability a week ago, but those were [not as comprehensive](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) as one might have hoped. \n\nSince then, the Cybersecurity and Infrastructure Security Agency\u2019s (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. These directive list required actions for all Federal Civilian Executive Branch agencies.\n\n### Priorities\n\nBesides the ongoing PrintNightmare, er, nightmare, there are some others that deserve your undivided attention. Vulnerabilities being exploited in the wild, besides PrintNightmare, are:\n\n * [CVE-2021-34448](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34448>) Scripting Engine Memory Corruption Vulnerability for Windows Server 2012 R2 and Windows 10.\n * [CVE-2021-33771](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33771>) Windows Kernel Elevation of Privilege Vulnerability for Windows Server 2012, Server 2016, Windows 8.1, and Windows 10.\n * [CVE-2021-31979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31979>) Windows Kernel Elevation of Privilege Vulnerability for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019.\n\nOther vulnerabilities that are not seen exploited in the wild yet, but are likely candidates to make that list soon:\n\n * [CVE-2021-34458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34458>) Windows Kernel Remote Code Execution Vulnerability for some Windows Server versions, if the system is hosting virtual machines, or the Server includes hardware with SR-IOV devices.\n * [CVE-2021-34494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34494>) Windows DNS Server Remote Code Execution Vulnerability for Windows Server versions if the server is configured to be a DNS server.\n\n### Exchange Server\n\nAnother ongoing effort to patch vulnerable systems has to do with Microsoft Exchange Server. Flaws that were actually already [patched in April](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) have now been assigned new CVE numbers [CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) (Microsoft Exchange Server Remote Code Execution Vulnerability) and [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>) (Microsoft Exchange Server Elevation of Privilege Vulnerability). As you may remember this combo of elevation of privilege (EOP) and remote code execution (RCE) caused quite the [panic](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>) when attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nIf you applied the patches in April, you are already protected. If you didn\u2019t, move them to the top of your to-do-list.\n\n### Windows Media Foundation\n\nTwo other critical vulnerabilities, and one considered important, were found in Microsoft Windows Media Foundation. Microsoft Media Foundation enables the development of applications and components for using digital media on Windows Vista and later. If you do have this multimedia platform installed on your system you are advised to apply the patches, but note that many of them include the [Flash](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>) Removal Package. So do the patches for [CVE-2021-34497](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34497>) a critical Windows MSHTML Platform RCE vulnerability.\n\nStay safe, everyone!\n\nThe post [Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/four-in-the-wild-exploits-13-critical-patches-headline-bumper-patch-tuesday/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T11:56:06", "type": "malwarebytes", "title": "Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34473", "CVE-2021-34494", "CVE-2021-34497", "CVE-2021-34523", "CVE-2021-34527"], "modified": "2021-07-14T11:56:06", "id": "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/four-in-the-wild-exploits-13-critical-patches-headline-bumper-patch-tuesday/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T11:39:21", "description": "The Google Threat Analysis Group (TAG) has [revealed](<https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/>) that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.\n\nDid I hear someone say [Pegasus](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>)? An educated guess, but wrong in this case. The name of the surveillance company\u2014or better said, professional spyware vendor\u2014is Cytrox and the name of its spyware is Predator.\n\n## Google\n\nTAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google's own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software. \n\nPatches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.\n\n## Vulnerabilities\n\nBy definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn\u2019t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.\n\nIn the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.\n\nTAG says Cytrox abused four Chrome zero-days ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>), [CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>), [CVE-2021-38000](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>), and [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>)) and a single Android zero-day ([CVE-2021-1048](<https://source.android.com/security/bulletin/2021-11-01#kernel-components_1>)) last year in at least three campaigns conducted on behalf of various governments.\n\n## Cytrox\n\nTAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group\u2014undoubtedly the best known one among them and responsible for Pegasus spyware.\n\nCitizenlab at the University of Toronto [published](<https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/>) information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an \u201coperational cyber solution\u201d that includes gathering information from devices and cloud services. It also says it assists with "designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services."\n\nCytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and [Verint](<https://www.lopinion.fr/economie/verint-pursues-seller-of-spyware>).\n\n## Government spyware\n\nSpyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.\n\nWhatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.\n\nIt is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to [ban the development and deployment of spyware](<https://blog.malwarebytes.com/stalkerware/2022/02/ban-pegasus-spyware-urges-european-union-data-protection-supervisor/>) with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.\n\nThe post [Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware](<https://blog.malwarebytes.com/privacy-2/2022/05/zero-day-vulnerabilities-in-chrome-and-android-exploited-by-commercial-spyware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-05-24T09:55:59", "type": "malwarebytes", "title": "Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1048", "CVE-2021-37973", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003"], "modified": "2022-05-24T09:55:59", "id": "MALWAREBYTES:1BBB147ADD90DF3A3483E6805D78B6A6", "href": "https://blog.malwarebytes.com/privacy-2/2022/05/zero-day-vulnerabilities-in-chrome-and-android-exploited-by-commercial-spyware/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34523, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetiPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several thing you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this is list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vunerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and [CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. [CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * * Apply patches as they come, prioritizing the most critical l flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEj9Bd2VdAXWvbASf8YmWxr5iArtahL17_NleXHz62PXrscVcuyhLoDB7s3THH7T3H2cNZseMCfhLHRI9u5ESRDFZknnkYq6qqLc5c9bPFMM7KFlt0MGfj_ufHze0jtqtN8jGQiQUtNiSL3Kgq8Vsdc1lkrooiJsHq3ucrJQr03nO_OVN3I2C0POzJAs>)\n\nApple on Monday released a security update for iOS and iPad to address a critical vulnerability that it says is being exploited in the wild, making it the 17th zero-day flaw the company has addressed in its products since the start of the year.\n\nThe weakness, assigned the identifier [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>), concerns a memory corruption issue in the \"IOMobileFrameBuffer\" component that could allow an application to execute arbitrary code with kernel privileges. Crediting an anonymous researcher for reporting the vulnerability, Apple said it's \"aware of a report that this issue may have been actively exploited.\"\n\nTechnical specifics about the flaw and the nature of the attacks remain unavailable as yet, as is the identity of the threat actor, so as to allow a majority of the users to apply the patch and prevent other adversaries from weaponizing the vulnerability. The iPhone maker said it addressed the issue with improved memory handling.\n\nBut soon after the advisory was released, security researcher Saar Amar [shared](<https://saaramar.github.io/IOMFB_integer_overflow_poc/>) additional details, and a proof-of-concept (PoC) exploit, noting that \"this attack surface is highly interesting because it's accessible from the app sandbox (so it's great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains.\"\n\nCVE-2021-30883 is also the second zero-day impacting IOMobileFrameBuffer after Apple addressed a similar, anonymously reported memory corruption issue (CVE-2021-30807) in July 2021, raising the possibility that the two flaws could be related. With the latest fix, the company has resolved a record 17 zero-days to date in 2021 alone \u2014\n\n * [**CVE-2021-1782**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges\n * [**CVE-2021-1870**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1871**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting\n * [**CVE-2021-30657**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks\n * [**CVE-2021-30661**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30663**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30665**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30666**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30713**](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences\n * [**CVE-2021-30761**](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30762**](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30807**](<https://thehackernews.com/2021/07/apple-releases-urgent-0-day-bug-patch.html>) (IOMobileFrameBuffer) - An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2021-30858**](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30860**](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) (CoreGraphics) - Processing a maliciously crafted PDF may lead to arbitrary code execution\n * [**CVE-2021-30869**](<https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html>) (XNU) - A malicious application may be able to execute arbitrary code with kernel privileges\n\nApple iPhone and iPad users are highly recommended to update to the latest version (iOS 15.0.2 and iPad 15.0.2) to mitigate the security vulnerability.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-12T02:41:00", "type": "thn", "title": "Apple Releases Urgent iPhone and iPad Updates to Patch New Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883"], "modified": "2021-10-20T05:21:18", "id": "THN:BB8CDCFD08801BDD2929E342853D03E9", "href": "https://thehackernews.com/2021/10/apple-releases-urgent-iphone-and-ipad.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:18", "description": "[](<https://thehackernews.com/images/-b6kGmU8c6Gc/YP-1oely-GI/AAAAAAAADV0/MURJ7OCSDsoeAi2sHU_Bb2cqNT4e2C-qACLcBGAsYHQ/s0/apple-iphone-hacking.jpg>)\n\nApple on Monday rolled out an urgent security update for [iOS, iPadOS](<https://support.apple.com/en-us/HT212622>), and [macOS](<https://support.apple.com/en-us/HT212623>) to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year.\n\nThe updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue (**CVE-2021-30807**) in the IOMobileFrameBuffer component, a kernel extension for managing the screen [framebuffer](<https://en.wikipedia.org/wiki/Framebuffer>), that could be abused to execute arbitrary code with kernel privileges.\n\nThe company said it addressed the issue with improved memory handling, noting it's \"aware of a report that this issue may have been actively exploited.\" As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the vulnerability.\n\nThe timing of the update also raises questions about whether the zero-day had any role in compromising iPhones using NSO Group's [Pegasus software](<https://forbiddenstories.org/case/the-pegasus-project/>), which has become the focus of a series of [investigative reports](<https://thehackernews.com/2021/07/new-leak-reveals-abuse-of-pegasus.html>) that have exposed how the spyware tool turned mobile phones of journalists, human rights activists, and others into portable surveillance devices, granting complete access to sensitive information stored in them.\n\nCVE-2021-30807 is also the thirteenth zero-day vulnerability addressed by Apple this year alone, including \u2014\n\n * [CVE-2021-1782](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges\n * [CVE-2021-1870](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [CVE-2021-1871](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [CVE-2021-1879](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting\n * [CVE-2021-30657](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks\n * [CVE-2021-30661](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30663](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30665](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30666](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30713](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences\n * [CVE-2021-30761](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [CVE-2021-30762](<https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n\nGiven the [public availability](<https://twitter.com/b1n4r1b01/status/1419734027565617165>) of a proof-of-concept (PoC) exploit, it's highly recommended that users move quickly to update their devices to the latest version to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-27T07:28:00", "type": "thn", "title": "Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807"], "modified": "2021-07-27T11:14:04", "id": "THN:080F85D43290560CDED8F282EE277B00", "href": "https://thehackernews.com/2021/07/apple-releases-urgent-0-day-bug-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEggQTDQ-V9WbcSJKwsXKGeYWFxP3jSKikqYhYG8xpFa_NiB7aFJV8tcR11eRFpoq9nIOMlHfbefT2pZC9vdUHCul3SAafHr4t5T-oIIj-H61WEAlv8x9Mfzo1cqzuxor4bqF090P_C7w7fQqzoSFEmUVm1PvbmzU9YENMC2O_ZAEkOC_qbBbzYZdzhA>)\n\nGoogle on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone.\n\nThe issues, designated as [CVE-2021-37975 and CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>), are part of a total of four patches, and concern a [use-after-free flaw](<https://cwe.mitre.org/data/definitions/416.html>) in V8 JavaScript and WebAssembly engine as well as an information leak in core.\n\nAs is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it's aware that \"exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.\"\n\nAn anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Cl\u00e9ment Lecigne from Google Threat Analysis Group, who was also credited with [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>), another actively exploited use-after-free vulnerability in Chrome's Portals API that was reported last week, raising the possibility that the two flaws may have been stringed together as part of an exploit chain to execute arbitrary code.\n\nWith the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n\nChrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-01T03:30:00", "type": "thn", "title": "Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976"], "modified": "2021-10-05T05:27:09", "id": "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "href": "https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:16", "description": "[](<https://thehackernews.com/images/-EBTuV2RF5wo/YU6_b4n3Y4I/AAAAAAAAD5w/Rv4cfNWgTzsitUR4O-m9Hoo5Jsb-IyxJACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Friday rolled out an emergency security patch to its Chrome web browser to address a security flaw that's known to have an exploit in the wild.\n\nTracked as [CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>), the vulnerability has been described as [use after free](<https://cwe.mitre.org/data/definitions/416.html>) in [Portals API](<https://web.dev/hands-on-portals/>), a web page navigation system that enables a page to show another page as an inset and \"perform a seamless transition to a new state, where the formerly-inset page becomes the top-level document.\"\n\nCl\u00e9ment Lecigne of Google Threat Analysis Group (TAG) has been credited with reporting the flaw. Additional specifics pertaining to the weakness have not been disclosed in light of active exploitation and to allow a majority of the users to apply the patch, but the internet giant said it's \"aware that an exploit for CVE-2021-37973 exists in the wild.\"\n\nThe update arrives a day after Apple moved to close an actively exploited security hole in older versions of iOS and macOS ([CVE-2021-30869](<https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html>)), which the TAG noted as being \"used in conjunction with a N-day remote code execution targeting WebKit.\" With the latest fix, Google has addressed a total of [12 zero-day flaws in Chrome](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) since the start of 2021:\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n\nChrome users are advised to update to the latest version (94.0.4606.61) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-25T06:39:00", "type": "thn", "title": "Urgent Chrome Update Released to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30869", "CVE-2021-37973"], "modified": "2021-09-27T04:38:24", "id": "THN:6A9CD6F085628D08978727C0FF597535", "href": "https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:48", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEibt_uA0VwMgumOtohRzrBSD-Inv5dv71ZMU1Hu4XYJFQxp8FVjEZzeLUuvttUyYx1xMxQJ16Nfw5Jdc7mPLfwoGoTeZqrLRMZ005Eu673XGL_uJrq7LDUpWojmmmN1YHSwVQcJQzL28acTco05Z7auS001HlgSR96GjvrE5gDr2M123luTRVFTFcAT>)\n\nGoogle has rolled out fixes for five security vulnerabilities in its Chrome web browser, including one which it says is being exploited in the wild, making it the [17th such weakness](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) to be disclosed since the start of the year.\n\nTracked as [CVE-2021-4102](<https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html>), the flaw relates to a [use-after-free bug](<https://cwe.mitre.org/data/definitions/416.html>) in the V8 JavaScript and WebAssembly engine, which could have severe consequences ranging from corruption of valid data to the execution of arbitrary code. An anonymous researcher has been credited with discovering and reporting the flaw.\n\nAs it stands, it's not known how the weakness is being abused in real-world attacks, but the internet giant issued a terse statement that said, \"it's aware of reports that an exploit for CVE-2021-4102 exists in the wild.\" This is done so in an attempt to ensure that a majority of users are updated with a fix and prevent further exploitation by other threat actors.\n\nCVE-2021-4102 is the second use-after-free vulnerability in V8 the company has remediated in less than three months following reports of active exploitation, with the previous vulnerability [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>), also reported by an anonymous researcher, plugged in an update it shipped on September 30. It's not immediately clear if the two flaws bear any relation to one another.\n\nWith this latest update, Google has addressed a record 17 zero-days in Chrome this year alone \u2014\n\n * [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [CVE-2021-21206](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [CVE-2021-21220](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [CVE-2021-30551](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [CVE-2021-30554](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [CVE-2021-30563](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [CVE-2021-30632](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [CVE-2021-30633](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [CVE-2021-37973](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals \n * [CVE-2021-37975](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [CVE-2021-37976](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n * [CVE-2021-38000](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Insufficient validation of untrusted input in Intents\n * [CVE-2021-38003](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Inappropriate implementation in V8\n\nChrome users are recommended to update to the latest version (96.0.4664.110) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-12-14T04:13:00", "type": "thn", "title": "Update Google Chrome to Patch New Zero-Day Exploit Detected in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102"], "modified": "2021-12-14T04:30:59", "id": "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "href": "https://thehackernews.com/2021/12/update-google-chrome-to-patch-new-zero.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:09", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgMs77BPvPvj6P-3E7i08R8I_ixvGQZgvS5p1CxbhBqiARNzNLx3R6X1fYdCRjiQmZfLY3-6HUY_hPXAucE_jFVypFTV0HG0XIru72uSOfwfn3mMcLC9j6XyeOCF7We4fYjthQ17-YmGUSvhPWEOlnBXakT_9U8IYdpMKEB6GeCFMJI8ihho5D-6JUO>)\n\nGoogle on Thursday rolled out an emergency update for its Chrome web browser, including fixes for two zero-day vulnerabilities that it says are being actively exploited in the wild.\n\nTracked as **CVE-2021-38000** and **CVE-2021-38003**, the weaknesses relate to insufficient validation of untrusted input in a feature called Intents as well as a case of inappropriate implementation in V8 JavaScript and WebAssembly engine. The internet giant's Threat Analysis Group (TAG) has been credited with discovering and reporting the two flaws on September 15, 2021, and October 26, 2021, respectively.\n\n\"Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,\" the company [noted](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>) in an advisory without delving into technical specifics about how the two vulnerabilities were used in attacks or the threat actors that may have weaponized them.\n\nAlso addressed as part of this stable channel update is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in the Web Transport component (CVE-2021-38002), which was demonstrated for the first time at the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) contest held earlier this month in China. With these patches, Google has resolved a record 16 zero-days in the web browser since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n * [**CVE-2021-30632**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Out of bounds write in V8\n * [**CVE-2021-30633**](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) \\- Use-after-free in Indexed DB API\n * [**CVE-2021-37973**](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals\n * [**CVE-2021-37975**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Use-after-free in V8\n * [**CVE-2021-37976**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n\nChrome users are advised to update to the latest version (95.0.4638.69) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate any potential risk of active exploitation.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-10-29T04:08:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38002", "CVE-2021-38003"], "modified": "2021-10-29T04:08:52", "id": "THN:B7217784F9D53002315C9C43CCC73766", "href": "https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/--Br-zb7NQb0/YPEUTqMvgsI/AAAAAAAADNw/cesEHjkHFKgyqC_MTP_ji5iUXUCeqoH1QCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being exploited in the wild.\n\nThe latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ([CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>)). The search giant credited an anonymous researcher for reporting the flaw on July 12.\n\nAs is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that \"an exploit for CVE-2021-30563 exists in the wild\" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse.\n\nCVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n\nChrome users are advised to update to the latest version (91.0.4472.164) by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T05:08:00", "type": "thn", "title": "Update Your Chrome Browser to Patch New Zero\u2011Day Bug Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563"], "modified": "2021-07-16T05:08:47", "id": "THN:C736174C6B0ADC38AA88BC58F30271DA", "href": "https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:19", "description": "[](<https://thehackernews.com/images/-FOgCdN3CSOk/YUAgGS1bB1I/AAAAAAAADyc/2oKkq_Mon1AnpsrRVosSNgmXm6ZdbQTXACLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Monday released security updates for Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild.\n\nTracked as **CVE-2021-30632** and **CVE-2021-30633**, the [vulnerabilities](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) concern an out of bounds write in V8 JavaScript engine and a use after free flaw in Indexed DB API respectively, with the internet giant crediting anonymous researchers for reporting the bugs on September 8.\n\nAs is typically the case, the company said it's \"aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild\" without sharing additional specifics about how, when, and where the vulnerabilities were exploited, or the threat actors that may be abusing them.\n\nWith these two security shortcomings, Google has addressed a total of 11 zero-day vulnerabilities in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>) \\- Type confusion in V8\n * [**CVE-2021-30554**](<https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html>) \\- Use-after-free in WebGL\n * [**CVE-2021-30563**](<https://thehackernews.com/2021/07/update-your-chrome-browser-to-patch-new.html>) \\- Type confusion in V8\n\nChrome users are advised to update to the latest version (93.0.4577.82) for Windows, Mac, and Linux by heading to Settings > Help > 'About Google Chrome' to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-09-14T04:08:00", "type": "thn", "title": "Update Google Chrome to Patch 2 New Zero-Day Flaws Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-19T08:13:46", "id": "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "href": "https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:57", "description": "[](<https://thehackernews.com/images/-EY0jLibkpcU/YMgfQajFNQI/AAAAAAAAC3I/EIU5a5Wq51o-5TvSYm6aKt_vlbbskE6UACLcBGAsYHQ/s0/apple-zero-day.png>)\n\nApple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it says are being actively exploited in the wild.\n\nThe latest update, [iOS 12.5.4](<https://support.apple.com/en-us/HT212548>), comes with fixes for three security bugs, including a memory corruption issue in [ASN.1 decoder](<https://en.wikipedia.org/wiki/ASN.1>) (CVE-2021-30737) and two flaws concerning its WebKit browser engine that could be abused to achieve remote code execution \u2014\n\n * **CVE-2021-30761** \\- A memory corruption issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was addressed with improved state management.\n * **CVE-2021-30762** \\- A use-after-free issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was resolved with improved memory management.\n\nBoth CVE-2021-30761 and CVE-2021-30762 were reported to Apple anonymously, with the Cupertino-based company stating in its advisory that it's aware of reports that the vulnerabilities \"may have been actively exploited.\" As is usually the case, Apple didn't share any specifics on the nature of the attacks, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nOne thing evident, however, is that the active exploitation attempts were directed against owners of older devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The move mirrors a similar fix that Apple rolled out on May 3 to remediate a buffer overflow vulnerability (CVE-2021-30666) in WebKit targeting the same set of devices.\n\nAlong with the two aforementioned flaws, Apple has patched a total of 12 zero-days affecting iOS, iPadOS, macOS, tvOS, and watchOS since the start of the year \u2014\n\n * [**CVE-2021-1782**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (Kernel) - A malicious application may be able to elevate privileges\n * [**CVE-2021-1870**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1871**](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (WebKit) - A remote attacker may be able to cause arbitrary code execution\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>) (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting\n * [**CVE-2021-30657**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (System Preferences) - A malicious application may bypass Gatekeeper checks\n * [**CVE-2021-30661**](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>) (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30663**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30665**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30666**](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2021-30713**](<https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html>) (TCC framework) - A malicious application may be able to bypass Privacy preferences\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the vulnerabilities.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-15T03:32:00", "type": "thn", "title": "Apple Issues Urgent Patches for 2 Zero-Day Flaws Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30737", "CVE-2021-30761", "CVE-2021-30762"], "modified": "2021-06-15T10:08:36", "id": "THN:0D13405795D42B516C33D8E56A44BA9D", "href": "https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-Oinzu8T6SmI/YMBZ7WkhbJI/AAAAAAAACzI/kVA4Ura4Yl4MrNb_jPNPBtgjkBj1DSs1wCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday released another round of [security updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jun>) for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.\n\nThe flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nOf these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that being actively exploited are listed below -\n\n * [**CVE-2021-33742**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability\n * [**CVE-2021-33739**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability\n * [**CVE-2021-31199**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31201**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability\n * [**CVE-2021-31955**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability\n * [**CVE-2021-31956**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability\n\nMicrosoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.\n\nThe Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to [CVE-2021-28550](<https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html>), an arbitrary code execution vulnerability rectified by Adobe last month that it said was being \"exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\"\n\nGoogle's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, [said](<https://twitter.com/ShaneHuntley/status/1402320072123719690>) \"this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.\"\n\nRussian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain ([CVE-2021-21224](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>)) in a series of highly targeted attacks against multiple companies on April 14 and 15. The intrusions were attributed to a new threat actor dubbed \"PuzzleMaker.\"\n\n\"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges,\" Kaspersky Lab researchers [said](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nElsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-06-01>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [Intel](<https://blogs.intel.com/technology/2021/06/intel-security-advisories-for-june-2021/>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-June/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999>) (with cybersecurity firm Onapsis [credited](<https://onapsis.com/blog/sap-security-patch-day-june-2021-multiple-memory-corruption-vulnerabilities-can-lead-system>) with identifying 20 of the 40 remediated flaws)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-09T06:07:00", "type": "thn", "title": "Update Your Windows Computers to Patch 6 New In-the-Wild Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-09T16:52:54", "id": "THN:1DDE95EA33D4D9F304973569FC787451", "href": "https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:58", "description": "[](<https://thehackernews.com/images/--v2cn8JGV00/YMGRd9cFvrI/AAAAAAAACz4/i5Stk6m4GEgwbul82T6lZeEbdMMNfofJQCLcBGAsYHQ/s0/chrome-zero-day-vulnerability.jpg>)\n\nAttention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.\n\nThe internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.\n\nTracked as [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html>), the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.\n\nAlthough the search giant's Chrome team issued a terse statement acknowledging \"an exploit for CVE-2021-30551 exists in the wild,\" Shane Huntley, Director of Google's Threat Analysis Group, [hinted](<https://twitter.com/ShaneHuntley/status/1402712986289016835>) that the vulnerability was leveraged by the same actor that abused [CVE-2021-33742](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>), an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.\n\n[](<https://thehackernews.com/images/-XI4fkisfDp0/YMGPq0RtpKI/AAAAAAAACzw/d0mpshr20nw2j--sOXxBrrTJIj2IP95ewCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nThe two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.\n\nMore technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.\n\nWith the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year \u2014\n\n * [**CVE-2021-21148**](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) \\- Heap buffer overflow in V8\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>) \\- Object recycle issue in audio\n * [**CVE-2021-21193**](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21206**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Use-after-free in Blink\n * [**CVE-2021-21220**](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) \\- Insufficient validation of untrusted input in V8 for x86_64\n * [**CVE-2021-21224**](<https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html>) \\- Type confusion in V8\n\nChrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-10T04:14:00", "type": "thn", "title": "New Chrome 0-Day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-06-10T10:25:50", "id": "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "href": "https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:21", "description": "[](<https://thehackernews.com/images/-9Ndx9Vcrx9E/YHaB5SvoxwI/AAAAAAAACRI/WgbWr7Dgj6sRKNuvNcO4lj-zwEO5CNQdwCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\nGoogle on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation.\n\nOne of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the [Pwn2Own 2021](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) hacking contest last week.\n\nWhile Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a [working exploit](<https://thehackernews.com/2021/04/rce-exploit-released-for-unpatched.html>) over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release.\n\n**UPDATE:** _Agarwal, in an email to The Hacker News, confirmed that there's [one more vulnerability](<https://twitter.com/r4j0x00/status/1382125720344793090>) affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update._\n\n\"Even though both the flaws are different in nature, they can be exploited to gain RCE in the renderer process,\" Agarwal told The Hacker News via email. \"I suspect that the first patch was released with the Chrome update because of the published exploit but as the second patch was not applied to Chrome, it can still be exploited.\"\n\nAlso resolved by the company is a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink browser engine (CVE-2021-21206). An anonymous researcher has been credited with reporting the flaw on April 7.\n\n[](<https://thehackernews.com/images/-Co9nqKO9t2I/YHaAjushveI/AAAAAAAACRA/uFUYN6VpoCwJz2lCJEMBEGAwXowVZlR3wCLcBGAsYHQ/s0/chrome-hacking.jpg>)\n\n\"Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>) in a blog post.\n\nIt's worth noting that the existence of an exploit is not evidence of active exploitation by threat actors. Since the start of the year, Google has fixed three shortcomings in Chrome that have been under attack, including [CVE-2021-21148](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>), [CVE-2021-21166](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>), and [CVE-2021-21193](<https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html>).\n\nChrome 89.0.4389.128 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-14T05:48:00", "type": "thn", "title": "Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220"], "modified": "2021-04-14T08:32:40", "id": "THN:F197A729A4F49F957F9D5910875EBAAA", "href": "https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-s5Iv1JAWb9E/YUI9Ecx55CI/AAAAAAAADzc/GZ8B73768Pk8g0hW4maN8O-IOSq9arQIQCLcBGAsYHQ/s0/azure.gif>)\n\nMicrosoft on Tuesday addressed a quartet of security flaws as part of its [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems.\n\nThe list of flaws, collectively called **OMIGOD** by researchers from Wiz, affect a little-known software agent called Open Management Infrastructure that's automatically deployed in many Azure services -\n\n * [**CVE-2021-38647**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>) (CVSS score: 9.8) - Open Management Infrastructure Remote Code Execution Vulnerability\n * [**CVE-2021-38648**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>) (CVSS score: 7.8) - Open Management Infrastructure Elevation of Privilege Vulnerability\n * [**CVE-2021-38645**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) (CVSS score: 7.8) - Open Management Infrastructure Elevation of Privilege Vulnerability\n * [**CVE-2021-38649**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) (CVSS score: 7.0) - Open Management Infrastructure Elevation of Privilege Vulnerability\n\nOpen Management Infrastructure ([OMI](<https://github.com/microsoft/omi>)) is an open-source [analogous equivalent](<https://cloudblogs.microsoft.com/windowsserver/2012/06/28/open-management-infrastructure/>) of Windows Management Infrastructure (WMI) but designed for Linux and UNIX systems such as CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux Server, SUSE Linux, and Ubuntu that allows for monitoring, inventory management, and syncing configurations across IT environments.\n\nAzure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation.\n\n\"When users enable any of these popular services, OMI is silently installed on their virtual machine, running at the highest privileges possible,\" Wiz security researcher Nir Ohfeld [said](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>). \"This happens without customers' explicit consent or knowledge. Users simply click agree to log collection during set-up and they have unknowingly opted in.\"\n\n\"In addition to Azure cloud customers, other Microsoft customers are affected since OMI can be independently installed on any Linux machine and is frequently used on-premise,\" Ohfeld added.\n\nSince the OMI agent runs as root with the highest privileges, the aforementioned vulnerabilities could be abused by external actors or low-privileged users to remotely execute code on target machines and escalate privileges, thereby enabling the threat actors to take advantage of the elevated permissions to mount sophisticated attacks.\n\n[](<https://thehackernews.com/images/-T0XmM7RcIvQ/YUI8jF03JfI/AAAAAAAADzU/AYwbK2Xv1cAtn6q-McPGNwxtZbKSWYYIwCLcBGAsYHQ/s0/hack-1.gif>)\n\nThe most critical of the four flaws is a remote code execution flaw arising out of an internet-exposed HTTPS port like 5986, 5985, or 1270, allowing attackers to obtain initial access to a target Azure environment and subsequently move laterally within the network.\n\n\"This is a textbook RCE vulnerability that you would expect to see in the 90's \u2013 it's highly unusual to have one crop up in 2021 that can expose millions of endpoints,\" Ohfeld said. \"With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It's that simple.\"\n\n\"OMI is just one example of a 'secret' software agent that's pre-installed and silently deployed in cloud environments. It's important to note that these agents exist not just in Azure but in [Amazon Web Services] and [Google Cloud Platform] as well.\"\n\n**_Update:_** Microsoft on Thursday published additional guidance for the [OMIGOD vulnerabilities](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>), urging customers to apply the updates manually as and when they become available per the schedule outlined [here](<https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/>). The security issues impact all versions of OMI below [1.6.8-1](<https://github.com/microsoft/omi/releases/tag/v1.6.8-1>).\n\n\"Several Azure Virtual Machine (VM) management extensions use [the OMI] framework to orchestrate configuration management and log collection on Linux VMs,\" Microsoft Security Response Center said in a bulletin. \"The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.\"\n\nThe development comes as Bad Packets [reported](<https://twitter.com/bad_packets/status/1438753415106994179>) [mass scanning](<https://www.greynoise.io/viz/query/?gnql=cve%3ACVE-2021-38647>) of Azure Linux-based servers vulnerable to the remote code execution flaw in an attempt to hijack vulnerable systems and mount further attacks, which, in turn, have been fueled by the [public release](<https://twitter.com/GossiTheDog/status/1438604418212114440>) of a proof-of-concept (PoC) exploit.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T18:36:00", "type": "thn", "title": "Critical Flaws Discovered in Azure App That Microsoft Secretly Installs on Linux VMs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649"], "modified": "2021-09-17T19:17:45", "id": "THN:69DC54E89A77C1E4E0DFE9C6EA3BAB48", "href": "https://thehackernews.com/2021/09/critical-flaws-discovered-in-azure-app.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:16", "description": "[](<https://thehackernews.com/images/-pYRFN6NLe6E/YJDef-c1NrI/AAAAAAAACcc/4bGiU-I6wLM0L_4q6OkSYydQnsvyfnlEwCLcBGAsYHQ/s0/apple-update.jpg>)\n\nApple on Monday released security updates for [iOS](<https://support.apple.com/en-us/HT212336>), [macOS](<https://support.apple.com/en-us/HT212335>), and [watchOS](<https://support.apple.com/en-us/HT212339>) to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild.\n\nThe weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target devices. A summary of the three security bugs are as follows -\n\n * **CVE-2021-30663:** An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved input validation.\n * **CVE-2021-30665:** A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved state management.\n * **CVE-2021-30666:** A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved memory handling.\n\nThe development comes a week after Apple rolled out iOS 14.5 and macOS Big Sur 11.3 with a fix for a potentially exploited WebKit Storage vulnerability. Tracked as [CVE-2021-30661](<https://thehackernews.com/2021/04/hackers-exploit-0-day-gatekeeper-flaw.html>), the use-after-free issue was discovered and reported to the iPhone maker by a security researcher named yangkang ([@dnpushme](<https://twitter.com/dnpushme>)) of Qihoo 360 ATA.\n\nyangkang, along with zerokeeper and bianliang, have been credited with reporting the three new flaws.\n\nIt's worth noting that CVE-2021-30666 only affects older Apple devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The [iOS 12.5.3](<https://support.apple.com/en-us/HT212341>) update, which remediates this flaw, also includes a fix for CVE-2021-30661.\n\nThe company said it's aware of reports that the issues \"may have been actively exploited\" but, as is typically the case, failed to elaborate about the nature of attacks, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.\n\n**Update: **Apple has also [released](<https://support.apple.com/en-us/HT212340>) a new version of Safari 14.1 for macOS Catalina and macOS Mojave, with the update introducing fixes for the two WebKit flaws CVE-2021-30663 and CVE-2021-30665. The update comes a day after patches were shipped for iOS, macOS, and watchOS.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-04T05:42:00", "type": "thn", "title": "Apple Releases Urgent Security Patches For Zero\u2011Day Bugs Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666"], "modified": "2021-05-05T03:21:40", "id": "THN:F0D5DEDB6BEE875D30F098FB7A4E55A1", "href": "https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:06", "description": "[](<https://thehackernews.com/images/-o4PjWjTeBCk/YDSsM4Y2pnI/AAAAAAAAB3A/s_vIwO-nBdgTSgGdEET9fFhVzK0QVUeuwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nCybersecurity researchers on Monday tied a [string of attacks](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called **UNC2546**.\n\nThe attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.\n\nBut in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.\n\nAccording to [Risky Business](<https://risky.biz/newsletter44/>), some of the companies that have had their data listed on the site include Singapore's telecom provider [SingTel](<https://www.singtel.com/personal/support/about-accellion-security-incident>), the American Bureau of Shipping, law firm [Jones Day](<https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532>), the Netherlands-based [Fugro](<https://www.fugro.com/media-centre/news/fulldetails/2021/02/12/cyber-security-incident-third-party-supplier-of-fugro>), and life sciences company Danaher.\n\n[](<https://thehackernews.com/images/-Q8lPq3Q_3Ak/YDSqVE_QgnI/AAAAAAAAB24/rXciWGBxiEoUYoFwkxwNK4iI-SawG1jkACLcBGAsYHQ/s0/data-theft.jpg>)\n\nFollowing the slew of attacks, Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -\n\n * CVE-2021-27101 - SQL injection via a crafted Host header\n * CVE-2021-27102 - OS command execution via a local web service call\n * CVE-2021-27103 - SSRF via a crafted POST request\n * CVE-2021-27104 - OS command execution via a crafted POST request\n\nFireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is [tracking](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>) the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite \"compelling\" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.\n\n\"Many of the organizations compromised by UNC2546 were previously targeted by FIN11,\" FireEye said. \"Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.\"\n\nOnce installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the \"CLOP ransomware team\" several weeks later.\n\nLack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.\n\nBesides urging its FTA customers to migrate to kiteworks, Accellion [said](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/>) fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered \"significant\" data theft.\n\nThe development comes after grocery chain Kroger [disclosed](<https://www.kroger.com/i/accellion-incident>) last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.\n\nThen earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it had been impacted by the worldwide Accellion data breach.\n\n\"The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW,\" the Australian agency [said](<https://www.transport.nsw.gov.au/news-and-events/articles/transport-for-nsw-impacted-by-worldwide-accellion-data-breach>). \"Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-23T07:18:00", "type": "thn", "title": "Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-23T08:26:03", "id": "THN:43A16BBDCD3B020E360EE37C48B44088", "href": "https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-HxsxXCBkPXE/YH-natH6OTI/AAAAAAAACUA/6_XHWg-Cu_YYS4p-8w6I8XWh3VRUU9ZMQCLcBGAsYHQ/s0/pulse-secure-hacking.jpg>)\n\nIf Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. Defense Industrial base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\n[](<https://thehackernews.com/images/-_r1BkPmCUK8/YH-n1A6EuZI/AAAAAAAACUI/MS0JCaPy_hEkXJpAquULKRANPrKeNuL_gCLcBGAsYHQ/s728/vpn-hacking.jpg>)\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-21T04:20:00", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T17:42:28", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:20", "description": "[](<https://thehackernews.com/images/-lnmWNBrSE9k/YPWhrFsftuI/AAAAAAAA4Tc/mV6atejnTU8JKQ98Latgx1poZRDDLxvXgCLcBGAsYHQ/s0/cyber.jpg>)\n\nTwo of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of \"precision attacks\" to hack more than 100 journalists, academics, activists, and political dissidents globally.\n\nThe spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab.\n\n\"[Candiru](<https://www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/>)'s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,\" Citizen Lab researchers [said](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>). \"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.\"\n\nFounded in 2014, the private-sector offensive actor (PSOA) \u2014 codenamed \"Sourgum\" by Microsoft \u2014 is said to be the developer of an espionage toolkit dubbed DevilsTongue that's exclusively sold to governments and is capable of infecting and monitoring a broad range of devices across different platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.\n\nCitizen Lab said it was able to recover a copy of Candiru's Windows spyware after obtaining a hard drive from \"a politically active victim in Western Europe,\" which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as [CVE-2021-31979 and CVE-2021-33771](<https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html>) that were leveraged to install malware on victim boxes.\n\nThe infection chain relied on a mix of browser and Windows exploits, with the former served via single-use URLs sent to targets on messaging applications such as WhatsApp. Microsoft addressed both the privilege escalation flaws, which enable an adversary to escape browser sandboxes and gain kernel code execution, on July 13.\n\nThe intrusions culminated in the deployment of DevilsTongue, a modular C/C++-based backdoor equipped with a number of capabilities, including exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.\n\nMicrosoft's analysis of the digital weapon also found that it could abuse the stolen cookies from logged-in email and social media accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim's messages, retrieve photos, and even send messages on their behalf, thus allowing the threat actor to send malicious links directly from a compromised user's computer.\n\nSeparately, the Citizen Lab report also tied the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday \u2014 [CVE-2021-21166 and CVE-2021-30551](<https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html>) \u2014 to the Tel Aviv company, noting overlaps in the websites that were used to distribute the exploits.\n\nFurthermore, 764 domains linked to Candiru's spyware infrastructure were uncovered, with many of the domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities. Some of the systems under their control were operated from Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia.\n\nOver 100 victims of SOURGUM's malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. \"These attacks have largely targeted consumer accounts, indicating Sourgum's customers were pursuing particular individuals,\" Microsoft's General Manager of Digital Security Unit, Cristin Goodwin, [said](<https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/>).\n\nThe latest report arrives as TAG researchers Maddie Stone and Clement Lecigne noted a surge in attackers using more zero-day exploits in their cyber offensives, in part fueled by more commercial vendors selling access to zero-days than in the early 2010s.\n\n\"Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices,\" Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/>) in a technical rundown.\n\n\"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks,\" MSTIC added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-16T11:13:00", "type": "thn", "title": "Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166", "CVE-2021-30551", "CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-19T16:01:00", "id": "THN:CDCF433A7837180E1F294791C672C5BB", "href": "https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. \u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of the customers compromised Exchange servers had been deployed with a crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-AxSsNt-9gYo/YD838gSOOTI/AAAAAAAAB7Q/IuSgG26w0NU-eyKMabZMnUfb7QBDyHkUgCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nMicrosoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:21", "description": "[](<https://thehackernews.com/images/-xmPJ5TMTpac/YO_wfpf1LkI/AAAAAAAADM4/xSKsZYAbLBYJjYvNQilqUM9z0lf0Rx7_gCLcBGAsYHQ/s0/chrome.jpg>)\n\nThreat intelligence researchers from Google on Wednesday [shed more light](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year.\n\nWhat's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows -\n\n * [**CVE-2021-1879**](<https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html>): Use-After-Free in QuickTimePluginReplacement (Apple WebKit)\n * [**CVE-2021-21166**](<https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html>): Chrome Object Lifecycle Issue in Audio\n * [**CVE-2021-30551**](<https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html>): Chrome Type Confusion in V8\n * [**CVE-2021-33742**](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>): Internet Explorer out-of-bounds write in MSHTML\n\nBoth Chrome zero-days \u2014 CVE-2021-21166 and CVE-2021-30551 \u2014 are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled domains that masqueraded as legitimate websites of interest to the recipients.\n\nThe malicious websites took charge of fingerprinting the devices, including collecting system information about the clients, before delivering a second-stage payload.\n\nWhen Google rolled out a patch for CVE-2021-30551, Shane Huntley, Director of Google's Threat Analysis Group (TAG), revealed that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its [Patch Tuesday update](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) on June 8.\n\nThe two zero-days were provided by a commercial exploit broker to a nation-state adversary, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley previously added.\n\n[](<https://thehackernews.com/images/--ol-CfJ3-bE/YO_tDkpfuNI/AAAAAAAADMw/bonGU0wpX_QzAsMNe5_Eh_0_Nb4OAma_QCLcBGAsYHQ/s0/zero-day.jpg>)\n\nNow according to a technical report published by the team, all the three zero-days were \"developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors,\" adding the Internet Explorer flaw was used in a campaign targeting Armenian users with malicious Office documents that loaded web content within the web browser.\n\nGoogle did not disclose the identities of the exploit broker or the two threat actors that used the vulnerabilities as part of their attacks.\n\n## SolarWinds Hackers Exploited iOS Zero-Day\n\nThe Safari zero-day, in contrast, concerned a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks. The issue was rectified by Apple on March 26, 2021.\n\nAttacks leveraging CVE-2021-1879, which Google attributed to a \"likely Russian government-backed actor,\" were executed by means of sending malicious links to government officials over LinkedIn that, when clicked from an iOS device, redirected the user to a rogue domain that served the next-stage payloads.\n\nIt's worth noting that the offensive also mirrors a [wave of targeted attacks](<https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html>) unleashed by Russian hackers tracked as Nobelium, which was found abusing the vulnerability to strike government agencies, think tanks, consultants, and non-governmental organizations as part of an email phishing campaign.\n\nNobelium, a threat actor linked to the Russian Foreign Intelligence Service (SVR), is also suspected of orchestrating the [SolarWinds supply chain attack](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>) late last year. It's known by other aliases such as APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).\n\n\"Halfway into 2021, there have been [33 zero-day exploits](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>) used in attacks that have been publicly disclosed this year \u2014 11 more than the total number from 2020,\" TAG researchers Maddie Stone and Clement Lecigne noted. \"While there is an increase in the number of zero-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-15T08:25:00", "type": "thn", "title": "Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T12:45:33", "id": "THN:BBBFDA7EEE18F813A5DA572FD390D528", "href": "https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-29T03:59:29", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRrnxKtJzXQbaLrPRY2GEIij8so07HImMs9wbPTTP-j92ED6wxTFv-NdQyw_Z0JBlqIYh-H3g2WKAcIkt70zKcB5AxP9KcQgCqChBwNsYPu9CQ_Xp6uBmkhxyoNZpHZIIQrV5TkreAFNBg-kFpOzjxBYxhl5bZqKZH6j9zgyd3itncGVyM5L09fy-c/s728-e100/windows-hacker.jpg>)\n\nA cyber mercenary that \"ostensibly sells general security and information analysis services to commercial customers\" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities.\n\nThe company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called [DSIRF](<https://web.archive.org/web/20220713203741/https:/dsirf.eu/about/>) that's linked to the development and attempted sale of a piece of cyberweapon referred to as **Subzero**, which can be used to hack targets' phones, computers, and internet-connected devices.\n\n\"Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,\" the tech giant's cybersecurity teams [said](<https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/>) in a Wednesday report.\n\nMicrosoft is [tracking](<https://blogs.microsoft.com/on-the-issues/2022/07/27/private-sector-cyberweapons-psoas-knotweed/>) the actor under the moniker KNOTWEED, continuing its trend of terming PSOAs using names given to trees and shrubs. The company previously designated the name [SOURGUM](<https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html>) to Israeli spyware vendor Candiru.\n\nKNOTWEED is known to dabble in both access-as-a-service and [hack-for-hire](<https://thehackernews.com/2022/06/google-blocks-dozens-of-malicious.html>) operations, offering its toolset to third parties as well as directly associating itself in certain attacks.\n\nWhile the former entails the sales of end-to-end hacking tools that can be used by the purchaser in their own operations without the involvement of the offensive actor, hack-for-hire groups run the targeted operations on behalf of their clients.\n\nThe deployment of Subzero is said to have transpired through the exploitation of numerous issues, including an attack chain that abused an unknown Adobe Reader remote code execution (RCE) flaw and a zero-day privilege escalation bug ([CVE-2022-22047](<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>)), the latter of which was addressed by Microsoft as part of its July Patch Tuesday updates.\n\n\"The exploits were packaged into a PDF document that was sent to the victim via email,\" Microsoft explained. \"CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes and achieve system-level code execution.\"\n\nSimilar attack chains observed in 2021 leveraged a combination of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) in conjunction with an Adobe reader flaw (CVE-2021-28550). The three vulnerabilities were [resolved](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) in June 2021.\n\nThe deployment of Subzero subsequently occurred through a fourth exploit, this time taking advantage of a privilege escalation vulnerability in the Windows Update Medic Service ([CVE-2021-36948](<https://thehackernews.com/2021/08/microsoft-releases-windows-updates-to.html>)), which was closed by Microsoft in August 2021.\n\nBeyond these exploit chains, Excel files masquerading as real estate documents have been used as a conduit to deliver the malware, with the files containing [Excel 4.0 macros](<https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html>) designed to kick-start the infection process.\n\nRegardless of the method employed, the intrusions culminate in the execution of shellcode, which is used to retrieve a second-stage payload called Corelump from a remote server in the form of a JPEG image that also embeds a loader named Jumplump that, in turn, loads Corelump into memory.\n\nThe evasive implant comes with a wide range of capabilities, including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins downloaded from the remote server.\n\nAlso deployed during the attacks were bespoke utilities like Mex, a command-line tool to run open source security software like Chisel, and PassLib, a tool to dump credentials from web browsers, email clients, and the Windows credential manager.\n\nMicrosoft said it uncovered KNOTWEED actively serving malware since February 2020 through infrastructure hosted on DigitalOcean and Choopa, alongside identifying subdomains that are used for malware development, debugging Mex, and staging the Subzero payload.\n\nMultiple links have also been unearthed between DSIRF and the malicious tools used in KNOTWEED's attacks.\n\n\"These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,\" Redmond noted.\n\nSubzero is no different from off-the-shelf malware such as [Pegasus](<https://thehackernews.com/2022/07/pegasus-spyware-used-to-hack-devices-of.html>), [Predator](<https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html>), [Hermit](<https://thehackernews.com/2022/06/google-says-isps-helped-attackers.html>), and [DevilsTongue](<https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html>), which are capable of infiltrating phones and Windows machines to remotely control the devices and siphon off data, sometimes without requiring the user to click on a malicious link.\n\nIf anything, the latest findings highlight a burgeoning international market for such sophisticated surveillance technologies to carry out targeted attacks aimed at members of civil society.\n\nAlthough companies that sell commercial spyware advertise their wares as a means to tackle serious crimes, evidence gathered so far has found [several instances](<https://thehackernews.com/2022/06/nso-confirms-pegasus-spyware-used-by-at.html>) of these tools being misused by authoritarian governments and private organizations to snoop on human rights advocates, journalists, dissidents, and politicians.\n\nGoogle's Threat Analysis Group (TAG), which is tracking over 30 vendors that hawk exploits or surveillance capabilities to state-sponsored actors, said the booming ecosystem underscores \"the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments.\"\n\n\"These vendors operate with deep technical expertise to develop and operationalize exploits,\" TAG's Shane Huntley [said](<https://blog.google/threat-analysis-group/googles-efforts-to-identify-and-counter-spyware/>) in a testimony to the U.S. House Intelligence Committee on Wednesday, adding, \"its use is growing, fueled by demand from governments.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-28T11:18:00", "type": "thn", "title": "Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-36948", "CVE-2022-22047"], "modified": "2022-07-29T02:58:07", "id": "THN:DFA2CC41C78DFA4BED87B1410C21CE2A", "href": "https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-nG0kgJIWUe4/YKyCba_26VI/AAAAAAAACnk/LKb9R527jacuLLW42sp_Pra0dvHvKtFKgCLcBGAsYHQ/s0/apple.jpg>)\n\nApple on Monday rolled out security updates for [iOS](<https://support.apple.com/en-us/HT212528>), [macOS](<https://support.apple.com/en-us/HT212529>), [tvOS](<https://support.apple.com/en-us/HT212532>), [watchOS](<https://support.apple.com/en-us/HT212533>), and [Safari](<https://support.apple.com/en-us/HT212534>) web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. \n\nTracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control ([TCC](<https://support.apple.com/en-in/guide/security/secddd1d86a6/web>)) framework in macOS that maintains a database of each user's consents. The iPhone maker acknowledged that the issue may have been exploited in the wild but stopped short of sharing specifics.\n\nThe company noted that it rectified the problem with improved validation.\n\nHowever, in a separate report, mobile device management company Jamf said the bypass flaw was being actively exploited by XCSSET, a malware that's been out in the wild since August 2020 and known to propagate via modified [Xcode IDE projects](<https://developer.apple.com/library/archive/featuredarticles/XcodeConcepts/Concept-Projects.html>) hosted on GitHub repositories and plant malicious packages into legitimate apps installed on the target system.\n\n\"The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent \u2014 which is the default behavior,\" Jamf researchers Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki [said](<https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/>) in a write-up.\n\n[](<https://thehackernews.com/images/-D65Oi6v5MWk/YKx_ahsaI8I/AAAAAAAACnc/7lPcPh2B5Rg04i8Tu6E0cBxGgMMDvthlgCLcBGAsYHQ/s0/iOS-malware.jpg>)\n\nTaking the form of a AppleScript module, the zero-day flaw allowed the hackers to exploit the devices XCSSET was installed to leverage the permissions that have already been provided to the trojanized application to amass and exfiltrate sensitive information.\n\nSpecifically, the malware checked for screen capture permissions from a list of installed applications, such as Zoom, Discord, WhatsApp, Slack, TeamViewer, Upwork, Skype, and Parallels Desktop, to inject the malware (\"avatarde.app\") into the app's folder, thereby inheriting the necessary permissions required to carry out its nefarious tasks.\n\n\"By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval,\" the researchers noted.\n\nXCSSET was also the subject of closer scrutiny [last month](<https://thehackernews.com/2021/04/malware-spreads-via-xcode-projects-now.html>) after a new variant of the malware was detected targeting Macs running on Apple's new M1 chips to steal wallet information from cryptocurrency apps. One of its primary functions is to siphon Safari browser cookies as well as install a developer version of the Safari application to load JavaScript backdoors from its command-and-control server.\n\nAlso fixed as part of Monday's updates are two other actively exploited flaws in its WebKit browser engine affecting Safari, Apple TV 4K, and Apple TV HD devices, almost three weeks after Apple addressed the same issues in [iOS, macOS, and watchOS](<https://thehackernews.com/2021/05/apple-releases-urgent-security-patches.html>) earlier this month.\n\n * **CVE-2021-30663** \\- An integer overflow issue in WebKit, which could be exploited to achieve arbitrary code execution when processing maliciously crafted web content.\n * **CVE-2021-30665** \\- A memory corruption issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.\n\nUsers of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-25T04:52:00", "type": "thn", "title": "Apple\u200c Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30713"], "modified": "2021-05-25T04:52:15", "id": "THN:3251602ACD4E04F5F4C7F140878960E0", "href": "https://thehackernews.com/2021/05/apple-issues-patches-to-combat-ongoing.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-BCVwauxz7O8/YKyosjaDKmI/AAAAAAAACn4/TLH1Bsw4NgwXyHFB5EmU57Aro4WWNwQegCLcBGAsYHQ/s0/pulse-secure-vpn-vulnerability.jpg>)\n\nIvanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that may allow an authenticated remote attacker to execute arbitrary code with elevated privileges.\n\n\"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,\" the company [said](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) in an alert published on May 14. \"As of version 9.1R3, this permission is not enabled by default.\"\n\nThe flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.\n\n\"When specifying a long server name for some SMB operations, the 'smbclt' application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,\" CERT/CC [detailed](<https://kb.cert.org/vuls/id/667933>) in a vulnerability note published on Monday, adding it was able to trigger the vulnerable code by targeting the CGI script '/dana/fb/smb/wnf.cgi.'\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available. In the interim, Ivanti has published a workaround file ('Workaround-2105.xml') that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.\n\nIt bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named '[Workaround-2104.xml,](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY>)' necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in 'Workaround-2105.xml.'\n\n[](<https://thehackernews.com/images/-2uTEZxdSTZw/YKypBTo6Q-I/AAAAAAAACoE/B0oJ9iYqOKkxyiyr2rn0S1KzYo5qu3QvgCLcBGAsYHQ/s0/pulse.jpg>)\n\nWhile Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option 'Files, Window [sic]' for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing. \n\n\"The vulnerable CGI endpoints are still reachable in ways that will trigger the 'smbclt' application to crash, regardless of whether the 'Files, Windows' user role is enabled or not,\" it noted.\n\n\"An attacker would need a valid DSID and 'xsauth' value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.\"\n\nThe disclosure of a new flaw arrives weeks after the Utah-based IT software company [patched](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>) multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively [exploited in the wild](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) by at least two different threat actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-25T07:37:00", "type": "thn", "title": "New High-Severity Vulnerability Reported in Pulse Connect Secure VPN", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22908"], "modified": "2021-05-25T07:37:19", "id": "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "href": "https://thehackernews.com/2021/05/new-high-severity-vulnerability.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-21T04:22:58", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiIMzsLcFtJGLRZh2esVZJgDJEWwYDXVuFP6DZY6RPGSfcln7HmEW4rZJM-f9QB_Ignta4gEcancujYyz8HLHZ12ffMUpZVCtv67RMtcODcQlyFXtUoLlhBaO9nQrQJ3GVMLoW3CCBf1cUr01yiO_hMFYLr9OwyWME0SNnbLuj59ouirdrtCEw5w_E2/s728-e100/malware.jpg>)\n\nGoogle's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.\n\n\"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem,\" TAG researchers Clement Lecigne and Christian Resell [said](<https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/>).\n\nCytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, C\u00f4te d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns.\n\nThe commercial surveillance company is the maker of [Predator](<https://www.securityweek.com/citizen-lab-exposes-cytrox-vendor-behind-predator-iphone-spyware>), an implant [analogous](<https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/>) to that of NSO Group's [Pegasus](<https://thehackernews.com/2022/04/experts-uncover-spyware-attacks-against.html>), and is known to have developed tools that enables its clients to penetrate iOS and Android devices.\n\nIn December 2021, Meta Platforms (formerly Facebook) [disclosed](<https://thehackernews.com/2021/12/facebook-bans-7-cyber-mercenaries.html>) that it had acted to remove roughly 300 accounts on Facebook and Instagram that the company used as part of its compromise campaigns.\n\nThe list of the five exploited zero-day flaws in Chrome and Android is below -\n\n * [**CVE-2021-37973**](<https://thehackernews.com/2021/09/urgent-chrome-update-released-to-patch.html>) \\- Use-after-free in Portals API\n * [**CVE-2021-37976**](<https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html>) \\- Information leak in core\n * [**CVE-2021-38000**](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Insufficient validation of untrusted input in Intents ([root cause analysis](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * [**CVE-2021-38003**](<https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html>) \\- Inappropriate implementation in V8, and\n * [**CVE-2021-1048**](<https://thehackernews.com/2021/11/google-warns-of-new-android-0-day.html>) \\- Use-after-free in Android kernel ([root cause analysis](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1048.html>))\n\nAccording to TAG, all the three campaigns in question commenced with a spear-phishing email that contained one-time links mimicking URL shortener services that, once clicked, redirected the targets to a rogue domain that dropped the exploits before taking the victim to an authentic site.\n\n\"The campaigns were limited \u2014 in each case, we assess the number of targets was in the tens of users,\" Lecigne and Resell noted. \"If the link was not active, the user was redirected directly to a legitimate website.\"\n\nThe ultimate goal of the operation, the researchers assessed, was to distribute a malware dubbed Alien, which acts as a precursor for loading Predator onto infected Android devices.\n\nThe \"simple\" malware, which receives commands from Predator over an inter process communication (IPC) mechanism, is engineered to record audio, add CA certificates, and hide apps to evade detection.\n\nThe first of the three campaigns took place in August 2021. It used Google Chrome as a jumping off point on a Samsung Galaxy S21 device to force the browser to load another URL in the Samsung Internet browser without requiring user interaction by exploiting CVE-2021-38000.\n\nAnother intrusion, which occurred a month later and was delivered to an up-to-date Samsung Galaxy S10, involved an exploit chain using CVE-2021-37973 and CVE-2021-37976 to escape the [Chrome sandbox](<https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md>) (not to be confused with [Privacy Sandbox](<https://thehackernews.com/2022/05/google-releases-first-developer-preview.html>)), leveraging it to drop a second exploit to escalate privileges and deploy the backdoor.\n\nThe third campaign \u2014 a full Android 0-day exploit \u2014 was detected in October 2021 on an up-to-date Samsung phone running the then latest version of Chrome. It strung together two flaws, CVE-2021-38003 and CVE-2021-1048, to escape the sandbox and compromise the system by injecting malicious code into privileged processes.\n\nGoogle TAG pointed out that while CVE-2021-1048 was fixed in the Linux kernel in September 2020, it wasn't backported to Android until last year as the [fix](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=77f4689de17c0887775bb77896f4cc11a39bf848>) was not marked as a security issue.\n\n\"Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities,\" the researchers said.\n\n\"Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-05-20T10:58:00", "type": "thn", "title": "Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1048", "CVE-2021-37973", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003"], "modified": "2022-05-21T03:11:07", "id": "THN:C6CED16C5E8707F2EF9BD08516F7456C", "href": "https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:16", "description": "[](<https://thehackernews.com/images/-5dTHnEs3qjc/YU1EKDZsIKI/AAAAAAAAD4o/SztREgil99ENgTumohbms1jhEOBVjMiwACLcBGAsYHQ/s0/apple-software-update.jpg>)\n\nApple on Thursday released security updates to fix multiple security vulnerabilities in older versions of [iOS](<https://support.apple.com/en-us/HT212824>) and [macOS](<https://support.apple.com/en-us/HT212825>) that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users.\n\nChief among them is CVE-2021-30869, a type confusion flaw that resides in the kernel component [XNU](<https://en.wikipedia.org/wiki/XNU>) developed by Apple that could cause a malicious application to execute arbitrary code with the highest privileges. The Cupertino-based tech giant said it addressed the bug with improved state handling.\n\nGoogle's Threat Analysis Group, which is credited with reporting the flaw, [said](<https://twitter.com/ShaneHuntley/status/1441102086385455112>) it detected the vulnerability being \"used in conjunction with a N-day remote code execution targeting WebKit.\"\n\nTwo other flaws include [CVE-2021-30858 and CVE-2021-30860](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>), both of which were resolved by the company earlier this month following disclosure from the University of Toronto's Citizen Lab about a previously unknown exploit called \"FORCEDENTRY\" (aka Megalodon) that could infect Apple devices without so much as a click.\n\nThe zero-click remote attack weaponizing CVE-2021-30860 is said to have been carried out by a customer of the controversial Israeli company NSO Group since at least February 2021. The scale and scope of the operation remains unclear as yet.\n\nIt relied on iMessage as an entry point to send malicious code that stealthily installed the Pegasus spyware on the devices and exfiltrate sensitive data without tipping the victims off. The exploit is also significant for its ability to get around defenses built by Apple in iOS 14 \u2014 called BlastDoor \u2014 to prevent such intrusions by filtering untrusted data sent over the texting application.\n\nThe patches are available for devices running macOS Catalina and iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) running iOS 12.5.4. \n\nThe development also comes as security researchers have disclosed unpatched zero-day flaws in iOS, including a [lock screen bypass bug](<https://therecord.media/researcher-discloses-iphone-lock-screen-bypass-on-ios-15-launch-day/>) and a clutch of vulnerabilities that could be abused by an app to gain access to users' Apple ID email addresses and full names, check if a specific app is installed on the device given its bundle ID, and even retrieve Wi-Fi information without proper authorization.\n\nResearcher Denis Tokarev (aka illusionofchaos), who disclosed the latter three issues, [said](<https://habr.com/en/post/579714/>) they were reported to Apple between March 10 and May 4, claiming what was \"a frustrating experience participating in Apple Security Bounty program\" for its failure to fix the issues despite having them responsibly disclosed \"up to half a year\" ago.\n\nIndeed, a Washington Post article published two weeks ago [revealed](<https://www.washingtonpost.com/technology/2021/09/09/apple-bug-bounty/>) how the company sits on a \"massive backlog\" of vulnerability reports, leaving them unresolved for months, hands out lower monetary payouts to bug hunters, and, in some cases, outright bans researchers from its Developer Program for filing reports.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-24T03:39:00", "type": "thn", "title": "Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869"], "modified": "2021-09-27T04:38:55", "id": "THN:2741F0E9DD9F764C60701C9C81F231C5", "href": "https://thehackernews.com/2021/09/urgent-apple-ios-and-macos-updates.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n\n**ProxyOracle:**\n\n * [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)\n * [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)\n\n**ProxyShell:**\n\n * [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)\n * [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)\n * [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)\n\n**Other:**\n\n * [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)\n\nOriginally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation attempts, organizations are highly recommended to install updates released by Microsoft.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T09:46:00", "type": "thn", "title": "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T09:46:09", "id": "THN:FA40708E1565483D14F9A31FC019FCE1", "href": "https://thehackernews.com/2021/08/hackers-actively-searching-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-wb_mRqoRlJs/YH_fh-jU73I/AAAAAAAACUg/PjdPBbIeXIQL_vuc_D3kAe7us4v9piwdwCLcBGAsYHQ/s0/chrome-update.jpg>)\n\nGoogle on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild.\n\nTracked as **CVE-2021-21224**, the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5\n\nAccording to security researcher [Lei Cao](<https://iamelli0t.github.io/2021/04/20/Chromium-Issue-1196683-1195777.html#rca-of-issue-1195777>), the bug [[1195777](<https://bugs.chromium.org/p/chromium/issues/detail?id=1195777>)] is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive.\n\n\"Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,\" Chrome's Technical Program Manager Srinivas Sista [said](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html>) in a blog post.\n\n[](<https://thehackernews.com/images/-MqsPXUEBIAs/YH_gSVGkWZI/AAAAAAAACUw/ZOCKPD3LhzYIiPehN7StsViTVlFaKHhyACLcBGAsYHQ/s0/chrome-code.jpg>)\n\nThe update comes after proof-of-concept (PoC) [code](<https://noahblog.360.cn/chromium_v8_remote_code_execution_vulnerability_analysis/>) exploiting the flaw published by a researcher named \"[frust](<https://twitter.com/frust93717815/status/1382301769577861123>)\" emerged on April 14 by taking advantage of the fact that the issue was addressed in the [V8 source code](<https://chromium-review.googlesource.com/c/v8/v8/+/2826114/3/src/compiler/representation-change.cc>), but the patch was not integrated into the Chromium codebase and all the browsers that rely on it, such as Chrome, Microsoft Edge, Brave, Vivaldi, and Opera.\n\nThe one-week patch gap meant the browsers were vulnerable to attacks until the patches posted in the open-source code repository were released as a stable update.\n\nIt's worth noting that Google [halved](<https://groups.google.com/a/chromium.org/g/security-dev/c/fbiuFbW07vI>) the median \"patch gap\" from 33 days in Chrome 76 to 15 days in Chrome 78, which was released in October 2019, thereby pushing severe security fixes every two weeks.\n\nThe latest set of fixes also arrive close on the heels of an update the search giant rolled out [last week](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) with [patches for two security vulnerabilities](<https://thehackernews.com/2021/04/2-new-chrome-0-days-under-attack-update.html>) CVE-2021-21206 and CVE-2021-21220, the latter of which was demonstrated at the Pwn2Own [2021 hacking](<https://thehackernews.com/hacker/>) contest earlier this month.\n\nChrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-21T08:20:00", "type": "thn", "title": "Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224"], "modified": "2021-04-21T08:30:40", "id": "THN:FF8DAEC0AE0DDAE827D57407C51BE992", "href": "https://thehackernews.com/2021/04/update-your-chrome-browser-immediately.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:03", "description": "[](<https://thehackernews.com/images/-9-w9YkXtT5w/YECrmqxcKZI/AAAAAAAAB8c/y1lgP3oxO-sd2Br7Oak7lJXAAcf7EG2XwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nEnterprise cloud security firm **Qualys** has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.\n\nAs proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.\n\nConfirming the incident, Qualys Chief Information Security Officer Ben Carr [said](<https://blog.qualys.com/vulnerabilities-research/2021/03/03/qualys-update-on-accellion-fta-security-incident>) a detailed probe \"identified unauthorized access to files hosted on the Accellion FTA server\" located in a DMZ (aka [demilitarized zone](<https://en.wikipedia.org/wiki/DMZ_%28computing%29>)) environment that's segregated from the rest of the internal network.\n\n\"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,\" Carr added. \"The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.\"\n\nLast month, FireEye's Mandiant threat intelligence team [disclosed](<https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html>) details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.\n\n[](<https://thehackernews.com/images/-N0_0EMgMeSk/YECsZm15i_I/AAAAAAAAB8o/LpcUVTcjzyw22UE7TTrWXNzJGVpnzURugCLcBGAsYHQ/s0/data.jpg>)\n\nWhile two of the flaws (CVE-2021-27101 and CVE-2021-27104) were [addressed](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified earlier this year and fixed on January 25.\n\nQualys said it received an \"integrity alert\" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.\n\n\"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,\" Mandiant [said](<https://www.accellion.com/company/security-updates/mandiant-issues-final-report-regarding-accellion-fta-attack/>) in a security assessment of the FTA software published earlier this week.\n\nAdditionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 \u2014\n\n * **CVE-2021-27730**: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and\n * **CVE-2021-27731**: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users\n\nThe FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T09:49:00", "type": "thn", "title": "Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27730", "CVE-2021-27731"], "modified": "2021-03-08T07:30:27", "id": "THN:582576397E2C98200C7C952401392B5B", "href": "https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-tnjJ0FH8P0I/YEwt7ddHBcI/AAAAAAAACB8/2lR87aM5jBAUOKikDOdI3SWSC9ZG92FcgCLcBGAsYHQ/s0/chrome-browser-update.jpg>)\n\nGoogle has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.\n\nThe browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.\n\nWhile the update contains a total of five security fixes, the most important flaw rectified by Google concerns a [use after free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.\n\nDetails about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.\n\nAccording to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. \"By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system,\" the report stated.\n\nAs is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users are updated with the fixes and prevent other threat actors from creating exploits targeting this zero-day.\n\n[](<https://thehackernews.com/images/-4e8UqaJKLag/YEwrYTe6kaI/AAAAAAAACB0/A61b0Tzs5nIymspbYAAIoURKA3zV5lE2QCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\n\"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) in a blog post.\n\nWith this update, Google has fixed three zero-day flaws in Chrome since the start of the year.\n\nEarlier this month, the company issued a fix for an \"object lifecycle issue in audio\" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.\n\nChrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-13T03:16:00", "type": "thn", "title": "Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "modified": "2021-03-16T04:51:58", "id": "THN:15BF409706D7240A5276C705732D745F", "href": "https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:02", "description": "[](<https://thehackernews.com/images/--bQd_wXz_co/YKXvNNPXGpI/AAAAAAAAClU/c5Se7viT_Ewh2TJZaiUOQmpA_FBdof58QCLcBGAsYHQ/s0/ANDROID.jpg>)\n\nGoogle on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days.\n\n\"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,\" the search giant [said](<https://source.android.com/security/bulletin/2021-05-01>) in an updated alert.\n\nThe four flaws impact [Qualcomm Graphics](<https://www.qualcomm.com/company/product-security/bulletins/may-2021-bulletin>) and [Arm Mali GPU Driver](<https://developer.arm.com/support/arm-security-updates/mali-gpu-kernel-driver>) modules \u2014\n\n * **CVE-2021-1905** (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously.\n * **CVE-2021-1906** (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure.\n * **CVE-2021-28663** (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading to a use-after-free scenario that could be exploited to gain root privilege or disclose information. \n * **CVE-2021-28664** (CVSS score: NA) - An unprivileged user can achieve read/write access to read-only memory, enabling privilege escalation or a denial-of-service (DoS) condition due to memory corruption.\n\nSuccessful exploitation of the weaknesses could grant an adversary carte blanche access to the targeted device and take over control. It's, however, not clear how the attacks themselves were carried out, the victims that may have been targeted, or the threat actors that may be abusing them.\n\nThe development marks one of the rare instances where zero-day bugs in Android have been spotted in real-world cyber offensives.\n\nEarlier this March, Google revealed that a vulnerability affecting Android devices that use Qualcomm chipsets ([CVE-2020-11261](<https://thehackernews.com/2021/03/warning-new-android-zero-day.html>)) was being weaponized by adversaries to launch targeted attacks. The other flaw is [CVE-2019-2215](<https://nvd.nist.gov/vuln/detail/CVE-2019-2215>), a vulnerability in [Binder](<https://developer.android.com/reference/android/os/Binder>) \u2014 Android's inter-process communication mechanism \u2014 that's said to have been allegedly exploited by the NSO Group as well as [SideWinder threat actor](<https://www.trendmicro.com/en_us/research/20/a/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group.html>) to compromise a victim's device and collect user information.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-20T05:13:00", "type": "thn", "title": "Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2215", "CVE-2020-11261", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-28663", "CVE-2021-28664"], "modified": "2021-05-20T05:35:42", "id": "THN:9CE461E69A8B499207911497E3A349FD", "href": "https://thehackernews.com/2021/05/android-issues-patches-for-4-new-zero.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf>) \n--- \nImage Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) \n \nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed as deployed to vulnerable Microsoft Exchange servers, with over over 100 incidents reported related to the exploit between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchanger servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:24", "description": "[](<https://thehackernews.com/images/-5Zi_45-pXus/YF7LgsUU1pI/AAAAAAAACHQ/ltYZDuSTuqwbzRstY55f-hwWOXjS_zI2gCLcBGAsYHQ/s0/mac-malware-proxy-setting.png>)\n\nMerely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has issued yet another security update for iPhone, iPad, and Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild.\n\nTracked as **CVE-2021-1879**, the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks.\n\n\"This issue was addressed by improved management of object lifetimes,\" the iPhone maker noted.\n\nApple has credited Clement Lecigne and Billy Leonard of Google's Threat Analysis Group for discovering and reporting the issue. While details of the flaw have not been disclosed, the company said it's aware of reports that CVE-2021-1879 may have been actively exploited.\n\nUpdates are available for the following devices:\n\n * [iOS 12.5.2](<https://support.apple.com/en-us/HT212257>) \\- Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)\n * [iOS 14.4.2](<https://support.apple.com/en-us/HT212256>) \\- iPhone 6s and later, and iPod touch (7th generation)\n * [iPadOS 14.4.2](<https://support.apple.com/en-us/HT212256>) \\- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later\n * [watchOS 7.3.3](<https://support.apple.com/en-us/HT212258>) \\- Apple Watch Series 3 and later\n\nThe latest release arrives close on the heels of a patch for a separate WebKit flaw ([CVE-2021-1844](<https://thehackernews.com/2021/03/apple-issues-patch-for-remote-hacking.html>)) that Apple shipped earlier this month. In January 2021, the company resolved [three zero-day vulnerabilities](<https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html>) (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) that allowed an attacker to elevate privileges and achieve remote code execution.\n\nInterestingly, Apple also appears to be [experimenting](<https://thehackernews.com/2021/03/apple-may-start-delivering-security.html>) with ways to deliver security updates on iOS in a manner that's independent of other OS updates. iOS 14.4.2 certainly sounds like the kind of update that could benefit from this feature.\n\nIn the meanwhile, users of Apple devices are advised to install the updates as soon as possible to mitigate the risk associated with the flaw.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-27T06:07:00", "type": "thn", "title": "Apple Issues Urgent Patch Update for Another Zero\u2011Day Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879"], "modified": "2021-03-27T08:51:29", "id": "THN:4EFE9C3A3A0DEB0019296A14C9EAC1FA", "href": "https://thehackernews.com/2021/03/apple-issues-urgent-patch-update-for.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW>)\n\nThreat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu>) \n--- \nDLL infection flow \n \nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:11", "description": "[](<https://thehackernews.com/images/-jMlIotpt0jU/YBD-s7n5YQI/AAAAAAAABmI/X0k_6KZYvcAOxTj1nJiddOWRAnW-eYg9ACLcBGAsYHQ/s0/apple-iphone-hacking.jpg>)\n\nApple on Tuesday released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild.\n\nReported by an anonymous researcher, the three [zero-day](<https://support.apple.com/en-us/HT212146>) [flaws](<https://support.apple.com/en-us/HT212149>) \u2014 CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 \u2014 could have allowed an attacker to elevate privileges and achieve remote code execution.\n\nThe iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting them.\n\nWhile the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could cause a malicious application to elevate its privileges, the other two shortcomings \u2014 dubbed a \"logic issue\" \u2014 were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari.\n\nApple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, respectively.\n\n[](<https://thehackernews.com/images/-fdpXkbfWGTA/YBD_Bui-nuI/AAAAAAAABmQ/MgynC4sTjqETJbW_z8c8Hc-4lAuJHG5rgCLcBGAsYHQ/s0/hacking.jpg>)\n\nWhile exact details of the exploit leveraging the flaws are unlikely to be made public until the patches have been widely applied, it wouldn't be a surprise if they were chained together to carry out watering hole attacks against potential targets.\n\nSuch an attack would involve delivering the malicious code simply by visiting a compromised website that then takes advantage of the aforementioned vulnerabilities to escalate its privileges and run arbitrary commands to take control of the device.\n\nThe updates are now available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation), as well as Apple TV 4K and Apple TV HD.\n\nNews of the latest zero-days comes after the company resolved three actively exploited vulnerabilities in [November 2020](<https://thehackernews.com/2020/11/update-your-ios-devices-now-3-actively.html>) and a separate zero-day bug in iOS 13.5.1 that was disclosed as used in a [cyberespionage campaign](<https://thehackernews.com/2020/12/iphones-of-36-journalists-hacked-using.html>) targeting Al Jazeera journalists last year.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-27T05:50:00", "type": "thn", "title": "Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871"], "modified": "2021-01-27T05:50:09", "id": "THN:739D9EFE8C7F1B29E2430DAC65CDEE52", "href": "https://thehackernews.com/2021/01/apple-warns-of-3-ios-zero-day-security.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiQk7skJEo49QfN4ESusan9jBZfTXapDKpnR6CXuJbaNKUBpx7nO684Vj5RRctI8hh09KwyntDYPyeQI-HbWC03E5Uo4ABDXXj3vfb774Dv1G65e03iX30VM0pcCe5hQfxnkW-u1V4gZgZ3L2et_QXqceUwFJfPQDg8aUOWSagSt-l0OGRquNTiLEso>)\n\nA previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to their chameleellonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw5No4dV8_Po339DpYJtWa0Z-_BTv7hBE9_EkkSjRVlbP2lsM6MxD-x1p1yD_mQOhRoeiBy9vjPZXWBKrrJlJlvEbl4QdL8woMTd4XIY2ZGusd5N0uFaCwXBUiwFnJnXGfU0C-ESawdO8FR9OB4njoQ6oc>)\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-10-21T08:40:06", "description": "Apple recently released iOS and iPadOS [15.0.2](<https://support.apple.com/en-us/HT212846>) as an emergency security update that addresses 1 critical zero-day vulnerabilities, which is exploited in wild. Qualys recommends that security teams should immediately update all devices running iOS and iPadOS to the latest version. "_Apple is aware of a report that this issue may have been actively exploited_," the company said in [security advisories](<https://support.apple.com/en-us/HT212846>).\n\nThis year, Apple has released multiple emergency releases to fix the actively exploited vulnerabilities which _Apple is aware of a report that this issue may have been actively exploited_. Successful exploitation of the vulnerability allows an application to execute arbitrary code with kernel privileges, and spyware like [Pegasus](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/23/protect-your-devices-from-pegasus-spyware-using-vmdr-for-mobile-devices-proactive-approach>) can be easily deployed on affect devices, and exploiting other vulnerabilities, it will get access to a device.\n\nFollowing are the recent exploits and respective iOS and iPadOS versions in which they have been fixed by Apple since Jan 2021:\n\nCVE-2021-1870, CVE-2021-1871, CVE-2021-1782 \u2013 Fixed in [iOS and iPadOS 14.4](<https://support.apple.com/en-us/HT212146>)\n\nCVE-2021-1879 \u2013 Fixed in [iOS and iPadOS 14.4.2](<https://support.apple.com/en-us/HT212256>)\n\n[CVE-2021-30661](<https://blog.qualys.com/product-tech/2021/04/28/ios-and-ipados-14-5-security-update-vulnerabilities-discover-and-take-remote-response-action-using-vmdr-for-mobile-devices>) \u2013 Fixed in [iOS and iPadOS 14.5](<https://support.apple.com/en-us/HT212317>)\n\nCVE-2021-30665, CVE-2021-30663, CVE-2021-30666, CVE-2021-30661 \u2013 Fixed in [iOS and iPadOS 14.5.1](<https://support.apple.com/en-us/HT212336>) and [iOS 12.5.3](<https://support.apple.com/en-us/HT212341>)\n\nCVE-2021-30761, CVE-2021-30762 \u2013 Fixed in [iOS 12.5.4](<https://support.apple.com/en-us/HT212548>)\n\n[CVE-2021-30807](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/28/ios-and-ipados-14-7-and-14-7-1-security-update-discover-vulnerabilities-and-take-remote-response-action-using-vmdr-for-mobile-devices>) \u2013 Fixed in [iOS and iPadOS 14.7.1](<https://support.apple.com/en-us/HT212623>)\n\n[CVE-2021-30860, CVE-2021-30858, CVE-2021-30869](<https://blog.qualys.com/vulnerabilities-threat-research/2021/09/20/detect-prioritize-nso-pegasus-iphone-spyware-vulnerabilities-using-vmdr-for-mobile-devices>) \u2013 Fixed in [iOS and iPadOS 14.8](<https://support.apple.com/en-us/HT212807>) and [iOS 12.5.5](<https://support.apple.com/en-us/HT212824>)\n\n### Integer Overflow Vulnerability\n\nApple released a patch to fix integer overflow critical vulnerability (CVE-2021-30883). This vulnerability has a CVSSv3.1 base score of 8.8 and should be prioritized for patching as successful exploitation of the vulnerability allows a malicious application to execute arbitrary code with kernel privileges. It affects the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\n### Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices\n\n#### Discover Assets Missing the Latest iOS Security Update\n\nThe first step in managing these critical vulnerabilities and reducing risk is to identify the assets. [Qualys VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>) makes it easy to identify the iOS and iPadOS assets not updated to the latest version iOS and iPadOS 15.0.2. To get the comprehensive visibility of the mobile devices, you need to install [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) for Android or iOS/iPadOS on all mobile devices. The device onboarding process is easy, and the inventory of mobile devices is free.\n\nQuery: vulnerabilities.vulnerability.title:"iOS 15.0.2\u2033\n\n\n\nOnce you get the list of assets missing the latest security patch, navigate to the Vulnerability tab. Enter the vulnerabilities.vulnerability.title:"iOS 15.0.2\u2033 and apply the Group By \u201cVulnerabilities\u201d to get the list of the CVEs that Apple fixes in iOS and iPadOS 15.0.2 release. Qualys VMDR helps you understand what kind of risk you are taking by allowing the unpatched device to hold corporate data and connect to your corporate network.\n\n\n\nAlso, you can apply the Group By \u201cCVE Ids\u201d to get only the list of CVEs fixed by Apple in iOS and iPadOS 15.0.2 release.\n\n\n\nQID 610371 is available in signature version SEM VULNSIGS-1.0.0.48, and there is no dependency on any specific Qualys Cloud Agent version.\n\nWith the VMDR for Mobile Devices dashboard, you can track the status of the assets on which the latest security patch and update is missing. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for Android and iOS devices.\n\n\n\n### Remote Response Action\n\nYou can perform the \u201cSend Message\u201d action to inform the end-user to update the devices to the latest OS version. Also, you may provide step-by-step details to update the security patch.\n\nWe recommend updating to the latest iOS and iPadOS version for the assets where vulnerabilities are detected as \u201cConfirmed\u201d.\n\n\n\n### Get Started Now\n\n[Qualys VMDR for Mobile Devices](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>) is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. You can try our solution by [registering for the free 30-day service](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T07:41:18", "type": "qualysblog", "title": "Apple fixes zero-day in iOS and iPadOS 15.0.2 emergency release: Detect and Prioritize Vulnerabilities using VMDR for Mobile Devices", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883"], "modified": "2021-10-18T07:41:18", "id": "QUALYSBLOG:5101CC734C1A900451E5994AFF57209A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the Chinese government\u2014officially known as the People\u2019s Republic of China (PRC) states-sponsored cyber actors' activity to seek national interests. These malicious cyber activities attributed to the Chinese government targeted, and persist to target, a mixture of industries and organizations in the United States. They provide the top CVEs used since 2020 by the People's Republic of China (PRC) states-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). The PRC malicious actor continues to exploit known vulnerabilities to target U.S. and vigorously allied networks and software and hardware companies to rob intellectual property and develop access to sensitive networks. \n\nThey stated that PRC state-sponsored cyber activities as one of the most significant and dynamic threats to U.S. government and civilian networks. The PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to Information Technology Sector, telecommunications organizations, Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor**| **CVE**| **Vulnerability Type**| Qualys **QID**(s) \n---|---|---|--- \n| | | \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs indicated in Table 1 let the actors stealthily acquire unauthorized access into sensitive networks, after which they pursue to develop persistence and reposition laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers mostly by exploiting publicly known vulnerabilities. Networks affected have varied from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. The devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as means to conduct network intrusions on other entities. Furthermore, cyber defenders often overlook these devices, who work to maintain and keep pace with frequent software patching of Internet-facing services and endpoint devices. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), Vulnerabilities tab by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing, [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using the [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability. \n\n\n\nUsing the Qualys Unified Dashboard, you can track, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored threat cyber actors. \n\nHere is a summary of mitigations guidance provided by the NSA: \n\n * Update, prioritize and patch vulnerable systems as soon as possible, as listed in this article and the list provided by [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Utilize phishing-resistant multi-factor authentication and require all accounts with a unique and strong password. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest methods that organizations of all sizes could stay on top of these vulnerabilities and end-of-life (EOL) network/device infrastructure as noted by NSA general mitigations guidelines is to catalog the infected assets and apply patches as soon as possible. This could be an effortless process if the corps utilize the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting, and patching the high-priority commonly exploited vulnerabilities. \n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2023-08-07T02:19:24", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read & write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))\n * 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)) \n * 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))\n * 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))\n * 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))\n\nThe number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.\n\nSimilar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn\u2019t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback. \n\n## iOS/macOS\n\nAs discussed in the \u201cMore disclosure\u201d section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we\u2019re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png>)\n\nFor the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:\n\n * IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))\n * XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) & [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))\n * CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))\n * CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) \\- CVE requested, not yet assigned)\n\nThese 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen\u2019s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It\u2019s a popular attack surface because historically it\u2019s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).\n\nOne iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU\u2019s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we\u2019ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>). \n\nMach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) & [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). This year\u2019s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020\u2019s [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). Tielei Wang and Xinru Chi actually [presented on this vulnerability at zer0con 2021](<https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf>) in April 2021. In their presentation, they explained that they found it while doing variant analysis on [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). [TieLei Wang explained via Twitter](<https://twitter.com/WangTielei/status/1486266258152726530>) that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.\n\nThe two FORCEDENTRY exploits ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) and the [sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>)) were the only times that made us all go \u201cwow!\u201d this year. For [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the integer overflow in CoreGraphics, it was because: \n\n 1. For years we\u2019ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and\n 2. The exploit was an impressive work of art. \n\nThe sandbox escape (CVE requested, not yet assigned) was impressive because it\u2019s one of the few times we\u2019ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs. \n\nFor [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the vulnerability itself wasn\u2019t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Gro\u00df & Ian Beer as \u201cone of the most technically sophisticated exploits [they]\u2019ve ever seen\u201d. [Their blogpost shares all the details](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:\n\nUsing over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nThis is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.\n\n## Android\n\nThere were 7 Android in-the-wild 0-days detected and disclosed this year. Prior to 2021 there had only been 1 and it was in 2019: [CVE-2019-2215](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-2215.html>). Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we\u2019ll compare it to public security research.\n\nFor the 7 Android 0-days they targeted the following components:\n\n * Qualcomm Adreno GPU driver ([CVE-2020-11261](<https://source.android.com/security/bulletin/2021-01-01>), [CVE-2021-1905](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html>), [CVE-2021-1906](<https://source.android.com/security/bulletin/2021-05-01>))\n * ARM Mali GPU driver ([CVE-2021-28663](<https://source.android.com/security/bulletin/2021-05-01>), [CVE-2021-28664](<https://source.android.com/security/bulletin/2021-05-01>))\n * Upstream Linux kernel ([CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>), [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>))\n\n5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against \u201cAndroid devices\u201d, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU. \n\nPublic security research mirrored this choice in the last couple of years as well. When developing full exploit chains (for defensive purposes) to target Android devices, [Guang Gong](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>), [Man Yue Mo](<https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/>), and [Ben Hawkes](<https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html>) all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver. \n\nThe two non-GPU driver 0-days ([CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) and [CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>)) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it\u2019s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.\n\nThe vulnerability now referred to as [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) was actually found in September 2016 and [discussed on the Linux kernel mailing lists](<https://lore.kernel.org/lkml/CAOssrKcfncAYsQWkfLGFgoOxAQJVT2hYVWdBA6Cw7hhO8RJ_wQ@mail.gmail.com/>). A [patch was even developed back in 2016](<https://lore.kernel.org/lkml/1475150954-10152-1-git-send-email-mszeredi@redhat.com/>), but it didn\u2019t end up being submitted. The bug was finally [fixed in the Linux kernel in July 2021](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca>) after the detection of the in-the-wild exploit targeting Android. The patch then made it into the [Android security bulletin in November 2021](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>).\n\n[CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>) remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.\n\n## Microsoft Exchange Server\n\nIn 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four ([CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)) were all disclosed and patched at the same time and used together in a [single operation](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The fifth ([CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>)) was patched on its own in November 2021. [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), the attackers would have required at least another 0-day for successful exploitation since [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) is a post-authentication bug.\n\nOf the four Exchange in-the-wild 0-days used in the first campaign, [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), which is also known as \u201cProxyLogon\u201d, is the only one that\u2019s pre-auth. [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>) is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) allowed attackers to write arbitrary files to the system. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.\n\nFor the second campaign, [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), like [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), is a post-authentication RCE vulnerability due to insecure deserialization. It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.\n\nWhile there were a significant amount of 0-days in Exchange detected and disclosed in 2021, it\u2019s important to remember that they were all used as 0-day in only two different campaigns. This is an example of why we don\u2019t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.\n\nWhile this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was [n-day exploitation of Exchange Servers](<https://www.cisa.gov/uscert/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>). Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we\u2019ll likely see it continue into 2022.\n\n# Outstanding Questions\n\nWhile there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we\u2019re missing and why, and the need for more transparency from both vendors and researchers.\n\nUntil the day that attackers decide to happily share all their exploits with us, we can\u2019t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we\u2019re very likely missing. From that, these are some of the key questions we\u2019re asking ourselves as we move into 2022:\n\n## Where are the [x] 0-days?\n\nDespite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet there\u2019s only 1 messaging app, in this case iMessage, 0-day found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.\n\nAlong with messaging apps, there are other platforms/targets we\u2019d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there\u2019s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.\n\nThis leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?\n\n## Do some vendors have no known in-the-wild 0-days because they\u2019ve never been found or because they don\u2019t publicly disclose?\n\nUnless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don\u2019t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.\n\n## Are we seeing the same bug patterns because that\u2019s what we know how to detect?\n\nAs we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that\u2019s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that\u2019s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we\u2019d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers. \n\n## Where are the spl0itz?\n\nTo successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful). \n\nUnfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.\n\nAs an aside, if you have an exploit sample that you\u2019re willing to share with us, please reach out. Whether it\u2019s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we\u2019d be happy to work with you.\n\n# Conclusion\n\nLooking back on 2021, what comes to mind is \u201cbaby steps\u201d. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we\u2019re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we\u2019ve seen previously and in components that have previously been discussed as attack surfaces.The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.\n\nWhile this all may seem daunting, the promising part is that we\u2019ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. So while there is still plenty more work to do, it\u2019s a tractable problem. There are concrete steps that the tech and security industries can take to make it even more progress: \n\n\n 1. Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited,\n 2. Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.\n\nThrough 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted [over](<https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/>) and [over](<https://www.amnesty.org/en/documents/doc10/4491/2021/en/>) how governments were using commercial surveillance products against [journalists](<https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/>), [human rights defenders](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>), and [government officials](<https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/>). We saw many enterprises scrambling to remediate and protect themselves from the [Exchange Server 0-days](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). And we even learned of peer [security researchers being targeted by ](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>)[North Korean government hackers](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>). While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.\n\n2021 showed us we\u2019re on the right track and making progress, but there\u2019s plenty more to be done to make 0-day hard.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "googleprojectzero", "title": "\nThe More You Know, The More You Know You Don\u2019t Know\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4654", "CVE-2019-13720", "CVE-2019-2215", "CVE-2019-6625", "CVE-2020-0688", "CVE-2020-11261", "CVE-2020-16009", "CVE-2020-27932", "CVE-2020-27950", "CVE-2021-0920", "CVE-2021-1048", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30737", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-36948", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42321", "CVE-2022-21882", "CVE-2022-22587"], "modified": "2022-04-19T00:00:00", "id": "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156", "href": "https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-02-15T21:47:28", "description": "Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that\u2019s actively being jumped on by attackers in the wild.\n\nIn a brief update, Google [described](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>) the weakness, tracked as [CVE-2022-0609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609>), as a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in Chrome\u2019s Animation component. This kind of flaw can lead to all sorts of misery, ranging from the corruption of valid data to the execution of arbitrary code on vulnerable systems. Such flaws can also be used to escape the browser\u2019s security sandbox.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2022-0609 exists in the wild,\u201d according to its security update.\n\nChrome users can fix it straight away, though, by going into the Chrome menu > Help > About Google Chrome.\n\nGiven that the zero day is under active attack, updating Chrome should be done ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15125804/Chrome-zero-day-e1644947947750.png>)\n\nChrome security updates. Source: Google.\n\nCredit for the Animation zero day goes to Adam Weidemann and Cl\u00e9ment Lecigne, both from Google\u2019s Threat Analysis Group (TAG).\n\nMonday\u2019s update also plastered over four other high-severity use-after-free flaws found in Chrome\u2019s Webstore API, File Manager, [ANGLE](<https://en.wikipedia.org/wiki/ANGLE_\\(software\\)>) and GPU. As well, the company addressed a high-severity integer overflow in [Mojo](<https://chromium.googlesource.com/chromium/src/+/main/docs/mojo_and_services.md>), plus a high-severity h\u200beap buffer overflow in Tab Groups. Finally, Google patched a medium-severity issue with inappropriate implementation in Gamepad API.\n\n## And So It Begins\n\nThis is Chrome\u2019s first zero day of the year, and more are sure to follow. But at least we\u2019ve made it into the new-ish year 10 more days than we managed in 2021, when the first bug to hit arrived on Feb. 4.\n\nLast year delivered a total of these 16 Chrome zero days:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 Feb. 4, a vulnerability in its V8 open-source web engine.\n * [CVE-2021-21166](<https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/>) \u2013 March 2, a flaw in the Audio component of Google Chrome.\n * [CVE-2021-21193](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) \u2013 March 12, a use-after-free flaw in Blink, [the browser engine for Chrome](<https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/>) that was developed as part of the Chromium project.\n * [CVE-2021-21220](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) \u2013 April 13, a remote-code execution issue.\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 April 20, an issue with type confusion in V8 in Google Chrome that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013- June 9, a type confusion bug within Google\u2019s V8 open-source JavaScript and WebAssembly engine.\n * [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2013 June 17, a use-after-free bug.\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 July 15, type confusion in V8.\n * [CVE-2021-30632 and CVE-2021-30633](<https://threatpost.com/google-chrome-zero-day-exploited/169442/>) \u2013 Sept. 13, an out-of-bounds write in V8 and a use-after-free bug in the IndexedDB API, respectively.\n * [CVE-2021-37973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37973>) \u2013 Sept. 24, a use-after-free flaw in Portals.\n * [CVE-2021-37976 and CVE-2021-37975](<https://threatpost.com/google-emergency-update-chrome-zero-days/175266/>) \u2013 Sept. 30, an information leak in core and a use-after-free bug in V8, respectively.\n * [CVE-2021-38000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38000>) and [CVE-2021-38003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38003>) \u2013 Oct. 28, an issue with Insufficient validation of untrusted input in Intents in Google Chrome on Android, and an inappropriate implementation in V8 respectively.\n * [CVE-2021-4102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4102>) \u2013 Dec. 13, a use after free in V8.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T18:33:28", "type": "threatpost", "title": "Chrome Zero-Day Under Active Attack: Patch ASAP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-02-15T18:33:28", "id": "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "href": "https://threatpost.com/google-chrome-zero-day-under-attack/178428/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-05T13:57:45", "description": "Apple has issued out-of-band patches for critical security issues affecting iPad, iPhone and iPod, which could allow remote code execution (RCE) and other attacks, completely compromising users\u2019 systems. And, the computing giant thinks all of them may have already been exploited in the wild. \n\nThree of these are zero-day flaws, while one is an expanded patch for a fourth vulnerability. \n\nApple keeps details of security problems close to the vest, \u201cfor our customers\u2019 protection,\u201d saving the blood and guts until after it investigates and manages to pump out patches or new releases. \n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nWhat data it does disclose can be found on its [support page](<https://support.apple.com/en-us/HT201222>). Here\u2019s a summary of the three zero-days: \n\n## **Zero-Day Bugs in WebKit**\n\n * **CVE-2021-30665:** A critical memory-corruption issue in the Safari WebKit engine where \u201cprocessing maliciously crafted web content may lead to arbitrary code execution\u201d was addressed with improved state management. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The bug was reported to Apple by three security researchers, nicknamed yangkang, zerokeeper and bianliang. \n\n * **CVE-2021-30663:** This second flaw is also found in the open-source WebKit browser engine. It\u2019s an integer overflow, reported by an anonymous researcher, that can also lead to RCE. It was addressed with improved input validation. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). \n\n * **CVE-2021-30666:** A buffer-overflow issue was addressed with improved memory handling. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)\n\nAnd here are details on the expanded patch for the fourth bug: \n\n## **WebKit Storage**\n\n * **CVE-2021-30661: **A use after free issue was addressed with improved memory management. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). This flaw was discovered and reported to the iPhone maker by the security researcher named yangkang, @dnpushme, of Qihoo 360 ATA.\n\nApple\u2019s support page shows that this fourth one was actually patched on Monday last week (April 26) in iOS 14.5 and macOS 11.3, but not in iOS 12. \n\nNaked Security\u2019s Paul Ducklin finds this one [particularly interesting](<https://nakedsecurity.sophos.com/2021/05/04/apple-products-hit-by-fourfecta-of-zero-day-exploits-patch-now/>), and he noted that questions remain. Why wasn\u2019t iOS 12 updated at the same time as iOS 14.5 and macOS 11.3? Did the security hole crop up in the code base after iOS 12 was released, perhaps? \n\nNo, that\u2019s not it: the CVE-2021-30661 and CVE-2021-30666 bugs fixed on Monday only apply to iOS 12. So it remains unclear if the bug exists in recent operating system versions, or not, Ducklin said.\n\n\u201cIs this an old bug from iOS 12 that was carried forward into the current Apple codebase but has still not yet been patched there?\u201d Ducklin pondered. \u201cOr is it a bug that is unique to the older iOS 12 code that doesn\u2019t appear in the more recent operating system releases and can therefore now be considered to have been eliminated everywhere?\u201d\n\nThreatpost has reached out to Apple for comment.\n\n## **Patch Fast!**\n\nPer usual, Apple\u2019s lip is zipped. But one thing\u2019s for sure: Patching as soon as possible is top priority. As it is, the chance for websites passing along \u201cmaliciously crafted web content\u201d is alarming. If you translate Apple\u2019s statement that \u201cprocessing maliciously crafted web content may lead to arbitrary code execution, \u201cyou get a \u201c[drive-by](<https://threatpost.com/google-sites-solarmarket-rat/165396/>), web-based zero-day RCE exploit, according to Ducklin.\n\nIn other words, all you have to do to trigger infection is to visit and view a booby-trapped website. \n\nJohn Kinsella, chief architect at cloud security company Accurics, says this is one of the nastier types of security bugs: one in which the user isn\u2019t required to perform a certain action for an attacker\u2019s success. \u201cPart of the issue here is that it\u2019s not just the browser that a user needs to be careful with,\u201d he told Threatpost in an email on Tuesday. \u201cMany iOS apps are just wrappers around a web application, which would be rendered by WebKit. For example, HTML mail in Apple\u2019s Mail app will be rendered by WebKit, and this app is a hard one to avoid. Even if a user takes advantage of new iOS functionality to replace the default iOS Mail and Safari apps with other mail/browser apps, the underlying HTML rendering engine would still be WebKit-based on Apple\u2019s App Store rules.\u201d\n\nKinsella says that if he\u2019s at all suspicious of something, he won\u2019t open it on a mobile device, but rather on a desktop or laptop, where he has much more control. \u201cThat being said, I know I\u2019m not the average user,\u201d he said. \u201cThe best advice I have is to patch ASAP, and generally be very careful.\u201d\n\nGiven that Apple has acknowledged that these vulnerabilities have already been exploited in the wild, and given the fact that HTML content is so prevalent on mobile devices, Kinsella considers a drive-by RCE like this to be a highly serious issue, though \u201cThe overall security of iOS means this isn\u2019t a complete takeover of the mobile device.\u201d\n\nStill, every extra foothold an attacker can get \u201chelps them further compromise a device,\u201d he said. \u201cThe fact that malicious HTML can compromise something on my wrist doesn\u2019t thrill me. Luckily Apple\u2019s been quite consistent with the reliability of their patches in recent years, so while I may sometimes wait for others to \u2018beta test\u2019 a release, a security patch like this was applied to my devices ASAP.\u201d\n\n## **What is WebKit? The Little Engine That Could**\n\nApple developed the WebKit browser engine to run in its Safari web browser, but it\u2019s also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. This, of course, isn\u2019t the first time that the engine has hit some bumps. \n\nIn January, Apple released an emergency update that patched three iOS[ bugs](<https://threatpost.com/apple-patches-zero-days-ios-emergency-update/163374/>). Two of them (CVE-2021-1870 and CVE-2021-1871 ) were discovered in WebKit (and the third, tracked as CVE-2021-1782, was found in the OS kernel).\n\nMore recently, in March, Apple patched other [severe WebKit RCEs](<https://threatpost.com/apple-webkit-remote-code-execution/164595/>). Similar to Monday\u2019s updates, those WebKit fixes could have allowed remote attackers to completely compromise affected systems.\n\n05-04-2021 14:52 UPDATE: Added input from Accurics\u2019 John Kinsella.\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and **[**Register HERE**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)** for free. **\n", "cvss3": {}, "published": "2021-05-04T16:16:37", "type": "threatpost", "title": "Apple Fixes Zero\u2011Day Security Bugs Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-22893", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666"], "modified": "2021-05-04T16:16:37", "id": "THREATPOST:33E56DEB736406F9DD08C7533BF1812B", "href": "https://threatpost.com/apple-zero%e2%80%91days-active-attack/165842/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-04T17:56:13", "description": "Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.\n\nPulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure\u2019s parent company, Ivanti.\n\nIt\u2019s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and \u201callows a remote unauthenticated attacker to execute arbitrary code via license server web services.\u201d It can be exploited without any user interaction.\n\nThe activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.\n\nIn addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.\n\n\u201cNation-state hackers will forever pose a threat to businesses around the world,\u201d Andrey Yesyev, director of cybersecurity at Accedian, said via email. \u201cThese types of attacks are almost impossible to detect and are increasingly dangerous for any organization\u2019s sensitive data. Once hackers gain initial access to a victim\u2019s network, they\u2019ll move laterally in order to find valuable data. Furthermore, if they\u2019re able to infiltrate an organization\u2019s perimeter, bad actors could establish a connection to a command-and-control server (C2) \u2013 allowing them to control compromised systems and steal data from target networks.\u201d\n\n## **Additional Critical Pulse Connect VPN RCE Bugs**\n\nPulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.\n\nThe other patches are:\n\n * **CVE-2021-22894 (CVSS rating of 9.9)**: A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.\n * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.\n * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.\n\n## **Pulse Secure: A Cyberattacker\u2019s Favorite**\n\nPulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading \u2013 perfect for espionage efforts.\n\nHere\u2019s a rundown of recent activity:\n\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\nTo stay safe, Accedian\u2019s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.\n\n\u201cAnd in order to detect C2 communications, it\u2019s important to have visibility into network communication patterns,\u201d he added. \u201cThis is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels\u2026allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-04T17:42:30", "type": "threatpost", "title": "Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2021-05-04T17:42:30", "id": "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "href": "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE 2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE 2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE 2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE 2019-11510 | arbitrary file reading \nFortinet | CVE 2018-13379 | path traversal \nF5- Big IP | CVE 2020-5902 | remote code execution (RCE) \nMobileIron | CVE 2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE 2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. \u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T22:18:00", "description": "Microsoft jumped on 50 vulnerabilities in this month\u2019s [Patch Tuesday update](<https://msrc.microsoft.com/update-guide>), issuing fixes for CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code \u2013 Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.\n\nFive of the CVEs are rated Critical and 45 are rated Important in severity. Microsoft reported that six of the bugs are currently under active attack, while three are publicly known at the time of release.\n\nThe number might seem light \u2013 it represents six fewer patches than Microsoft [released in May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) \u2013 but the number of critical vulnerabilities ticked up to five month-over-month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThose actively exploited vulnerabilities can enable an attacker to hijack a system. They have no workarounds, so some security experts are recommending that they be patched as the highest priority.\n\nThe six CVEs under active attack in the wild include four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution (RCE) vulnerability.\n\n## Critical Bugs of Note\n\n[CVE-2021-31985](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31985>) is a critical RCE vulnerability in Microsoft\u2019s Defender antimalware software that should grab attention. A similar, critical bug in Defender was [patched in January](<https://threatpost.com/critical-microsoft-defender-bug-exploited/162992/>). The most serious of the year\u2019s first Patch Tuesday, that earlier Defender bug was an RCE vulnerability that came under active exploit.\n\nAnother critical flaw is [CVE-2021-31963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31963>), a Microsoft SharePoint Server RCE vulnerability. Jay Goodman, director of product marketing at Automox, said in a [blog post](<https://blog.automox.com/automox-experts-weigh-in-june-patch-tuesday-2021>) that an attacker exploiting this vulnerability \u201ccould take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights.\u201d \nWhile Microsoft reports that this vulnerability is less likely to be exploited,Goodman suggested that organizations don\u2019t let it slide: \u201cPatching critical vulnerabilities in the 72-hour window before attackers can weaponize is an important first step to maintaining a safe and secure infrastructure,\u201d he observed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/08141612/Sophos-impact-chart-June-21-patch-Tuesday-e1623176186946.png>)\n\nA year-to-date summary of 2021 Microsoft vulnerability releases as of June. Source: Sophos\n\n## Bugs Exploited in the Wild\n\nMicrosoft fixed a total of seven zero-day vulnerabilities. One was [CVE-2021-31968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31968>), Windows Remote Desktop Services Denial of Service Vulnerability that was publicly disclosed but hasn\u2019t been seen in attacks. It was issued a CVSS score of 7.5.\n\nThese are the six flaws that MIcrosoft said are under active attack, all of them also zero days.\n\n * [CVE-2021-31955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955>) \u2013 Windows Kernel Information Disclosure Vulnerability. Rating: Important. CVSS 5.5\n * [CVE-2021-31956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956>) \u2013 Windows NTFS Elevation of Privilege Vulnerability. Rating: Important. CVSS 7.8\n * [CVE-2021-33739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33739>) \u2013 Microsoft DWM Core Library Elevation of Privilege Vulnerability. Rating: Important. CVSS 8.4\n * [CVE-2021-33742](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742>) \u2013 Windows MSHTML Platform Remote Code Execution Vulnerability. Rating: **Critical**. CVSS 7.5\n * [CVE-2021-31199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31199>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n * [CVE-2021-31201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31201>) \u2013 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. Rating: Important. CVSS 5.2\n\n## CVE-2021-33742\n\nThis RCE vulnerability exploits MSHTML, a component used by the Internet Explorer engine to read and display content from websites.The bug could allow an attacker to execute code on a target system if a user views specially crafted web content. The [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/6/8/the-june-2021-security-update-review>)\u2018s (ZDI\u2019s) Dustin Childs noted in his Patch Tuesday analysis that since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are affected, not just Internet Explorer. \u201cIt\u2019s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list,\u201d he recommended.\n\nThe vulnerability doesn\u2019t require special privilege to exploit, though the attack complexity is high, if that\u2019s any consolation. An attacker would need to do some extra legwork to pull it off, noted Satnam Narang, staff research engineer at Tenable, in an email to Threatpost on Tuesday.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber threat research, noted that visiting a website in a vulnerable browser is \u201ca simple way for attackers to deliver this exploit.\u201d He told Threatpost via email on Tuesday that since the library is used by other services and applications, \u201cemailing HTML files as part of a phishing campaign is also a viable method of delivery.\u201d\n\n[Sophos decreed](<https://news.sophos.com/en-us/2021/06/08/six-in-the-wild-exploits-patched-in-microsofts-june-security-fix-release/>) this one to be the top concern of this month\u2019s crop, given that it\u2019s already being actively exploited by malicious actors.\n\n## CVE-2021-31955, CVE-2021-31956: Used in PuzzleMaker Targeted Malware\n\nCVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. The ZDI\u2019s Childs noted that CVE-2021-31956 was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. They could be linked, he suggested: \u201cIt\u2019s possible these bugs were used in conjunction, as that is a common technique \u2013 use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.\u201d\n\nHe was spot-on. On Tuesday, Kaspersky announced that its researchers had discovered a highly targeted malware campaign launched in April against multiple companies, in which a previously unknown threat actor used a chain of Chrome and Windows zero-day exploits: Namely, these two.\n\nIn a press release, Kaspersky said that one of the exploits was used for RCE in the Google Chrome web browser, while the other was an elevation of privilege exploit fine-tuned to target \u201cthe latest and most prominent builds\u201d of Windows 10.\n\n\u201cRecent months have seen a wave of advanced threat activity exploiting zero-days in the wild,\u201d according to the release. \u201cIn mid-April, Kaspersky experts discovered yet a new series of highly targeted exploit attacks against multiple companies that allowed the attackers to stealthily compromise the targeted networks.\u201d\n\nKaspersky hasn\u2019t yet found a connection between these attacks and any known threat actors, so it\u2019s gone ahead and dubbed the actor PuzzleMaker. It said that all the attacks were conducted through Chrome and used an exploit that allowed for RCE. Kaspersky researchers weren\u2019t able to retrieve the code for the exploit, but the timeline and availability suggests the attackers were using the now-patched [CVE-2021-21224](<https://www.cvedetails.com/cve/CVE-2021-21224>) vulnerability in Chrome and Chromium browsers that allows attackers to exploit the Chrome renderer process (the processes that are responsible for what happens inside users\u2019 tabs).\n\nKaspersky experts did find and analyze the second exploit, however: An elevation of privilege exploit that exploits two distinct vulnerabilities in the Microsoft Windows OS kernel: CVE-2021-31955 and CVE-2021-31956. The CVE-2021-31955 bug \u201cis affiliated with SuperFetch, a feature first introduced in Windows Vista that aims to reduce software loading times by pre-loading commonly used applications into memory,\u201d they explained.\n\nThe second flaw, CVE-2021-31956, is an Elevation of Privilege vulnerability and heap-based buffer overflow. Kaspersky said that attackers used this vulnerability alongside Windows Notification Facility (WNF) \u201cto create arbitrary memory read/write primitives and execute malware modules with system privileges.\u201d\n\n\u201cOnce the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,\u201d they continued. \u201cThis dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.\u201d\n\nBoris Larin, senior security researcher with Kaspersky\u2019s Global Research and Analysis Team (GReAT), said that the team hasn\u2019t been able to link these highly targeted attacks to any known threat actor: Hence the name PuzzleMaker and the determination to closely monitor the security landscape \u201cfor future activity or new insights about this group,\u201d he was quoted as saying in the press release.\n\nIf the current trend is any indication, expect to see more of the same, Larin said. \u201cOverall, of late, we\u2019ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,\u201d he said. \u201cIt\u2019s a reminder that zero days continue to be the most effective method for infecting targets. Now that these vulnerabilities have been made publicly known, it\u2019s possible that we\u2019ll see an increase of their usage in attacks by this and other threat actors. That means it\u2019s very important for users to download the latest patch from Microsoft as soon as possible.\u201d\n\n## CVE-2021-31199/CVE-2021-31201\n\nThe two Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities are linked to the Adobe Reader bug that [came under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) last month (CVE-2021-28550), ZDI explained. \u201cIt\u2019s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits,\u201d he explained. \u201cIt is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.\u201d\n\n## CVE-2021-33739\n\nBreen noted that privilege escalation vulnerabilities such as this one in the Microsoft DWM Core Library are just as valuable to attackers as RCEs. \u201cOnce they have gained an initial foothold, they can move laterally across the network and uncover further ways to escalate to system or domain-level access,\u201d he said. \u201cThis can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-06-08T21:45:12", "type": "threatpost", "title": "Microsoft Patch Tuesday Fixes 6 In-The-Wild Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21224", "CVE-2021-28550", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31963", "CVE-2021-31968", "CVE-2021-31985", "CVE-2021-33739", "CVE-2021-33742"], "modified": "2021-06-08T21:45:12", "id": "THREATPOST:61CC1EAC83030C2B053946454FE77AC3", "href": "https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T14:28:35", "description": "Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which already has affected numerous companies and been [attributed](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) to the FIN11 and the Clop ransomware gang.\n\n\u201cShell has been impacted by a data-security incident involving Accellion\u2019s File Transfer Appliance,\u201d the company revealed [on its website](<https://www.shell.com/energy-and-innovation/digitalisation/news-room/third-party-cyber-security-incident-impacts-shell.html>) last week. \u201cShell uses this appliance to securely transfer large data files.\u201d\n\nAttackers \u201cgained access to \u201cvarious files\u201d containing personal and company data from both Shell and some of its stakeholders, acknowledged the company. However, because its Accellion implementation its core IT systems were unaffected by the breach, \u201cas the file transfer service is isolated from the rest of Shell\u2019s digital infrastructure,\u201d the company said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nShell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.\n\nAccording to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.\n\n\u201cShell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,\u201d the company said in a statement. \u201cWe have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.\u201d\n\nShell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion revealed that it became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.\n\nHowever, the first flaw turned out to be just one of a cascade of now patched zero-day bugs in the platform that Accellion discovered only after they came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>) and [telecom giant Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>).\n\nEventually, four security vulnerabilities ([CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell\u2019s disclosure, unpatched systems likely remain and further attacks seem likely.\n\nIndeed, patching is a complicated endeavor even for the most well-run IT organizations and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\n\u201cThis is especially true for non-Microsoft Windows based systems, the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,\u201d he said. \u201cInfrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.\u201d\n\nThere are a number of reasons for why patches aren\u2019t immediately applied when they\u2019re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who\u2019s responsible for patch application, Clements added.\n\nThe Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploit, said another security expert.\n\n\u201cThe Shell data breach illustrates the criticality of securing vendors and ensuring their systems don\u2019t compromise your own business,\u201d Demi Ben-Ari, CTO and co-founder of security firm [Panorays](<https://www.panorays.com/>) said in an email to Threatpost. \u201cVulnerabilities in vendors\u2019 legacy software can serve as an easy gateway to breach data in target companies \u2014 or worse.\u201d\n\n**_[Register for this LIVE Event](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>)_****_: 0-Day Disclosures: Good, Bad & Ugly:_** **_On Mar. 24 at 2 p.m. ET_**_, Threatpost_ tackles how vulnerability disclosures can pose a risk to companies. To be discussed, Microsoft 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack what\u2019s on the line for all businesses when it comes to the disclosure process. [Register NOW](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>) for this **LIVE **webinar on Wed., Mar. 24.\n", "cvss3": {}, "published": "2021-03-23T14:16:14", "type": "threatpost", "title": "Energy Giant Shell Is Latest Victim of Accellion Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-23T14:16:14", "id": "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "href": "https://threatpost.com/shell-victim-of-accellion-attacks/164973/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-15T11:25:30", "description": "Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.\n\nThat\u2019s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday [posted a blog](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities\u2014the prevalence of which are on the rise\u2013before they were addressed by their respective vendors.\n\nTAG researchers discovered the Safari WebKit flaw, tracked as [CVE-\u200b2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>), on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in [an update](<https://support.apple.com/en-us/HT212256>) later that month.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nBefore the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.\n\n\u201cIf the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,\u201d they wrote.\n\nThe exploit, which targeted iOS versions 12.4 through 13.7, would turn off [Same-Origin-Policy](<https://en.wikipedia.org/wiki/Same-origin_policy>) protections on an infected device to collect authentication cookies from several popular websites\u2013including Google, Microsoft, LinkedIn, Facebook and Yahoo\u2013and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.\n\nMoreover, the campaign targeting iOS devices coincided with others from the same threat actor\u2014which Microsoft has identified as Nobelium\u2013targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks [in a report](<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>) posted online in May, the researchers added.\n\nNobellium is believed to be a Russia-based threat group responsible for the [expansive cyber-espionage SolarWinds](<https://threatpost.com/feds-russia-culprit-solarwinds/162785/>) campaign, which affected numerous U.S. government agencies and tech companies, including Microsoft.\n\n## **Other Zero-Day Attacks**\n\nGoogle researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to [Google TAG\u2019s Shane Huntley](<https://twitter.com/ShaneHuntley/status/1415340345500463113>). Two of those vulnerabilities\u2013[CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) and [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>)\u2014were found in Chrome, and one, tracked as [CVE-2021-33742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742>), in Internet Explorer.\n\nCVE-2021-21166 and CVE-2021-30551, two Chrome rendered remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.\n\n\u201cBoth of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,\u201d Stone and Lecigne wrote. \u201cThe links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.\u201d\n\nWhen prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info\u2014which included screen resolution, timezone, languages, browser plugins, and available MIME types\u2014would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.\n\nResearchers also identified a separate campaigned in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.\n\n\u201cThis happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,\u201d Stone and Lecigne explained.\n\nAt the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.\n\n\n\nClick to Zoom CREDIT: TAG\n\n## **Why There is an Increase in Zero-Days?**\n\nAll in all, security researchers have identified 33 [zero-day flaws](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) so far in 2021, which is 11 more than the total number from 2020, according to the post.\n\nWhile that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers \u201cbelieve greater detection and disclosure efforts are also contributing to the upward trend,\u201d they wrote.\n\nStill, it\u2019s highly possible that attackers are indeed using more [zero-day exploits](<https://threatpost.com/zero-day-wipe-my-book-live/167422/>) for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more [zero-day vulnerabilities](<https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/>) for functional attack chains, they said.\n\nThe growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target\u2014hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.\n\nFinally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.\n\n\u201cDue to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,\u201d Stone and Lecigne wrote.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-15T11:04:49", "type": "threatpost", "title": "Safari Zero-Day Used in Malicious LinkedIn Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-26411", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T11:04:49", "id": "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "href": "https://threatpost.com/safari-zero-day-linkedin/167814/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-16T15:56:08", "description": "Four Microsoft zero-day vulnerabilities in the Azure cloud platform\u2019s Open Management Infrastructure (OMI) \u2014 a software that many don\u2019t know is embedded in a host of services \u2014 show that OMI represents a significant security blind spot, researchers said.\n\nCollectively dubbed \u201cOMIGOD\u201d because of the name and the reaction of the researchers who discovered them, the flaws \u2014 which were zero-day when found \u2014 affect thousands of Azure customers and millions of endpoints, according to a [blog post](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) published this week by cloud infrastructure security firm Wiz.\n\nThough Microsoft patched them this week in its [monthly Patch Tuesday](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) raft of updates, their presence in OMI highlights the risk for the supply chain when companies unknowingly run code \u2014 particularly open-source code \u2014 on their systems that allows for exploitation, researchers said.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIndeed, recent high-profile supply-chain attacks such as [SolarWinds](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) and [Kaseya](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) demonstrate how much damage can be done when undetected flaws in third-party software that organizations use in larger systems are exploited.\n\n\u201cOne of the biggest challenges in preventing them is that our digital supply chain is not transparent,\u201d senior security researcher Nir Ohfeld wrote in the Wiz post. \u201cIf you don\u2019t know what\u2019s hidden in the services and products you use every day, how can you manage the risk?\n\nIndeed, the OMIGOD vulnerabilities discovered by Ohfeld and his colleagues present a security danger to potentially millions of unsuspecting customers of cloud computing services, he said.\n\n\u201cIn a small sample of Azure tenants we analyzed, over 65 percent [of Azure customers] were unknowingly at risk,\u201d Ohfeld wrote.\n\nThe vulnerabilities that Wiz researchers discovered include one that allows for remote code execution (RCE), [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>). The other three are privilege-escalation vulnerabilities ([CVE-2021-38648](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>), [CVE-2021-38645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) and [CVE-2021-38649)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) of lower risk but which are critical for a full attack chain.\n\n\u201cUnless a patch is applied, attackers can easily exploit these four vulnerabilities to escalate to root privileges and remotely execute malicious code (for instance, encrypting files for ransom),\u201d Ohfeld said.\n\n## **Hidden Cloud Security Danger in OMI**\n\nOne reason for the significant alarm over the flaws is that they are found in OMI, an agent automatically deployed when customers set up a Linux virtual machine (VM) in their cloud and enable certain Azure services, researchers explained.\n\n\u201cThis happens without customers\u2019 explicit consent or knowledge,\u201d Ohfeld wrote. \u201cUsers simply click \u2018agree\u2019 to log collection during setup, and they have unknowingly opted in.\u201d\n\nOMI is a perilous attack surface because Azure provides \u201cvirtually no public documentation\u201d about it, he said. That means most customers have never heard of it and are unaware that it even exists as an exploitable entity in their deployment.\n\nMoreover, the OMI agent runs as root with the highest privileges, so any user can communicate with it using a UNIX socket or via an HTTP API when configured to allow external access, Ohfeld explained.\n\n\u201cAs a result, the vulnerabilities we found would allow external users or low-privileged users to remotely execute code on target machines or escalate privileges,\u201d he wrote.\n\n## **\u2018Textbook RCE Vulnerability\u201d**\n\n** **[CVE-2021-38647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>), with a 9.8 severity rating, is the most serious of the flaws, allowing for RCE. However, for it to be exploited, the Azure product using OMI would have to be one, such as Configuration Management, that exposes an HTTPS port, or port 5986, for interacting with OMI.\n\n\u201cThat\u2019s what makes RCE possible,\u201d Ohfeld explained. \u201cNote that most Azure services that use OMI deploy it without exposing the HTTPS port.\u201d\n\nCalling the bug \u201ca textbook RCE vulnerability that you would expect to see in the 90s\u201d not in 2021, the flaw can expose millions of endpoints because \u201can attacker could use a single packet to become root on a remote machine by simply removing the authentication header,\u201d Ohfeld wrote.\n\n\u201cThanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root,\u201d he explained.\n\nIn situations where the OMI ports are accessible to the internet to allow for remote management, threat actors can use the vulnerability co-obtain initial access to a target Azure environment and then move laterally within it, Ohfeld added.\n\n\u201cAn exposed HTTPS port is the holy grail for malicious actors,\u201d he observed. \u201cWith one simple exploit they can get access to new targets, execute commands at the highest privileges and possibly spread to new target machines.\u201d\n\nThe other three flaws\u2014with severity ratings that range from 7.1 to 7.8\u2014can be used as part of attack chains once attackers gain initial low-privileged access to their targets, Ohfeld added.\n\n## **Threat Discovery and Mitigations**\n\nWiz researchers reported the four vulnerabilities to Microsoft through the responsible disclosure process; the company patched them as of Tuesday, researchers said.\n\nUpgrading OMI and thus patch installation happens through the parent Azure service that installed it, they added. \u201cHowever, we urge customers to verify that their environment is indeed patched and they are running the latest version of OMI (Version 1.6.8.1),\u201d Ohfeld wrote.\n\nDifferent Azure services have different port numbers, Microsoft noted in its advisory for CVE-2021-38647. However, for customers who want to check that their Azure Linux Node does not have an exposed port, they should look for the command \u2018_netstat -an | grep <port-number>_\u2018 on most Linux distributions, which will indicate if any processes are listening on an open port, the company said.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. **[JOIN](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)** Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the **[4 Golden Rules of Linux Security](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)**. Your top takeaway will be a Linux roadmap to getting the basics right! **[REGISTER NOW](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) **and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-16T11:37:48", "type": "threatpost", "title": "Azure Zero-Day Bugs Show Lurking Supply-Chain Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649"], "modified": "2021-09-16T11:37:48", "id": "THREATPOST:FD28EAD589B45A1A4A7412632B25CEAB", "href": "https://threatpost.com/azure-zero-day-supply-chain/169508/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-22T18:12:09", "description": "Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.\n\n[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nMultiple Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), have all been attacked by the group, receiving extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website, according to an investigation from Accellion and FireEye Mandiant. Around 100 companies have been victims of the attack, analysts found, with around 25 suffering \u201csignificant data theft.\u201d No ransomware was used in the attacks.\n\n\u201cNotably, the number of victims on the \u201cCL0P^_- LEAKS\u201d shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada and the Netherlands recently outed by these threat actors,\u201d according to the Mandiant findings, [issued on Monday](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploitedfor-data-theft-and-extortion.html>).\n\n## **4 Accellion FTA Zero-Days **\n\nAs noted, the point of entry for the attacks was Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion said that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.\n\n\u201cThis initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,\u201d the company explained. \u201cAccellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability.\u201d\n\nFour zero-day security holes were exploited in the attacks, according to the investigation:\n\n * CVE-2021-27101 \u2013 SQL injection via a crafted Host header\n * CVE-2021-27102 \u2013 OS command execution via a local web service call\n * CVE-2021-27103 \u2013 SSRF via a crafted POST request\n * CVE-2021-27104 \u2013 OS command execution via a crafted POST request\n\nAnd, the published victim data appears to have been stolen using a distinct \u201cDEWMODE\u201d web shell, according to Mandiant, which added, \u201cThe exfiltration activity has affected entities in a wide range of sectors and countries.\u201d\n\n## **DEWMODE Web Shell for Stealing Information**\n\nMandiant found that a specific web shell, which it calls DEWMODE, was used to exfiltrate data from Accellion FTA devices. The adversaries first exploited one of the zero-days, then used that access to install DEWMODE.\n\n\u201cAcross these incidents, Mandiant observed common infrastructure usage and TTPs [tactics, techniques and procedures], including exploitation of FTA devices to deploy the DEWMODE web shell,\u201d Mandiant determined. \u201cA common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546\u2019s activities.\u201d\n\nThe firm is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA as its primary intrusion vector. SQL injection was then followed by subsequent requests to additional resources.\n\n\u201cUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php,\u201d according to the analysis. \u201cImmediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api. Almost immediately following this sequence, the DEWMODE web shell is written to the system.\u201d\n\nDEWMODE, once embedded, extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell.\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz \u2013 an archive that likely contained a dump of a database.\n\n## **Extortion via Clop Leaks Site**\n\nOnce DEWMODE was installed, victims began to receive extortion emails from an actor claiming association with the Clop ransomware team gang.\n\nThese are tailored to each victim and sent from a free email account, to a small number of addresses at the victim organization. If the victim did not respond in a timely manner, more emails are sent, this time to hundreds or thousands of different email accounts, using varied SMTP infrastructure.\n\n\n\nThe initial extortion note sent to victims of the Accellion FTA attacks. Source: FireEye Mandiant.\n\n\u201cIn at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat,\u201d according to Mandiant.\n\nThe firm also found through monitoring the CL0P^_- LEAKS shaming website that UNC2582 has followed through on threats to publish stolen data.\n\n\u201cSeveral new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,\u201d according to Mandiant.\n\n## **FIN11, Clop and UNC2546**\n\nFIN11 is a financially motivated group that has been around for at least four years, conducting widespread phishing campaigns. However, it continues to evolve. It added the use of Clop ([which emerged](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/>) in February 2019) [and double extortion in October](<https://threatpost.com/fin11-gang-double-extortion-ransomware/160089/>); and added point-of-sale (POS) malware to its arsenal in 2018. In 2019, it started conducting run-of-the-mill ransomware attacks.\n\nMandiant has previously found that FIN11 threatened to post stolen victim data on the same .onion site used in the Accellion FTA attacks, usually in a double-extortion demand following the deployment of Clop ransomware. However, researchers found that the cybercriminals involved in these latest attacks are likely distinct from FIN11 itself despite sharing some overlaps.\n\n\u201cWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582,\u201d according to Mandiant. \u201cWe have identified overlaps between UNC2582, UNC2546 and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.\u201d\n\nSome of the overlaps between UNC2582\u2019s data-theft extortion activity and prior FIN11 operations include common email senders.\n\n\u201cSome UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group,\u201d according to the analysis.\n\nFIN11 has also used same the CL0P^_- LEAKS shaming site and is known for deploying Clop ransomware.\n\n\u201cThe UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page,\u201d according to Mandiant. \u201cThe linked websites were the same ones used to support historical Clop operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\u201d\n\nWhen it comes to the zero-day cluster of activity, attributed to UNC2546, there are also limited overlaps with FIN11. Specifically, many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n\nAnd, \u201can IP address that communicated with a DEWMODE web shell was in the \u2018Fortunix Networks L.P.\u2019 netblock, a network frequently used by FIN11 to host download and [FRIENDSPEAK command-and-control (C2) domains](<https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/>).\u201d\n\nThere\u2019s also a connection between UNC2546 and UNC2582, the firm found: In at least one case, the UNC2546 attackers interacted with DEWMODE from a host that was used to send UNC2582-attributed extortion email.\n\n\u201cThe overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,\u201d Mandiant concluded. \u201cOne of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks.\u201d\n\nAlso, using SQL injection to deploy DEWMODE would represent a significant shift in FIN11 TTPs, \u201cgiven the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,\u201d Mandiant added.\n\n### _Is your small- to medium-sized business an easy mark for attackers? _\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n\n** **\n", "cvss3": {}, "published": "2021-02-22T17:51:20", "type": "threatpost", "title": "Accellion FTA Zero-Day Attacks Tied to Clop, FIN11", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T17:51:20", "id": "THREATPOST:3661EA0D8FCA17978A471DB91405999A", "href": "https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-21T15:44:32", "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. \u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUser can also use the blacklisting feature to disable URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). \u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in the Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-21T15:35:37", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n\n\nClick to enlarge. Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. \u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. \u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. potential litigation because sensitive data was stolen from the network.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-24T11:31:22", "description": "Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.\n\nApple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS.\n\nThe XNU kernel vulnerability \u2014 the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero \u2014 is a type-confusion issue that Apple addressed with \u201cimproved state handling,\u201d according to [its advisory](<https://support.apple.com/en-us/HT212825>).\n\n\u201cA malicious application may be able to execute arbitrary code with kernel privileges,\u201d the company said. \u201cApple is aware of reports that an exploit for this issue exists in the wild.\u201d\n\nThe flaw also affects the WebKit browser engine, which is likely why [it caught the attention](<https://twitter.com/ShaneHuntley/status/1441102086385455112?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1441102086385455112%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2021%2F09%2F24%2Fapple_zero_day%2F>) of the Google researchers. The issue affects macOS Catalina as well as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).\n\n## **Pegasus Zero-Day Patched for Older Devices**\n\nAnother zero-day flaw patched in the iOS update also affects WebKit on the same older iOS devices. The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management. It allows an attacker to process maliciously crafted web content that may lead to arbitrary code execution, according [to Apple\u2019s advisory](<https://support.apple.com/en-us/HT212824>).\n\n\u201cApple is aware of a report that this issue may have been actively exploited,\u201d the company said.\n\nA third bug patched in the iOS update \u2014 a zero-click exploit discovered by Citizen Lab \u2014 already [made headlines](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) earlier this month when Apple issued a series of emergency patches on Sept. 13 for it to cover the latest devices running iOS and macOS.\n\nThe vulnerability allows for an attacker to process a maliciously crafted PDF that may lead to arbitrary code execution. The fix issued Thursday for the integer-overflow bug \u201cwas addressed with improved input validation,\u201d according to Apple, and covers older devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).\n\nCitizen Lab detected the flaw \u2014 tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics \u2014 targeting iMessaging in August. Researchers dubbed it ForcedEntry and alleged that it had been used to illegally spy on Bahraini activists with [NSO Group\u2019s Pegasus spyware](<https://threatpost.com/nso-group-data-pegasus/167897/>).\n\n## **Keeping Up with 0-Days**\n\nThe latest Apple security updates come on the heels of [news earlier this week](<https://threatpost.com/unpatched-apple-zero-day-code-execution/174915/>) that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system \u2014 which hasn\u2019t fixed the problem yet. It could allow remote attackers to trick users into running arbitrary commands.\n\nIndeed Apple, like many other vendors, spends a lot of its time trying to keep up with security vulnerabilities\u2014something at which it \u201cdoes a great job,\u201d noted Hank Schless, senior manager of security solutions at endpoint-to-cloud security firm Lookout.\n\n\u201cEven though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code,\u201d he observed in an email to Threatpost.\n\nHowever, these patches are worth nothing and corporate data is at risk if people don\u2019t update their mobile devices in particular, as soon as fixes for actively exploited flaws are available, Schless warned.\n\n\u201cPeople often ignore them until they\u2019re forced to update,\u201d he said. \u201cThis could be risky to an enterprise that allows its employees to access corporate resources from their mobile devices\u2026[which is] just about every enterprise out there.\u201d\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-24T11:29:27", "type": "threatpost", "title": "Apple Patches 3 More Zero-Days Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869"], "modified": "2021-09-24T11:29:27", "id": "THREATPOST:1A88FF1D2951B8467D062697D5D05CFA", "href": "https://threatpost.com/apple-patches-zero-days-attack/174988/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nResearchers at Huntress Labs for instance told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTS besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain\u2014which suffered a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. \u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_w
Qualys Response to CISA Alert: Binding Operational Directive 22-01
